How to properly upgrade policy
Tom London
selinux at comcast.net
Fri Jun 25 16:26:33 UTC 2004
These are VERY nice changes, automating what I've been doing manually.
An observation: the package 'install' process has gotten much better
with file
contexts.
Any thoughts on automating the assignment of file contexts to the
files created by package scripts (e.g., /boot/grub/grub.conf, depmod files,
/etc/selinux/config, ...)? Would be nice to have a 'SELinux package
description' that describes the package's desired/default contexts. That
would allow inspection prior to install, tools to check consistency with
installed file_contexts, etc. 'rpm -q --filecontext' is almost
it. Any way to add the other stuff to it, or something like it?
tom
[Sorry if this is old hat....]
Dan Walsh wrote:
> Setfiles and restorecon have a new qualifier (-o filename) which will
> record the file paths of any files that the tools find with the
> incorrect security context. So if you run setfiles -n -v -o
> /tmp/badfilecontexts, you would have a report and a file with all the
> paths of files with bad file contexts. If everything looks ok, you
> could run restorecon -f /tmp/badfilecontexts and clean them up quickly.
More information about the selinux
mailing list