Making Fedora a contributor friendly environment

Stephen Smalley sds at tycho.nsa.gov
Thu May 10 16:27:10 UTC 2007


On Thu, 2007-05-10 at 11:49 -0400, Karl MacMillan wrote:
> [CC'd the selinux development list so that the developers are aware of
> these issues]
> 
> On Thu, 2007-05-10 at 16:50 +0200, Till Maas wrote:
> > On Do Mai 10 2007, Karl MacMillan wrote:
> > 
> > > When selinux is turned on again a full relabel of the filesystem is done
> > > to correct these problems. If the custom file context wasn't added to
> > > the database of file contexts (via a module or semanage) the file is set
> > > to the default label.
> > 
> > So will chcon in a scriptlet work, when an rpm is installed while selinux is 
> > not active?
> > 
> 
> Unfortunately it won't - does semanage / semodule work in this instance
> (it probably should so that users can turn selinux back on after
> disabling and doing package management).

semodule works with selinux disabled (it won't load the resulting policy
naturally, but it manipulates the policy store and regenerates the
policy files appropriately, so they would be used when selinux is next
enabled, and a relabel would happen at that time).  semanage has some
dependencies on libselinux (e.g. is_selinux_mls_enabled,
security_check_context) that should be converted to using libsemanage or
libsepol interfaces, and then there is the separate issue of the context
translation support.

-- 
Stephen Smalley
National Security Agency
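
An added example (not part of this message and not Fedora's own packaging code) of a package scriptlet helper that follows the behaviour described above: the file contexts ship in a policy module installed with semodule, and files are relabeled immediately only when SELinux is enabled. The function name, status strings, module path and directory are hypothetical.

```shell
#!/bin/sh
# Added example: label handling for a package post-install scriptlet.
# Assumptions (not from the thread): the function name, the status strings,
# and the example paths in the usage comment at the bottom.

# label_package_files MODULE_PP TARGET_DIR
# Prints one status word per step so the caller can log what happened.
label_package_files() {
    module_pp=$1
    target_dir=$2

    # A chcon done here would be lost at the next full relabel, so the
    # custom file contexts live in the policy module instead. semodule
    # updates the policy store even when SELinux is disabled.
    if ! semodule -i "$module_pp"; then
        echo "module-install-failed"
        return 1
    fi
    echo "module-installed"

    if selinuxenabled; then
        # SELinux is active: apply the new contexts to files already on disk.
        restorecon -R "$target_dir" || return 1
        echo "relabeled-now"
    else
        # SELinux is disabled: labels cannot be applied now. The relabel that
        # runs when SELinux is next enabled uses the regenerated policy files.
        echo "relabel-deferred"
    fi
}

# Usage inside a scriptlet (paths are placeholders):
#   label_package_files /usr/share/selinux/packages/mypkg.pp /opt/mypkg
```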



