As we develop SELinux we are adding new labels to homedir content

Daniel J Walsh dwalsh at redhat.com
Thu May 31 19:44:17 UTC 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

We have added file trans by name rules to policy to fix a lot of
files/directories being created with the correct label.

We have problems on Distribution updates (F16-F17) though, where there are
files/directories in the homedir that are mislabeled.

We have "restorecond -u" which we run in F15/F16 which examines the homedir
and fixes any files/directories it finds mislabeled in ~.  If it finds a dir
which is mislabeled, it will relabel the directory and all of its children.
We have turned this tool off by default on the desktop in F17, because
filename transition rules are doing a pretty good job of maintaining the
labels in the homedir.  But this tool never did a great job of fixing
mislabeled subdirs, if the top level directory in the homedir was labeled
correctly.
You can enable this tool with /etc/xdg/autostart/restorecond.desktop.

One possible fix to this would be to force a system relabel on everything on
upgrades; while this would fix the labels, it is considered too time consuming.
(restorecon -R -v / or touch /.autorelabel)

Another option would be to just relabel /home (# restorecon -R -v /home) at
upgrade time.  But this would also be time consuming. And would not catch the
cases where the homedir is not in /home.

A third option would be to run "restorecon -R -v $HOME" in background in a
profile script the first time you login on a new OS Version.  This would seem
to be the least time consuming, but could be subject to race conditions: you
hit the mislabeled file before the restorecon fixes it.  This would be better
than what we have now, in that everyone can hit the mislabeled file/directory.

Final option would be to do nothing, which is what we are doing in F17, until
we get a bug reported and tell the user to run "restorecon -R -v /home".
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk/HyhEACgkQrlYvE4MpobPilwCgx8rn5Yu+jlOm/kzTWf/3oLlT
8jEAoKavA8sEghVkc2sxVhuZIYHBMSXB
=wn44
-----END PGP SIGNATURE-----
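The following is an added example, not code from Dan's post or from the SELinux project, of what the "third option" above could look like as a profile script: on the first login after an OS version change, relabel $HOME recursively in the background and remember which version did it. The stamp file location (`~/.config/selinux-homedir-relabel`), the use of `VERSION_ID` from `/etc/os-release` as the "OS version", and the `selinuxenabled` gate are my assumptions; the post specifies none of them.

```shell
#!/bin/sh
# Added example (not from the original post): a login hook in the shape of the
# "third option" -- run restorecon -R on $HOME in the background the first time
# a user logs in after an OS upgrade. Paths and version source are assumptions.

# Stamp file recording which OS version last relabeled this home directory.
# (Assumed location; the post does not name one.)
RELABEL_STAMP="${RELABEL_STAMP:-$HOME/.config/selinux-homedir-relabel}"

# restorecon command; overridable so the decision logic can be exercised on a
# machine without SELinux tooling.
RESTORECON="${RESTORECON:-restorecon}"

# os_version_id [FILE]
# Print VERSION_ID from an os-release style file (default /etc/os-release).
# Handles both quoted (VERSION_ID="17") and bare (VERSION_ID=17) forms.
os_version_id() {
    f="${1:-/etc/os-release}"
    [ -r "$f" ] || return 1
    sed -n 's/^VERSION_ID=//p' "$f" | tr -d '"' | head -n 1
}

# needs_relabel STAMP VERSION
# True (exit 0) when no stamp exists yet or the stamp records a different
# version, i.e. this is the first login on a new OS version. An unknown
# version never triggers a relabel.
needs_relabel() {
    stamp="$1"; ver="$2"
    [ -n "$ver" ] || return 1
    [ -f "$stamp" ] || return 0
    [ "$(cat "$stamp")" != "$ver" ]
}

# relabel_home STAMP VERSION [DIR]
# Relabel DIR (default $HOME) recursively, then write the stamp only if
# restorecon succeeded, so a failed or interrupted run is retried at the next
# login instead of being silently recorded as done. Runs synchronously; the
# caller backgrounds it.
relabel_home() {
    stamp="$1"; ver="$2"; dir="${3:-$HOME}"
    needs_relabel "$stamp" "$ver" || return 0
    command -v "$RESTORECON" >/dev/null 2>&1 || return 0   # no restorecon here
    mkdir -p "$(dirname "$stamp")" || return 1
    "$RESTORECON" -R "$dir" && printf '%s\n' "$ver" > "$stamp"
}

# Login-time entry point, e.g. installed as /etc/profile.d/selinux-homedir.sh
# (assumed path). Only acts on SELinux-enabled systems and backgrounds the
# relabel so login is not delayed. The post's caveat still applies: a file
# touched before restorecon reaches it is still mislabeled at that moment.
main() {
    [ -n "$HOME" ] && [ -d "$HOME" ] || return 0
    selinuxenabled >/dev/null 2>&1 || return 0
    relabel_home "$RELABEL_STAMP" "$(os_version_id)" "$HOME" >/dev/null 2>&1 &
}
main
```

Because the stamp is written only after a successful `restorecon`, a user who logs out mid-relabel gets another attempt next time; the stamp lives under `$HOME` so each user's home is handled independently regardless of whether it sits in /home, which addresses the second option's gap. The race the post describes is inherent to backgrounding and is not solved here; an AVC denial for a home file shortly after an upgrade login is the symptom to look for.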

