[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: If you are maintinaing of developing a Fedora Package.

On Wed, 17 Oct 2007, Simo Sorce wrote:

On Wed, 2007-10-17 at 13:11 +0200, Adam Tkac wrote:
On Mon, Oct 15, 2007 at 11:31:17PM +0200, Karel Zak wrote:
 Couldn't be better to maintain default selinux labels like others
 file attributes?

     %attr(4755,root,root) %selinux(foo_t)  /bin/foo

I think restorecon is fare more better than this approach. With this you have two databases of file contexts - first is in specfile and second in selinux-policy*. When you use restorecon you have one centralised database. We will discuss if rpm will automaticaly run restorecon on all installed files.

Not only that, but a new policy may well change some labels to fix
errors, and make the package content obsolete. And even dangerous if the
package maintainer forgets to update it and on a yum update you get back
the old broken label.

Amen. If the labels were universally set in stone, it might make sense to
store into rpm but as they can and do vary between policy versions,
different policies and local custom policies... RPM is not the place to
strore the labels, period.

RPM simply queries the active SELinux policy via libselinux to set labels on files and directories on install and that works just fine except for per-package policies (https://bugzilla.redhat.com/show_bug.cgi?id=185434). Helping that case somehow is one thing, but stuffing the labels into packages is not the fix.

	- Panu -

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]