selinux + livecd-creator, May 20, 2008

Daniel J Walsh dwalsh at redhat.com
Wed May 21 14:06:35 UTC 2008


Stephen Smalley wrote:
> On Tue, 2008-05-20 at 15:43 -0400, Daniel J Walsh wrote:
>> Jeremy Katz wrote:
>>> On Tue, 2008-05-20 at 15:33 -0400, Stephen Smalley wrote:
>>>> On Tue, 2008-05-20 at 15:12 -0400, Eric Paris wrote:
> >>>>> Making use of the wonderful new deferred selinux context patch set from
> >>>>> the kernel I get beautiful messages like:
>>>>>
>>>>> /sbin/restorecon reset /sbin/dump context
>>>>> system_u:object_r:unlabeled_t:s0->system_u:object_r:eparis_exec_t:s0
>>>>>
>>>>> The file wasn't really "unlabeled_t" it just wasn't a valid label on the
>>>>> host machine.  Since restorecon/fixfiles runs over the same files like 3
>>>>> times during a livecd creation this gets rather annoying.  Do we have an
>>>>> interface I could use to make restorecon do the right comparison here?
>>>> Well, could we instead avoid running restorecon/fixfiles multiple times
>>>> on the same files?  And ideally just get rpm to label the files
>>>> correctly in the first place since that is why we added the kernel
>>>> patch?
>>> FWIW, we do a final pass with restorecon/fixfiles at the end of creating
>>> the files just so that we can ensure that any files that were created as
>>> the result of a %post script or anything else which doesn't transition
>>> correctly (... perhaps because the policy doesn't know it needs to) ends
>>> up with the right final label.  This is pretty confined to just the
>>> livecd-creator case, though.
>>>
>>> Jeremy
>>>
>>> --
>>> fedora-selinux-list mailing list
>>> fedora-selinux-list at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>> Can we use fixfiles restore instead of restorecon?  It will output a
>> little "*" for every 10,000 files it relabels and we don't need to see
>> thousands of useless restorecon lines.
> 
> Isn't that just the same as calling restorecon with -p rather than -v?
> 
I believe fixfiles restore only labels file systems that support labels,
while restorecon -R -v / will walk all file systems, so fixfiles might
be a little faster.

        # fixfiles restore: prune file systems that cannot carry labels and
        # feed the remaining paths to restorecon on stdin (NUL-separated)
        /usr/bin/find "$FILEPATH" \
            ! \( -fstype ext2 -o -fstype ext3 -o -fstype ext4 -o -fstype ext4dev \
                 -o -fstype gfs2 -o -fstype jfs -o -fstype xfs \) -prune -o -print0 | \
            ${RESTORECON} ${OUTFILES} ${FORCEFLAG} $* -0 -f - 2>&1 >> $LOGFILE
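A small triage filter for the verbose relabel output discussed in this thread, added here as an example; it is not code from the thread, from livecd-creator or from policycoreutils. It parses lines in the "TOOL reset PATH context OLD->NEW" form quoted in Eric's message and separates relabels whose old context is reported as unlabeled_t (in a livecd build tree, usually a type the host policy does not know rather than a truly unlabeled file) from relabels where the type actually changed. Treating an unlabeled_t old type as "host policy does not know this type" is an assumption that only holds for a freshly installed build tree; on a live host such a file may genuinely be unlabeled, so the filter counts those lines instead of dropping them. The sample log lines are constructed for the example.

```python
"""Triage restorecon -v / fixfiles output from a livecd-creator build log.

Added example (not from the thread or policycoreutils).  Line format is the
one quoted in the thread:

    /sbin/restorecon reset /sbin/dump context OLD_CONTEXT->NEW_CONTEXT

Assumption: in a build tree, an old context of type unlabeled_t means the
file carried a type unknown to the host policy (deferred context), so those
lines are summarised per target type rather than printed one by one.
"""
import re
from collections import Counter

# "TOOL reset PATH context OLD->NEW"; PATH is non-greedy so paths with spaces work
RESET_RE = re.compile(
    r"^(?P<tool>\S+) reset (?P<path>.+?) context (?P<old>\S+)->(?P<new>\S+)$"
)

# Constructed sample log: first line is the one quoted in the thread, the rest
# are made up to exercise the three cases (deferred, real relabel, non-reset line).
SAMPLE_LOG = """\
/sbin/restorecon reset /sbin/dump context system_u:object_r:unlabeled_t:s0->system_u:object_r:eparis_exec_t:s0
/sbin/restorecon reset /etc/fstab context system_u:object_r:unlabeled_t:s0->system_u:object_r:etc_t:s0
/sbin/restorecon reset /var/tmp/post.log context root:object_r:tmp_t:s0->system_u:object_r:var_t:s0
/sbin/restorecon reset /usr/bin/ssh context system_u:object_r:bin_t:s0->system_u:object_r:ssh_exec_t:s0
/sbin/restorecon: lstat(/missing) failed: No such file or directory
"""


def type_of(context):
    """Return the type field of a user:role:type[:range] context string."""
    return context.split(":")[2]


def parse_reset_line(line):
    """Parse one 'reset' line into a dict, or return None for any other line."""
    m = RESET_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["old_type"] = type_of(rec["old"])
    rec["new_type"] = type_of(rec["new"])
    return rec


def triage(lines):
    """Split log lines into (real relabels, deferred-label counts, other line count).

    real:     list of parsed records where the type genuinely changed
    deferred: Counter of target type -> number of files whose old type was
              unlabeled_t (assumed: type unknown to the host policy)
    other:    number of lines that are not 'reset' lines (errors, progress)
    """
    real = []
    deferred = Counter()
    other = 0
    for line in lines:
        rec = parse_reset_line(line)
        if rec is None:
            other += 1
        elif rec["old_type"] == "unlabeled_t":
            deferred[rec["new_type"]] += 1
        else:
            real.append(rec)
    return real, deferred, other


if __name__ == "__main__":
    real, deferred, other = triage(SAMPLE_LOG.splitlines())
    for rec in real:
        print("relabel %s: %s -> %s" % (rec["path"], rec["old_type"], rec["new_type"]))
    for new_type, n in sorted(deferred.items()):
        print("%d file(s) with host-unknown type now labeled %s" % (n, new_type))
    print("%d non-reset line(s)" % other)
```

Run it over the captured build log (`python3 triage.py < build.log` after replacing SAMPLE_LOG with `sys.stdin`) to see only the relabels that matter, which is the view Jeremy's final restorecon pass is meant to provide: files created by %post scripts that did not transition correctly.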