On Tue, 12 Apr 2005 15:04:20 EDT, Stephen Smalley said:

> No, you don't want to pull in the locally customized users into the
> source tree or policy build; they are incorporated into the policy load
> automatically via sepol_genusers(3) by load_policy and /sbin/init.

OK...

> Hmm..we specifically disabled checking of file_contexts.homedirs by the
> setfiles -c validation performed by the policy Makefile, but then added
> it back again to genhomedircon for runtime updates. But that makes no
> sense, as the binary policy file doesn't have the user identities. Mea
> culpa. Options are 1) strip the setfiles -c validation from
> genhomedircon, or 2) have genhomedircon build a temporary binary policy
> file via genpolusers that includes the full set of user identities and
> apply setfiles -c using that file.

Well.. assuming (hah!) that the current policy load has the right user
list in it (i.e. that seuser or similar tools have kept things up to
date), there's no real reason for the -c in "normal production" use.

Do we ever need to run genhomedircon against a non-loaded policy (major
upgrades like FC3->FC4 where we're booted off a CD, or an RPM upgrade of
one of the SELinux tools where we need to get ducks lined up in an RPM
pre/post scriptlet)?