genhomedircon flakyness

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Tue Apr 12 20:16:40 UTC 2005


On Tue, 12 Apr 2005 15:04:20 EDT, Stephen Smalley said:

> No, you don't want to pull in the locally customized users into the
> source tree or policy build; they are incorporated into the policy load
> automatically via sepol_genusers(3) by load_policy and /sbin/init.

OK...

> Hmm..we specifically disabled checking of file_contexts.homedirs by the
> setfiles -c validation performed by the policy Makefile, but then added
> it back again to genhomedircon for runtime updates.  But that makes no
> sense, as the binary policy file doesn't have the user identities.  Mea
> culpa.  Options are 1) strip the setfiles -c validation from
> genhomedircon, or 2) have genhomedircon build a temporary binary policy
> file via genpolusers that includes the full set of user identities and
> apply setfiles -c using that file.

Well.. assuming (hah!) that the current policy load has the right user list
in it (i.e. that seuser or similar tools have kept things up to date), there's
no real reason for the -c in "normal production" use.

Do we ever need to run genhomedircon against a non-loaded policy (major
upgrades like FC3->FC4 where we're booted off a CD, or an RPM upgrade of
one of the SELinux tools where we need to get ducks lined up in an RPM
pre/post scriptlet)?