apt and selinux (was: Re: restorecon vs. setfiles)

Gary Peck gbpeck at sbcglobal.net
Sun Jun 27 00:27:42 UTC 2004


On Sat, Jun 26, 2004 at 05:12:34PM -0700, Gary Peck wrote:
> Could this be an issue with apt? I'm actually using apt-get to install
> these packages. When I tried using "rpm -Uvh ..." directly, it seemed to
> set the contexts correctly as you say. However, when I did it with
> apt-get again, I saw the same problem. Here's some files from the
> mozilla package with their correct contexts:
> 
> system_u:object_r:shlib_t /usr/lib/mozilla-1.7/components/libaccessibility.so
> system_u:object_r:shlib_t /usr/lib/mozilla-1.7/components/libaddrbook.so
> system_u:object_r:shlib_t /usr/lib/mozilla-1.7/components/libappcomps.so
> system_u:object_r:shlib_t /usr/lib/mozilla-1.7/components/libautoconfig.so
> 
> Then I run "apt-get install mozilla", which upgrades mozilla from
> 1.7-0.3.1 to 1.7-0.3.2. Afterwards, these same files (but from the new
> version of mozilla) have the following contexts:
> 
> root:object_r:lib_t /usr/lib/mozilla-1.7/components/libaccessibility.so
> root:object_r:lib_t /usr/lib/mozilla-1.7/components/libaddrbook.so
> root:object_r:lib_t /usr/lib/mozilla-1.7/components/libappcomps.so
> root:object_r:lib_t /usr/lib/mozilla-1.7/components/libautoconfig.so
> 
> I assumed that apt's behaviour should be the same since it's just using
> rpm underneath, but maybe there's extra rpm API calls that need to be
> made by apt when it's running on a SELinux system?
> 
> This is with apt-0.5.15cnc6-0.fdr.11.2, rpm-4.3.2-0.4.

Ok, I'm pretty sure it's an apt problem now. I tried installing the same
package twice, once with apt using the rpm API directly (apt-get install
...), and once with apt calling the rpm binary externally (apt-get -o
RPM::PM="external" install ...). When using the API, I see the same
problem as above. When calling the rpm binary, the contexts get set
correctly.

I've CC'ed the apt-rpm list as it's probably a more appropriate place
for this discussion. Anyone there care to comment?

gary
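
A check for the label drift described in this message, as an added example that is not part of the original post: it compares two `<context> <path>` listings taken before and after an upgrade and reports every file whose SELinux label changed. The function names are hypothetical; the sample lines are the ones quoted above, plus one constructed entry that keeps its label.

```python
from typing import NamedTuple

class Label(NamedTuple):
    user: str
    role: str
    type: str
    level: str  # empty when the context has no MLS/MCS field, as in this thread

def parse_listing(text):
    """Map path -> Label from lines of the form '<context> <path>'."""
    labels = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        context, _, path = line.partition(" ")
        fields = context.split(":", 3)  # the level may itself contain ':'
        path = path.strip()
        if len(fields) < 3 or not path.startswith("/"):
            raise ValueError(f"unparseable line: {line!r}")
        labels[path] = Label(*fields[:3], fields[3] if len(fields) == 4 else "")
    return labels

def label_drift(before, after):
    """Return (path, old, new, changed_fields) for files relabelled between listings."""
    old, new = parse_listing(before), parse_listing(after)
    drift = []
    for path in sorted(old.keys() & new.keys()):
        changed = [f for f in Label._fields if getattr(old[path], f) != getattr(new[path], f)]
        if changed:
            drift.append((path, old[path], new[path], changed))
    return drift

# Listings as quoted in the message, plus one constructed entry that keeps its label.
BEFORE = """\
system_u:object_r:shlib_t /usr/lib/mozilla-1.7/components/libaccessibility.so
system_u:object_r:shlib_t /usr/lib/mozilla-1.7/components/libaddrbook.so
system_u:object_r:bin_t /usr/bin/constructed-example
"""
AFTER = """\
root:object_r:lib_t /usr/lib/mozilla-1.7/components/libaccessibility.so
root:object_r:lib_t /usr/lib/mozilla-1.7/components/libaddrbook.so
system_u:object_r:bin_t /usr/bin/constructed-example
"""

if __name__ == "__main__":
    for path, old, new, changed in label_drift(BEFORE, AFTER):
        print(f"{path}: {old.user}:{old.role}:{old.type} -> "
              f"{new.user}:{new.role}:{new.type} (changed: {', '.join(changed)})")
```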



