Re: If you are maintinaing of developing a Fedora Package.

[Panu Matilainen <pmatilai redhat com>]

On Wed, 17 Oct 2007, Simo Sorce wrote:

> On Wed, 2007-10-17 at 13:11 +0200, Adam Tkac wrote:
> > On Mon, Oct 15, 2007 at 11:31:17PM +0200, Karel Zak wrote:
> > >  Couldn't be better to maintain default selinux labels like others
> > >  file attributes?
> > >
> > >      %attr(4755,root,root) %selinux(foo_t)  /bin/foo
> >
> > I think restorecon is fare more better than this approach. With this 
> > you have two databases of file contexts - first is in specfile and 
> > second in selinux-policy*. When you use restorecon you have one 
> > centralised database. We will discuss if rpm will automaticaly run 
> > restorecon on all installed files.
>
> Not only that, but a new policy may well change some labels to fix
> errors, and make the package content obsolete. And even dangerous if the
> package maintainer forgets to update it and on a yum update you get back
> the old broken label.

Amen. If the labels were universally set in stone, it might make sense to
store into rpm but as they can and do vary between policy versions,
different policies and local custom policies... RPM is not the place to
strore the labels, period.

RPM simply queries the active SELinux policy via libselinux to set labels 
on files and directories on install and that works just fine except for 
per-package policies (https://bugzilla.redhat.com/show_bug.cgi?id=185434). 
Helping that case somehow is one thing, but stuffing the labels into 
packages is not the fix.

	- Panu -