[apt-rpm] apt and selinux (was: Re: restorecon vs. setfiles)

Panu Matilainen pmatilai at welho.com
Mon Jun 28 13:11:37 UTC 2004


On Sat, 26 Jun 2004, Gary Peck wrote:

> On Sat, Jun 26, 2004 at 05:12:34PM -0700, Gary Peck wrote:
> > Could this be an issue with apt? I'm actually using apt-get to install
> > these packages. When I tried using "rpm -Uvh ..." directly, it seemed to
> > set the contexts correctly as you say. However, when I did it with
> > apt-get again, I saw the same problem. Here's some files from the
> > mozilla package with their correct contexts:
> > 
> > system_u:object_r:shlib_t /usr/lib/mozilla-1.7/components/libaccessibility.so
> > system_u:object_r:shlib_t /usr/lib/mozilla-1.7/components/libaddrbook.so
> > system_u:object_r:shlib_t /usr/lib/mozilla-1.7/components/libappcomps.so
> > system_u:object_r:shlib_t /usr/lib/mozilla-1.7/components/libautoconfig.so
> > 
> > Then I run "apt-get install mozilla", which upgrades mozilla from
> > 1.7-0.3.1 to 1.7-0.3.2. Afterwards, these same files (but from the new
> > version of mozilla) have the following contexts:
> > 
> > root:object_r:lib_t /usr/lib/mozilla-1.7/components/libaccessibility.so
> > root:object_r:lib_t /usr/lib/mozilla-1.7/components/libaddrbook.so
> > root:object_r:lib_t /usr/lib/mozilla-1.7/components/libappcomps.so
> > root:object_r:lib_t /usr/lib/mozilla-1.7/components/libautoconfig.so
> > 
> > I assumed that apt's behaviour should be the same since it's just using
> > rpm underneath, but maybe there's extra rpm API calls that need to be
> > made by apt when it's running on a SELinux system?
> > 
> > This is with apt-0.5.15cnc6-0.fdr.11.2, rpm-4.3.2-0.4.
> 
> Ok, I'm pretty sure it's an apt problem now. I tried installing the same
> package twice, once with apt using the rpm API directly (apt-get install
> ...), and once with apt calling the rpm binary externally (apt-get -o
> RPM::PM="external" install ...). When using the API, I see the same
> problem as above. When calling the rpm binary, the contexts get set
> correctly.
> 
> I've CC'ed the apt-rpm list as it's probably a more appropriate place
> for this discussion. Anyone there care to comment?

I wouldn't call it an apt problem, you just need to put it into the same
context as rpm. This should already be the case on Fedora Core 2, dunno
about upstream selinux policy packages - this is from stock FC2
/etc/security/selinux/src/policy/file_contexts/program/rpm.fc:
/usr/bin/apt-get        --      system_u:object_r:rpm_exec_t
/usr/bin/apt-shell      --      system_u:object_r:rpm_exec_t
/usr/bin/synaptic   --          system_u:object_r:rpm_exec_t

	- Panu -
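
Added example (not part of the original message, and not code from apt or the SELinux policy): a small audit that parses the rpm.fc entries quoted above and compares them with observed labels. The observed labels are constructed sample data, the function names are hypothetical, and "last matching entry wins" is a simplification of how setfiles orders specifications.

```python
import re

# Entries quoted in the message above (stock FC2 rpm.fc).
RPM_FC = """\
/usr/bin/apt-get        --      system_u:object_r:rpm_exec_t
/usr/bin/apt-shell      --      system_u:object_r:rpm_exec_t
/usr/bin/synaptic   --          system_u:object_r:rpm_exec_t
"""

# Constructed sample, "context path" per line as in the thread; not real output.
OBSERVED = """\
system_u:object_r:rpm_exec_t /usr/bin/apt-get
system_u:object_r:bin_t /usr/bin/apt-shell
root:object_r:rpm_exec_t /usr/bin/synaptic
"""

def parse_fc(text):
    """Parse file_contexts lines into (compiled regex, file-type flag, context)."""
    specs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank line or comment
        if len(fields) == 2:        # the file-type flag is optional
            fields.insert(1, None)
        if len(fields) != 3:
            continue  # malformed entry
        specs.append((re.compile(fields[0]), fields[1], fields[2]))
    return specs

def expected_context(specs, path):
    """Context of the last entry whose regex matches the whole path, else None."""
    found = None
    for regex, _ftype, context in specs:  # flag ignored: sample has no file types
        if regex.fullmatch(path):
            found = context
    return found

def audit(specs, observed_text):
    """Return (path, observed, expected, kind) for every label that differs."""
    findings = []
    for line in observed_text.splitlines():
        if not line.strip():
            continue
        observed, path = line.split(None, 1)
        expected = expected_context(specs, path)
        if expected in (None, "<<none>>") or observed == expected:
            continue
        # A differing type (third field) is reported apart from user/role drift.
        same_type = observed.split(":")[2] == expected.split(":")[2]
        findings.append((path, observed, expected, "user/role" if same_type else "type"))
    return findings

if __name__ == "__main__":
    for path, got, want, kind in audit(parse_fc(RPM_FC), OBSERVED):
        print(f"{kind} mismatch: {path}: {got} (policy says {want})")
```
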



