[apt-rpm] apt and selinux (was: Re: restorecon vs. setfiles)

Panu Matilainen pmatilai at welho.com
Tue Jun 29 10:00:37 UTC 2004


On Mon, 28 Jun 2004, Gary Peck wrote:

> On Mon, Jun 28, 2004 at 02:53:52PM -0400, Stephen Smalley wrote:
> > On Mon, 2004-06-28 at 09:11, Panu Matilainen wrote:
> > > I wouldn't call it an apt-problem, you just need to put it into the same
> > > context as rpm. This should already be the case on Fedora Core 2, dunno 
> > > about upstream selinux policy packages - this is from stock FC2 
> > > /etc/security/selinux/src/policy/file_contexts/program/rpm.fc:
> > > /usr/bin/apt-get        --      system_u:object_r:rpm_exec_t
> > > /usr/bin/apt-shell      --      system_u:object_r:rpm_exec_t
> > > /usr/bin/synaptic   --          system_u:object_r:rpm_exec_t
> 
> The context is not the problem. I'm running the targeted policy from
> FCdev, which makes both /bin/rpm and /usr/bin/apt*
> system_u:object_r:bin_t. rpm works fine, however, whereas apt-get does
> not.

Ok, the policy has changed in the development tree since FC2 release,
apt-rpm *was* working ok with the above context settings the last I
looked.

> 
> > It isn't just a policy issue; rpm had to be modified for SELinux to
> > set file security contexts when creating files.  Those changes are in
> > the upstream rpm, and yum seems to work as expected when updating.
> 
> I believe apt needs similar modifications. The attached patch to apt
> fixes the problem for me. I'm not too familiar with rpm, apt, or selinux
> internals, so this patch might need some work.  I just took the code
> from rpm's lib/rpminstall.c/rpmInstall() function which seemed to be
> missing in apt's apt-pkg/rpm/rpmpm.cc/pkgRPMLibPM::Process() function.

Much of the code in pkgRPMLibPM is lifted more-or-less directly from 
rpmInstall(), no problem with that :) I'll have a closer look at this one 
of these days but basically the patch seems fine to me if that's what rpm 
itself does.

	- Panu -
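
Added example, not part of the original message and not code from apt, rpm or the SELinux tools: a small Python check that parses file_contexts entries like the three quoted above and reports any package-manager binary whose expected label differs from rpm's. The /bin/rpm entry, the function names, and the last-match-wins lookup using Python regexes are assumptions made for illustration.

```python
import re

# File-type flags used in the second column of a file_contexts entry.
FILE_TYPES = {"--": "file", "-d": "dir", "-l": "symlink",
              "-c": "char", "-b": "block", "-s": "socket", "-p": "pipe"}

# The three apt entries quoted in the message, plus one constructed
# /bin/rpm entry (an assumption; the message does not show that line).
SAMPLE_FC = """\
/usr/bin/apt-get        --      system_u:object_r:rpm_exec_t
/usr/bin/apt-shell      --      system_u:object_r:rpm_exec_t
/usr/bin/synaptic   --          system_u:object_r:rpm_exec_t
/bin/rpm                --      system_u:object_r:rpm_exec_t
"""

def parse_fc(text):
    """Return (compiled_regex, file_type_or_None, context) per entry."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 2:            # no file-type column: any type
            pattern, ftype, context = fields[0], None, fields[1]
        elif len(fields) == 3 and fields[1] in FILE_TYPES:
            pattern, ftype, context = fields[0], FILE_TYPES[fields[1]], fields[2]
        else:
            continue                    # blank, comment, or malformed
        entries.append((re.compile(pattern), ftype, context))
    return entries

def lookup(entries, path, ftype="file"):
    """Context of the last entry whose whole-path regex and type match.

    Simplification (assumption): Python regex syntax and plain file order
    stand in for the matching rules of the real labeling tools.
    """
    found = None
    for regex, etype, context in entries:
        if etype in (None, ftype) and regex.fullmatch(path):
            found = context
    return found

def label_mismatches(entries, reference, paths):
    """Paths whose expected context differs from the reference binary's."""
    want = lookup(entries, reference)
    return {p: lookup(entries, p) for p in paths if lookup(entries, p) != want}
```

This only compares the labels the policy would assign to the binaries; as the thread notes, matching labels alone did not make apt-get set file contexts on the files it installs.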


