How to make SELinux file context permanent?
ivg2 at cornell.edu
Tue Apr 4 05:44:29 UTC 2006
Leszek Matok wrote:
> On 03-04-2006, Mon at 19:52 -0400, Ivan Gyurdiev wrote:
>> Creating a policy module should not be necessary - you can use the
>> semanage command with the fcontext option to add file context
>> specification to the local config. However, adding a workaround is *not*
>> the correct solution.
> Please explain. Why is binding the context to the packaged file a
> workaround, while maintaining one big list of all files that people
> possibly could put on their systems (year, right, dream on) is a
Neither is a solution; the correct solution is to remove the need for
text relocation in the first place if possible. As far as modules are
concerned, I agree that this is the long-term goal, but AFAIK how
modules will work with rpm has yet to be worked out - I believe Dan
Walsh is working on this; I am not sure what the current status is.
> For me it's natural that a file context is bound to the file and should
> be transported with it/stay stuck to it. semanage is already somewhat
> portable (I can check for its presence, I can check for particular
> type/role I'm interested in - my RPM package can still be installed on
> any system, regardless of SELinux presence, policies and so on), and
> remember it doesn't really need to if I know what system I'm building
> for (and this is Fedora Extras, not a "Build a completely cross-distro
> RPM packages-HowTo").
Yes, file contexts need to be stored in the package; nobody is arguing
against modularity. Separating compile-time and link-time is just part
of the problem, however - the other details still have to be worked out
about how modules will be installed alongside the standard rpm transaction.
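An added example, not code from this thread or from Fedora, of the local-config approach Ivan describes: a POSIX sh helper of the kind an RPM %post scriptlet could call to record a file context with `semanage fcontext` and apply it with `restorecon`, skipping cleanly on hosts without SELinux tooling (the presence check Leszek mentions). The function names, the `SEMANAGE`/`RESTORECON` override variables, and the type and path values are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from Fedora: an RPM %post-style
# helper that records a file context persistently with "semanage fcontext"
# and applies it with restorecon. Type and path below are placeholders.

# Tool locations are overridable so the helper can be exercised without root.
SEMANAGE=${SEMANAGE:-semanage}
RESTORECON=${RESTORECON:-restorecon}

# _have NAME: true if NAME resolves to an executable (works for bare names and paths).
_have() {
    command -v "$1" >/dev/null 2>&1 && [ -x "$(command -v "$1")" ]
}

# Returns 0 when the SELinux userland tools are usable on this host.
selinux_tools_present() {
    _have "$SEMANAGE" && _have "$RESTORECON"
}

# selinux_fcontext_persist TYPE PATH_REGEX
# Adds a local fcontext rule (modifying it if one already exists) and relabels
# the files under the regex's literal prefix. Without SELinux tooling it is a
# no-op that still returns 0, so the package installs cleanly everywhere.
selinux_fcontext_persist() {
    _type=$1
    _regex=$2
    selinux_tools_present || return 0
    if ! "$SEMANAGE" fcontext -a -t "$_type" "$_regex" 2>/dev/null; then
        # Rule already recorded (e.g. package upgrade): update it instead.
        "$SEMANAGE" fcontext -m -t "$_type" "$_regex" || return 1
    fi
    # Literal prefix: cut at the first regex metacharacter or backslash escape.
    _prefix=$(printf '%s' "$_regex" | sed 's/[[(\\.*?+].*$//')
    [ -d "$_prefix" ] || _prefix=${_prefix%/*}
    "$RESTORECON" -R "$_prefix" 2>/dev/null || :
}

# selinux_fcontext_forget TYPE PATH_REGEX: companion for %postun on final erase.
selinux_fcontext_forget() {
    selinux_tools_present || return 0
    "$SEMANAGE" fcontext -d -t "$1" "$2" 2>/dev/null || :
}

# Placeholder values: textrel_shlib_t is the type a text-relocating library
# would need; the path is invented for illustration.
selinux_fcontext_persist textrel_shlib_t '/usr/lib/foo/libbar\.so.*' ||
    echo "warning: could not record SELinux file context" >&2
```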