rawhide install troubles

Jeremy Katz katzj at redhat.com
Fri Jan 30 04:09:05 UTC 2004


On Thu, 2004-01-29 at 17:06 -0500, Karl MacMillan wrote:
> On Thu, 2004-01-29 at 16:38, Jeremy Katz wrote:
> > On Thu, 2004-01-29 at 16:26 -0500, Karl MacMillan wrote:
> > > On Thu, 2004-01-29 at 16:15, Jeremy Katz wrote:
> > > > On Thu, 2004-01-29 at 01:14 -0800, Gary Peck wrote:
> > > > > - the SELinux policy package doesn't get pulled in by anything when
> > > > >   doing an upgrade. maybe something can depend on it? or maybe this
> > > > >   should just go in the "unsupported" category.
> > > > 
> > > > This is a good thing, IMHO.  Enabling it on an upgrade is going to
> > > > require some manual changes and thus I don't think that it should get
> > > > pulled in on an upgrade.
> > >
> > > What kind of manual changes do you mean? Building the policy,
> > > relabeling, loading the policy?
> > 
> > Relabeling mostly.  You won't be able to do that in a single step
> > because running in a 2.4 kernel, security xattrs won't be able to be set
> > on files.
> 
> You mean a 2.4 kernel without SELinux support I assume. At some point in
> the past I thought that you could set the security labels even on
> non-SELinux kernels. If you can't, any upgrading/installing of rpms will
> be a problem because I thought rpm was setting the labels directly. 

Which is most 2.4 kernels :-)   To set the labels, you have to be
running a kernel with EA support and that knows about the security
xattrs.  Most 2.4 kernels don't have this.  No 2.4 kernel used for
Fedora has.

> Additionally, what is the planned mechanism for updating the policy for
> a specific application? Assuming that policy is bundled in the rpm with
> the package, if the policy changes in a way that requires relabeling
> will rpm set the labels on the files owned by that rpm? 

Yes, the contexts for the files are stored in the header data for the
package and rpm sets the context right after the uncpio in the fsm.

> What about files
> labeled as a result of type transition rules? I think that these are
> some hard problems and I'm interested how they are being handled.

I might be missing something here -- labeling on files doesn't change on
type transitions, afaik. 

Cheers,

Jeremy
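
The requirement stated in the reply above (labels can only be set on a kernel with EA support that knows about the security xattrs) can be checked before a relabel is attempted. The following is an added example, not part of the original message: it reads the security.selinux attribute of a path and classifies the result. The function names and status strings are assumptions made for illustration.

```python
import errno
import os

SELINUX_XATTR = "security.selinux"  # xattr in which SELinux stores a file's context


def classify(err):
    """Map an errno from getxattr() to what it says about label support."""
    if err in (errno.ENOTSUP, errno.EOPNOTSUPP):
        return "no-xattr-support"     # kernel or filesystem cannot store the label
    if err == errno.ENODATA:
        return "supported-unlabeled"  # xattrs work, but the file has no context yet
    if err in (errno.EACCES, errno.EPERM):
        return "denied"
    return "error"


def parse_context(raw):
    """Split a raw xattr value into user, role, type and optional level."""
    text = raw.rstrip(b"\x00").decode("ascii", "replace")
    parts = text.split(":", 3)        # the level itself may contain ':' (s0:c1,c2)
    if len(parts) < 3 or not all(parts):
        raise ValueError("not a SELinux context: %r" % text)
    return dict(zip(("user", "role", "type", "level"), parts))


def probe(path):
    """Return (status, context dict or None) for one path."""
    if not hasattr(os, "getxattr"):   # Python build without xattr calls
        return "no-xattr-support", None
    try:
        raw = os.getxattr(path, SELINUX_XATTR, follow_symlinks=False)
    except OSError as exc:
        return classify(exc.errno), None
    try:
        return "labeled", parse_context(raw)
    except ValueError:
        return "error", None


if __name__ == "__main__":
    # Paths chosen for illustration; any file on the filesystem to be relabeled works.
    for p in ("/", "/etc/passwd", "/tmp"):
        print(p, *probe(p))
```

A result of "no-xattr-support" corresponds to the situation described for the 2.4 kernels, where relabeling has to wait until a capable kernel is running.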




