restorecon vs. setfiles

Stephen Smalley sds at epoch.ncsc.mil
Fri Jun 25 16:59:21 UTC 2004


On Fri, 2004-06-25 at 12:34, Gary Peck wrote:
> Looks like a similar bug might be present in rpm, or at least the end
> result is similar. Whenever I install new RPMs from Rawhide, *.so*
> files get installed with object_r:lib_t context. If I run
> "/sbin/fixfiles restore" right afterward, they get relabeled back to
> object_r:shlib_t.  Either rpm has an old policy version on the Rawhide
> build machines, or it's not labeling files correctly.
> 
> Also, the dev package in Rawhide comes with all files labeled as
> object_r:device_t. After running fixfiles, some of those get relabeled
> to the correct object_r:fixed_disk_device_t, object_r:tty_device_t,
> object_r:sound_device_t, etc. dev should have the correct contexts to
> begin with. Various files in /usr/sbin also don't have the correct
> contexts as shipped in the RPMs.
> 
> This is all with selinux-policy-targeted-1.13.8-1,
> policycoreutils-1.13.3-2, and rpm-4.3.2-0.4.

I don't believe that rpm is computing file contexts at package build
time anymore, since there are multiple policies (strict and targeted)
now.  It should instead compute the file contexts when unpacking the
package based on your local file_contexts configuration, whose path is
obtained from /usr/lib/rpm/macros using /etc/selinux/config to determine
the active policy.  It seems to be working for me.

-- 
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
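
An added illustration of the install-time lookup described in the reply above; it is not code from the post, from rpm or from policycoreutils. The sample config text, the file_contexts entries, the /etc/selinux/<policy>/contexts/files/file_contexts layout and the simplified last-match-wins ordering are assumptions of this sketch.

```python
import re

# Constructed sample of /etc/selinux/config (not taken from the post).
SAMPLE_CONFIG = """# Constructed example
SELINUX=enforcing
SELINUXTYPE=targeted
"""

# Constructed file_contexts entries: regex, optional file-type flag, context.
SAMPLE_FILE_CONTEXTS = r"""
/usr/lib(/.*)?                   system_u:object_r:lib_t
/usr/lib/.*\.so(\.[^/]*)*    --  system_u:object_r:shlib_t
/dev(/.*)?                       system_u:object_r:device_t
/dev/tty[0-9]+               -c  system_u:object_r:tty_device_t
"""

def active_policy(config_text):
    """Return the SELINUXTYPE value (the active policy name)."""
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("SELINUXTYPE="):
            return line.split("=", 1)[1].strip()
    raise ValueError("SELINUXTYPE not set")

def file_contexts_path(policy):
    # Assumed layout: one file_contexts per installed policy.
    return f"/etc/selinux/{policy}/contexts/files/file_contexts"

def parse_specs(text):
    """Parse file_contexts lines into (regex, flag or None, context)."""
    specs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        flag = fields[1] if len(fields) == 3 else None
        specs.append((re.compile(fields[0]), flag, fields[-1]))
    return specs

def expected_context(specs, path, ftype="--"):
    """Context for path; ftype '--' is a regular file, '-c' a char device."""
    result = None
    for regex, flag, context in specs:
        if regex.fullmatch(path) and flag in (None, ftype):
            result = context  # later entries override earlier ones
    return result
```

Because the context is derived from the local policy's entries at unpack time, the same package can yield different labels under strict and targeted, and a file whose label differs from the lookup result is what a relabel such as "/sbin/fixfiles restore" changes.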