If you are maintaining or developing a Fedora Package.
Simo Sorce
ssorce at redhat.com
Wed Oct 17 12:47:30 UTC 2007
On Wed, 2007-10-17 at 13:11 +0200, Adam Tkac wrote:
> On Mon, Oct 15, 2007 at 11:31:17PM +0200, Karel Zak wrote:
> > Couldn't be better to maintain default selinux labels like others
> > file attributes?
> >
> > %attr(4755,root,root) %selinux(foo_t) /bin/foo
> >
>
> I think restorecon is far better than this approach. With this you have two databases of file contexts - first is in specfile and second in selinux-policy*. When you use restorecon you have one centralised database. We will discuss if rpm will automatically run restorecon on all installed files.
Not only that, but a new policy may well change some labels to fix
errors, and make the package content obsolete. And even dangerous if the
package maintainer forgets to update it and on a yum update you get back
the old broken label.
Simo.