restorecon vs. setfiles

Gary Peck gbpeck at sbcglobal.net
Fri Jun 25 16:34:15 UTC 2004


> >matchpathcon takes a pathname and optional file mode as input
> >parameters for matching against the file contexts configuration.  It
> >doesn't attempt to stat the file itself to obtain the mode because it
> >is sometimes used by programs that are creating new files (e.g. udev)
> >and want to know the context for the file they are about to create,
> >so it requires the caller to provide the mode.  restorecon currently
> >passes 0 as the mode, so no mode matching is performed.
> >
> >So this is a bug in restorecon; it needs to be changed to stat the
> >file and provide the mode.

Looks like a similar bug might be present in rpm, or at least the end
result is similar. Whenever I install new RPMs from Rawhide, *.so*
files get installed with object_r:lib_t context. If I run
"/sbin/fixfiles restore" right afterward, they get relabeled back to
object_r:shlib_t.  Either rpm has an old policy version on the Rawhide
build machines, or it's not labeling files correctly.

Also, the dev package in Rawhide comes with all files labeled as
object_r:device_t. After running fixfiles, some of those get relabeled
to the correct object_r:fixed_disk_device_t, object_r:tty_device_t,
object_r:sound_device_t, etc. dev should have the correct contexts to
begin with. Various files in /usr/sbin also don't have the correct
contexts as shipped in the RPMs.

This is all with selinux-policy-targeted-1.13.8-1,
policycoreutils-1.13.3-2, and rpm-4.3.2-0.4.

Gary
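
The mode-matching behaviour described in the quoted text, as an added example that is not part of the original message and is not libselinux or restorecon code. It is a simplified model that assumes the last matching entry wins; the file_contexts entries and paths are constructed for illustration, and `parse_file_contexts`, `lookup` and `lookup_existing` are hypothetical names.

```python
import os
import re
import stat

# file_contexts type flags and the S_IFMT value each one requires.
TYPE_FLAGS = {"--": stat.S_IFREG, "-d": stat.S_IFDIR, "-b": stat.S_IFBLK,
              "-c": stat.S_IFCHR, "-l": stat.S_IFLNK, "-p": stat.S_IFIFO,
              "-s": stat.S_IFSOCK}

# Constructed sample entries: regex, optional type flag, context.
SAMPLE_FILE_CONTEXTS = r"""
/dev(/.*)?                  system_u:object_r:device_t
/dev/[shm]d[^/]*        -b  system_u:object_r:fixed_disk_device_t
/dev/tty[^/]*           -c  system_u:object_r:tty_device_t
/lib(/.*)?                  system_u:object_r:lib_t
/lib/.*\.so(\.[^/]*)*   --  system_u:object_r:shlib_t
"""

def parse_file_contexts(text):
    """Return a list of (compiled regex, required file type or None, context)."""
    specs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) == 3:
            regex, flag, context = fields
            ftype = TYPE_FLAGS[flag]
        elif len(fields) == 2:
            (regex, context), ftype = fields, None
        else:
            raise ValueError("malformed entry: %r" % line)
        specs.append((re.compile(regex), ftype, context))
    return specs

def lookup(specs, path, mode):
    """Model of a lookup by pathname and mode; mode 0 disables type matching."""
    ftype = stat.S_IFMT(mode)
    for regex, wanted, context in reversed(specs):  # assumption: last match wins
        if not regex.fullmatch(path):
            continue
        if ftype and wanted is not None and wanted != ftype:
            continue  # entry is restricted to a different file type
        return context
    return None

def lookup_existing(specs, path):
    """The fix described above: stat the file (without following symlinks) first."""
    return lookup(specs, path, os.lstat(path).st_mode)
```

In this model a symlink named `/lib/libc.so.6` resolves to the `--` (regular file) entry when the caller passes mode 0, and to the general `/lib` entry once the real mode is supplied.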


