livecd-creator + selinux

Daniel J Walsh dwalsh at redhat.com
Fri May 16 11:58:27 UTC 2008



Stephen Smalley wrote:
| On Thu, 2008-05-15 at 17:20 -0400, Eric Paris wrote:
|> On Thu, 2008-05-15 at 16:47 -0400, Stephen Smalley wrote:
|>> On Thu, 2008-05-15 at 16:33 -0400, Eric Paris wrote:
|>>> #4 At the end of the rpm transaction when everything is installed it
|>>> calls restorecon and I get one for (I assume) every file almost all of
|>>> which look like:
|>>>
|>>> /sbin/restorecon reset /srv context system_u:object_r:var_t:s0->system_u:object_r:var_t:s0
|>>>
|>>> Notice nothing changed?  Again I assume it's my hack of a /selinux which
|>>> causes it and I'll try to run down why, but maybe someone else sees that
|>>> quickly.
|>> That suggests it is being called with the -f (force) flag from
|>> e.g. /sbin/fixfiles.  selinux-policy.spec does a
|>> 	fixfiles -C file_contexts.pre restore
|>>
|>> fixfiles -C does a diff between the old and new file contexts
|>> configurations and applies restorecon to the result. There is some
|>> serious magic in there, and it is all Dan's fault ;)
|> ok, in the livecd-creator kickstart.py I see
|>
|>         if os.path.exists(self.path("/sbin/restorecon")):
|>             self.call(["/sbin/restorecon", "-l", "-v", "-r", "-F", "-e", "/proc", "-e", "/sys", "-e", "/dev", "-e", "/selinux", "/"])
|>
|> So there is our -F.  Is there a way to get it to fix "user" without
|> getting it to fix "things that aren't wrong"
|
| I think we should change setfiles/restorecon to just not do that even
| with -F.  IIRC, changing it to always invoke setfilecon even if the
| contexts were the same was motivated by the problem we used to have
| where the in-core label and the on-disk xattr could get out of sync.
|
| Patch below.  Note that restorecon is just a link to setfiles that
| presents a different default user interface and behaviors (ever since I
| coalesced them).
|
| Index: policycoreutils/setfiles/setfiles.c
| ===================================================================
| --- policycoreutils/setfiles/setfiles.c	(revision 2879)
| +++ policycoreutils/setfiles/setfiles.c	(working copy)
| @@ -495,7 +495,7 @@
|  	 * specification.
|  	 */
|  	if ((strcmp(newcon, "<<none>>") == 0) ||
| -	    (context && (strcmp(context, newcon) == 0) && !force)) {
| +	    (context && (strcmp(context, newcon) == 0))) {
|  		freecon(context);
|  		goto out;
|  	}
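Review bot: dropping `&& !force` from the skip condition means -F can no longer re-apply a label that already matches, which is the only path that worked around the in-core label vs. on-disk xattr desync mentioned above; if that failure mode is considered gone, say so in the commit message, and otherwise keep a way to force the setfilecon call (a separate option, or leaving `force` in this test). The comment ending in "specification." directly above the hunk, and the setfiles/restorecon man page description of -F, should be checked so neither still promises that -F resets files whose context is already correct. Since restorecon is a link to setfiles, both invocations change behaviour with this one line.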
|
|
Same patch almost simultaneous, it must be right.
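An added Python example, not from this thread and not code from policycoreutils or livecd-creator, that shows the symptom Eric describes and the fix under discussion from the defender's side: it parses `restorecon -v` "reset" lines, flags the ones where the old and new context are identical (the spurious resets -F caused), reports which context field actually changed for the rest (the "fix user" case Eric wanted versus a real type change), and models the skip condition in the quoted setfiles.c hunk before and after the patch. The sample output lines are constructed from the one line quoted above; all function and class names here are my own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample of `restorecon -v` output, modelled on the /srv line
# quoted in the thread; it was not captured from a real system.
SAMPLE_OUTPUT = """\
/sbin/restorecon reset /srv context system_u:object_r:var_t:s0->system_u:object_r:var_t:s0
/sbin/restorecon reset /root/.bashrc context unconfined_u:object_r:admin_home_t:s0->system_u:object_r:admin_home_t:s0
/sbin/restorecon reset /etc/shadow context system_u:object_r:etc_t:s0->system_u:object_r:shadow_t:s0
"""

# "<prog> reset <path> context <old>-><new>", the shape printed with -v.
LINE_RE = re.compile(
    r"^\S*restorecon reset (?P<path>\S+) context (?P<old>\S+)->(?P<new>\S+)$"
)

FIELDS = ("user", "role", "type", "level")


def split_context(con: str) -> dict:
    """Split user:role:type:level; the MLS level may itself contain ':'."""
    parts = con.split(":", 3)
    if len(parts) != 4:
        raise ValueError(f"not a full SELinux context: {con!r}")
    return dict(zip(FIELDS, parts))


@dataclass
class Relabel:
    path: str
    old: str
    new: str

    def changed_fields(self) -> tuple:
        """Which parts of the context differ; () means nothing changed."""
        o, n = split_context(self.old), split_context(self.new)
        return tuple(f for f in FIELDS if o[f] != n[f])

    @property
    def is_noop(self) -> bool:
        return self.old == self.new


def parse_restorecon_output(text: str) -> list:
    """Turn -v output into Relabel records, ignoring unrelated lines."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(Relabel(m["path"], m["old"], m["new"]))
    return out


def spurious_resets(relabels: list) -> list:
    """Paths 'reset' to the identical context: the symptom in the thread.
    With unpatched setfiles and -F, every file ends up in this list."""
    return [r.path for r in relabels if r.is_noop]


def summarize(relabels: list) -> Counter:
    """Count relabels by what changed: 'noop' or a '+'-joined field list."""
    c = Counter()
    for r in relabels:
        fields = r.changed_fields()
        c["noop" if not fields else "+".join(fields)] += 1
    return c


def should_relabel(current: Optional[str], newcon: str,
                   force: bool, patched: bool) -> bool:
    """Model the decision in the quoted setfiles.c hunk.

    Unpatched: a context that already matches is skipped only when -F is
    absent, so -F calls setfilecon on every file.  Patched: a matching
    context is always skipped, whether or not -F was given.
    """
    if newcon == "<<none>>":
        return False  # file_contexts says to leave this file alone
    if current is None or current != newcon:
        return True
    # current == newcon from here on
    if patched:
        return False
    return force


if __name__ == "__main__":
    rl = parse_restorecon_output(SAMPLE_OUTPUT)
    print("spurious resets:", spurious_resets(rl))
    print("by changed field:", dict(summarize(rl)))
```

Run it against the real `restorecon -v` output from a livecd-creator build: a long `spurious resets` list with the unpatched binary and an empty one after the patch is the quick check that the change took effect. The trade-off Stephen raises stays visible in `should_relabel`: once `patched` is true there is no input for which an identical on-disk label gets rewritten, so the old in-core/xattr desync workaround is gone.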