livecd-creator + selinux

Daniel J Walsh dwalsh at redhat.com
Fri May 16 11:56:24 UTC 2008


Eric Paris wrote:
| On Thu, 2008-05-15 at 16:47 -0400, Stephen Smalley wrote:
|> On Thu, 2008-05-15 at 16:33 -0400, Eric Paris wrote:
|>> #4 At the end of the rpm transaction when everything is installed it
|>> calls restorecon and I get one for (I assume) every file almost all of
|>> which look like:
|>>
|>> /sbin/restorecon reset /srv context system_u:object_r:var_t:s0->system_u:object_r:var_t:s0
|>>
|>> Notice nothing changed?  Again I assume its my hack of a /selinux which
|>> causes it and I'll try to run down why, but maybe someone else sees that
|>> quickly.
|> That suggests it is being called with the -f (force) flag from
|> e.g. /sbin/fixfiles.  selinux-policy.spec does a
|> 	fixfiles -C file_contexts.pre restore
|>
|> fixfiles -C does a diff between the old and new file contexts
|> configurations and applies restorecon to the result. There is some
|> serious magic in there, and it is all Dan's fault ;)
|
| ok, in the livecd-creator kickstart.py I see
|
|         if os.path.exists(self.path("/sbin/restorecon")):
|             self.call(["/sbin/restorecon", "-l", "-v", "-r", "-F", "-e", "/proc", "-e", "/sys", "-e", "/dev", "-e", "/selinux", "/"])
|
| So there is our -F.  Is there a way to get it to fix "user" without
| getting it to fix "things that aren't wrong"
|
| -Eric
|
Remove the -v

Although this looks wrong and makes no sense in restorecon/setfiles.


	/*
	 * Do not relabel the file if the matching specification is
	 * <<none>> or the file is already labeled according to the
	 * specification.
	 */
	if ((strcmp(newcon, "<<none>>") == 0) ||
	    (context && (strcmp(context, newcon) == 0) && !force)) {
		freecon(context);
		goto out;
	}

The !force check should be removed.   It makes no sense to relabel in the
case of the context being the same or the context being none.

Should be


	/*
	 * Do not relabel the file if the matching specification is
	 * <<none>> or the file is already labeled according to the
	 * specification.
	 */
	if ((strcmp(newcon, "<<none>>") == 0) ||
	    (context && (strcmp(context, newcon) == 0))) {
		freecon(context);
		goto out;
	}


I will provide a patch and update.

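The relabel decision the thread is arguing about, written out as an added example in C (illustration only, not code from setfiles or from this message). It assumes the documented restorecon behaviour that without -F only the type field is compared while -F compares the whole context (user, role, type, range), and it applies the fix proposed above: an already-correct file is never "reset", force or not. The sample contexts are constructed.

```c
#include <stdio.h>
#include <string.h>

enum decision { SKIP_NONE, SKIP_SAME, RELABEL };
/* Copy the type field of a "user:role:type[:range]" context into buf.
 * Returns -1 if the context is malformed or too long. */
static int context_type(const char *con, char *buf, size_t len)
{
    const char *p = con;
    for (int i = 0; i < 2; i++) {            /* skip user and role */
        if (!(p = strchr(p, ':'))) return -1;
        p++;
    }
    const char *end = strchr(p, ':');        /* range is optional */
    size_t n = end ? (size_t)(end - p) : strlen(p);
    if (n >= len) return -1;
    memcpy(buf, p, n);
    buf[n] = '\0';
    return 0;
}

/* Decide whether a file currently labeled `context` must be relabeled to
 * the spec `newcon`. Without force only the type is compared, as the
 * restorecon man page documents; with force (-F) the whole context is.
 * Either way an already-correct file is left alone: no `&& !force`. */
enum decision decide(const char *context, const char *newcon, int force)
{
    if (strcmp(newcon, "<<none>>") == 0)
        return SKIP_NONE;
    if (context == NULL)
        return RELABEL;                      /* unlabeled: always set */
    if (force)
        return strcmp(context, newcon) == 0 ? SKIP_SAME : RELABEL;
    char cur[64], want[64];
    if (context_type(context, cur, sizeof cur) ||
        context_type(newcon, want, sizeof want))
        return RELABEL;                      /* malformed label: reset it */
    return strcmp(cur, want) == 0 ? SKIP_SAME : RELABEL;
}

int main(void)
{
    const char *spec = "system_u:object_r:var_t:s0";         /* constructed */
    const char *badu = "unconfined_u:object_r:var_t:s0";     /* wrong user */
    printf("/srv with -F: %s\n", decide(spec, spec, 1) == SKIP_SAME ? "skip" : "reset");
    printf("wrong user, no -F: %s\n", decide(badu, spec, 0) == SKIP_SAME ? "skip" : "reset");
    printf("wrong user, -F: %s\n", decide(badu, spec, 1) == RELABEL ? "reset" : "skip");
    return 0;
}
```

The /srv case from the quoted output is the first call: identical contexts on both sides, so -F must not report a reset; the second and third calls show that the user field is only corrected when -F is given, which is why livecd-creator passes it.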




More information about the fedora-selinux-list mailing list