431 kernel install - file contexts fixed! (was Re: avc denied from kernel 427 update)

[Tom London]

New packages improve things dramatically. I just did a 'yum update 
kernel*' to install the 431 kernel from Arjan's tree. The install 
succeeded, and I was running in enforcing mode.

The context labels now appear to be correct except for those created by 
'depmod', 'mkinitrd' and the fiddling with /boot/grub/grub.conf. (Files 
installed from kernel-sourcecode package are all correctly labeled!) 
Except for grub.conf, the types appear correct but the user is 'root' 
instead of 'system_u'.  grub.conf is labeled 'root:object_r:boot_t' 
instead of 'system_u:object_r:boot_runtime_t'.

(Are 'restorecon' commands needed in the postinstall scriptlet? elsewhere?)

tom

[BTW, the system boots fine even without fixing the labels mentioned above.]


Tom London wrote:

> Hmmm.... worked for me.  I'm running 427 on two machines.  One with 
> the 'old policy' stuff, the other with all the latest packages from 
> the development tree (including 'new selinux-policy' stuff).
>
> A suggestion from Stephen Smalley may help you. I haven't tried to 
> install a new kernel since doing this. Also, I noticed an updated rpm 
> package in the development tree.....
>
> tom
> ------------------------------------------------------------------------
>
>    * /From/: Stephen Smalley <sds epoch ncsc mil>
>    * /Date/: Thu, 10 Jun 2004 15:30:09 -0400
>
> ------------------------------------------------------------------------
>
> On Tue, 2004-06-08 at 23:25, Tom London wrote:
>
>> [On my system, yum/rpm seem not to be correctly labeling installed 
>> files, so I manually check and change via 'fixfiles' or 'setfiles' as 
>> appropriate.
>
>
> This is because rpm hasn't been updated for the new policy layout, so it
> cannot find the file_contexts configuration.  Until it is updated, I
> have just created a symlink, i.e.
> ln -sf /etc/selinux/strict/contexts/files/file_contexts 
> /etc/security/selinux/file_contexts
>