How to properly upgrade policy

Jeff Johnson n3npq at nc.rr.com
Fri Jun 25 22:31:36 UTC 2004


Tom London wrote:

> These are VERY nice changes, automating what I've been doing manually.
>
> An observation: the package 'install' process has gotten much better
> with file contexts.


Well, that isn't a compliment to rpm, but rather that policy is changing
much more carefully imho.

>
> Any thoughts on automating the assignment of file contexts to the
> files created by package scripts (e.g., /boot/grub/grub.conf, depmod
> files, /etc/selinux/config, ...)? Would be nice to have a 'SELinux package
> description' that describes the package's desired/default contexts. That
> would allow inspection prior to install, tools to check consistency with
> installed file_contexts, etc. 'rpm -q --filecontext' is almost
> it.  Any way to add the other stuff to it, or something like it?


Sure there's been thought, as well as a request for a syntax marker
within package headers for files generated as a side effect of
doing a package install.

This is not going to work mostly because the side effect file probably
does not exist when a package is installed, and hence there's no way to
set the file context from within the installer because the file is not being
created by the installer.

The deeper problem is not the handful (perhaps big) of files that
are created as a side effect of installing a package, but rather
files in /home which are not (and will never be) in a package at all.

So the current thought is to attempt to set file contexts not only when
installing a package, but also through other means, like a cron script.

The slocate database has been suggested as a means to enumerate all paths
for applying the existing file context regexes. That will work, but will
probably (I haven't checked yet) the file type as well.

73 de Jeff
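The "enumerate paths, run them through the file_contexts regexes" idea above, and the file-type caveat at the end of the message, can be made concrete. The following is an added example written for this archive page; it is not code from rpm, setfiles or libselinux. It assumes only the documented file_contexts(5) syntax (a regex, an optional type flag such as -d or -l, and a context or <<none>>) and the documented rule that the last matching entry wins. The policy fragment and the table standing in for the locate database are constructed for the example, and the hypothetical plan_relabel() is the part a cron job would hand to a real relabel step. Run with a path list but no file type (as a plain locate database gives you), the -d and -l entries cannot be evaluated, so /home is wrongly scheduled for default_t and /home/alice is missed.

```python
"""Apply file_contexts(5)-style specs to an enumerated list of paths.

Added example for this thread, not code from rpm, setfiles or libselinux.
It assumes the documented file_contexts syntax (regex, optional type flag,
context) and the documented rule that the last matching spec wins.
"""
import os
import re
import stat
from collections import namedtuple

Spec = namedtuple("Spec", "regex ftype context")

# file_contexts(5) type flags -> stat(2) file-type bits
TYPE_FLAGS = {
    "--": stat.S_IFREG, "-d": stat.S_IFDIR, "-l": stat.S_IFLNK,
    "-c": stat.S_IFCHR, "-b": stat.S_IFBLK, "-s": stat.S_IFSOCK,
    "-p": stat.S_IFIFO,
}

# Constructed sample policy fragment (not taken from any shipped policy).
SAMPLE_FILE_CONTEXTS = r"""
/.*                          system_u:object_r:default_t:s0
/boot(/.*)?                  system_u:object_r:boot_t:s0
/etc/selinux(/.*)?           system_u:object_r:selinux_config_t:s0
/etc/localtime           -l  system_u:object_r:locale_t:s0
/home                    -d  system_u:object_r:home_root_t:s0
/home/[^/]+              -d  system_u:object_r:user_home_dir_t:s0
/home/[^/]+/.+               system_u:object_r:user_home_t:s0
/home/[^/]+/\.ssh(/.*)?      system_u:object_r:ssh_home_t:s0
/tmp(/.*)?                   <<none>>
"""


def parse_file_contexts(text):
    """Parse file_contexts lines into Specs; regexes are anchored at both ends."""
    specs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) == 3:
            regex, flag, context = fields
            if flag not in TYPE_FLAGS:
                raise ValueError("line %d: unknown type flag %r" % (lineno, flag))
            ftype = TYPE_FLAGS[flag]
        elif len(fields) == 2:
            regex, context = fields
            ftype = None          # entry applies to every file type
        else:
            raise ValueError("line %d: expected 2 or 3 fields" % lineno)
        specs.append(Spec(re.compile("^(?:%s)$" % regex), ftype, context))
    return specs


def lookup(specs, path, ftype=None):
    """Context the specs assign to path; the last matching spec wins.

    ftype is a stat.S_IF* value, or None when only the path is known (as
    with a path read back from a locate database).  Type-qualified entries
    cannot be evaluated without the type, so they are skipped in that case,
    which is exactly where a path-only relabel goes wrong.
    """
    winner = None
    for spec in specs:
        if spec.ftype is not None and spec.ftype != ftype:
            continue
        if spec.regex.match(path):
            winner = spec.context
    return winner


def file_type_of(path):
    """For real use: the S_IF* type of path from lstat(), never following symlinks."""
    return stat.S_IFMT(os.lstat(path).st_mode)


def plan_relabel(specs, entries, use_type=True):
    """Return (path, current, wanted) for every entry whose label should change.

    entries: iterable of (path, ftype, current_context).  Entries that map to
    <<none>> or to no spec at all are left alone.
    """
    changes = []
    for path, ftype, current in entries:
        wanted = lookup(specs, path, ftype if use_type else None)
        if wanted is None or wanted == "<<none>>" or wanted == current:
            continue
        changes.append((path, current, wanted))
    return changes


# Constructed stand-in for "paths from the locate database" plus what
# lstat() and the current on-disk label would say: path -> (type, label).
SAMPLE_FS = {
    "/boot/grub/grub.conf": (stat.S_IFREG, "system_u:object_r:default_t:s0"),
    "/etc/selinux/config": (stat.S_IFREG, "system_u:object_r:selinux_config_t:s0"),
    "/home": (stat.S_IFDIR, "system_u:object_r:home_root_t:s0"),
    "/home/alice": (stat.S_IFDIR, "system_u:object_r:default_t:s0"),
    "/home/alice/.ssh/id_rsa": (stat.S_IFREG, "system_u:object_r:user_home_t:s0"),
    "/tmp/scratch": (stat.S_IFREG, "system_u:object_r:tmp_t:s0"),
}


def sample_plan(use_type=True):
    """Relabel plan for SAMPLE_FS, with or without the file type available."""
    specs = parse_file_contexts(SAMPLE_FILE_CONTEXTS)
    entries = [(p, t, c) for p, (t, c) in sorted(SAMPLE_FS.items())]
    return plan_relabel(specs, entries, use_type)


if __name__ == "__main__":
    for label, use_type in (("with file type", True), ("path only", False)):
        print("== %s ==" % label)
        for path, cur, want in sample_plan(use_type):
            print("  %-26s %s -> %s" % (path, cur, want))
```

In practice the cron job would feed each enumerated path through lstat() (file_type_of above) before matching, and would refuse to act on a path whose type it could not determine rather than fall back to the type-less match.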





More information about the fedora-selinux-list mailing list