How to make SELinux file context permanent?

Ivan Gyurdiev ivg2 at cornell.edu
Tue Apr 4 05:44:29 UTC 2006


Leszek Matok wrote:
> On 03-04-2006, Mon at 19:52 -0400, Ivan Gyurdiev wrote:
>   
>> Creating a policy module should not be necessary - you can use the 
>> semanage command with the fcontext option to add file context 
>> specification to the local config. However, adding a workaround is *not* 
>> the correct solution.
>>     
> Please explain. Why is binding the context to the packaged file a
> workaround, while maintaining one big list of all files that people
> possibly could put on their systems (yeah, right, dream on) is a
> solution?
>   
Neither is a solution; the correct solution is to remove the need for 
text relocation in the first place, if possible. As far as modules are 
concerned, I agree that this is the long-term goal, but AFAIK how 
modules will work with rpm has yet to be worked out - I believe Dan 
Walsh is working on this; I am not sure what the current status is.
> For me it's natural that a file context is bound to the file and should
> be transported with it/stay stuck to it. semanage is already somewhat
> portable (I can check for its presence, I can check for particular
> type/role I'm interested in - my RPM package can still be installed on
> any system, regardless of SELinux presence, policies and so on), and
> remember it doesn't really need to if I know what system I'm building
> for (and this is Fedora Extras, not a "Build a completely cross-distro
> RPM packages-HowTo").
>   
Yes, file contexts need to be stored in the package; nobody is arguing 
against modularity. Separating compile-time and link-time is just part 
of the problem, however - the other details still have to be worked out 
about how modules will be installed alongside the standard rpm transaction.