rawhide install troubles

Daniel J Walsh dwalsh at redhat.com
Fri Jan 30 13:16:48 UTC 2004


Jeremy Katz wrote:

>On Thu, 2004-01-29 at 17:06 -0500, Karl MacMillan wrote:
>  
>
>>On Thu, 2004-01-29 at 16:38, Jeremy Katz wrote:
>>    
>>
>>>On Thu, 2004-01-29 at 16:26 -0500, Karl MacMillan wrote:
>>>      
>>>
>>>>On Thu, 2004-01-29 at 16:15, Jeremy Katz wrote:
>>>>        
>>>>
>>>>>On Thu, 2004-01-29 at 01:14 -0800, Gary Peck wrote:
>>>>>          
>>>>>
>>>>>>- the SELinux policy package doesn't get pulled in by anything when
>>>>>>  doing an upgrade. maybe something can depend on it? or maybe this
>>>>>>  should just go in the "unsupported" category.
>>>>>>            
>>>>>>
>>>>>This is a good thing, IMHO.  Enabling it on an upgrade is going to
>>>>>require some manual changes and thus I don't think that it should get
>>>>>pulled in on an upgrade.
>>>>>          
>>>>>
>>>>What kind of manual changes do you mean? Building the policy,
>>>>relabeling, loading the policy?
>>>>        
>>>>
>>>Relabeling mostly.  You won't be able to do that in a single step
>>>because running in a 2.4 kernel, security xattrs won't be able to be set
>>>on files.
>>>      
>>>
>>You mean a 2.4 kernel without SELinux support I assume. At some point in
>>the past I thought that you could set the security labels even on
>>non-SELinux kernels. If you can't, any upgrading/installing of rpms will
>>be a problem because I thought rpm was setting the labels directly.
>>    
>>
>
>Which is most 2.4 kernels :-)   To set the labels, you have to be
>running a kernel with EA support and that knows about the security
>xattrs.  Most 2.4 kernels don't have this.  No 2.4 kernel used for
>Fedora has.
>
>  
>
>>Additionally, what is the planned mechanism for updating the policy for
>>a specific application? Assuming that policy is bundled in the rpm with
>>the package, if the policy changes in a way that requires relabeling
>>will rpm set the labels on the files owned by that rpm? 
>>    
>>
>
>Yes, the contexts for the files are stored in the header data for the
>package and rpm sets the context right after the uncpio in the fsm.
>
>  
>
>>What about files
>>labeled as a result of type transition rules? I think that these are
>>some hard problems and I'm interested how they are being handled.
>>    
>>
>
>  
>
Files that get created via type transition will get labeled via rpm if 
they are provided via RPM; other files are going to get initial context 
via anaconda. If the files do not exist, they will get labels either via 
default labeling or through type transition.  We don't have all the 
answers yet and hope to work out problems like initial labeling of 
home directories with the community.  We also need to continue to 
develop the policy to handle unlabeled file systems.  (I.e., you don't want 
to require users with terabytes of files to attempt labeling their file 
system.)  Some of the changes being made to the kernel to allow labeling 
an entire filesystem at mount time should be able to address these issues.

>I might be missing something here -- labeling on files doesn't change on
>type transitions, afaik. 
>
>Cheers,
>
>Jeremy
>
>
>  
>




