selinux + livecd-creator, May 20, 2008

Daniel J Walsh dwalsh at redhat.com
Tue May 20 19:43:07 UTC 2008


Jeremy Katz wrote:
> On Tue, 2008-05-20 at 15:33 -0400, Stephen Smalley wrote:
>> On Tue, 2008-05-20 at 15:12 -0400, Eric Paris wrote:
>>> Making use of the wonderful new deferred selinux context patch set from
>>> the kernel I get beautiful messages like:
>>>
>>> /sbin/restorecon reset /sbin/dump context
>>> system_u:object_r:unlabeled_t:s0->system_u:object_r:eparis_exec_t:s0
>>>
>>> The file wasn't really "unlabeled_t"; it just wasn't a valid label on the
>>> host machine.  Since restorecon/fixfiles runs over the same files like 3
>>> times during a livecd creation this gets rather annoying.  Do we have an
>>> interface I could use to make restorecon do the right comparison here?
>> Well, could we instead avoid running restorecon/fixfiles multiple times
>> on the same files?  And ideally just get rpm to label the files
>> correctly in the first place since that is why we added the kernel
>> patch?
> 
> FWIW, we do a final pass with restorecon/fixfiles at the end of creating
> the files just so that we can ensure that any files that were created as
> the result of a %post script or anything else which doesn't transition
> correctly (... perhaps because the policy doesn't know it needs to) end
> up with the right final label.  This is pretty confined to just the
> livecd-creator case, though.
> 
> Jeremy
> 
Can we use fixfiles restore instead of restorecon?  It will output a
little "*" for every 10,000 files it relabels and we don't need to see
thousands of useless restorecon lines.
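
An added example, not part of the original thread: one way to collapse the per-file "reset ... context old->new" lines quoted above into a count per type transition, so relabels that started from unlabeled_t stand out in a build log. It assumes each message is a single line in the format shown in the thread; the function names and all sample lines except the /sbin/dump one are constructed for illustration.

```shell
#!/bin/sh
# Summarize verbose restorecon output by SELinux type transition.
# Assumed input format (one line per relabeled file, as quoted in the thread):
#   <prog> reset <path> context <old_context>-><new_context>

summarize_relabels() {
    awk '
        # Keep only relabel messages; progress marks and other noise are skipped.
        $2 == "reset" && $(NF-1) == "context" {
            # The last field is "<old>-><new>"; paths containing spaces do not
            # matter because only the final two fields are inspected.
            if (split($NF, ctx, "->") != 2) next
            # A context is user:role:type[:level]; the type is the third part.
            split(ctx[1], old, ":")
            split(ctx[2], new, ":")
            count[old[3] " -> " new[3]]++
        }
        END {
            for (k in count) printf "%d %s\n", count[k], k
        }
    ' | sort -k1,1nr -k2
}

# Constructed sample log: the first line is the message from the thread,
# the rest are made up for this example.
sample_log() {
    cat <<'EOF'
/sbin/restorecon reset /sbin/dump context system_u:object_r:unlabeled_t:s0->system_u:object_r:eparis_exec_t:s0
/sbin/restorecon reset /sbin/restore context system_u:object_r:unlabeled_t:s0->system_u:object_r:eparis_exec_t:s0
/sbin/restorecon reset /usr/bin/my tool context system_u:object_r:file_t:s0->system_u:object_r:bin_t:s0
*
some unrelated build output
EOF
}

sample_log | summarize_relabels
```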