Re: dpkg and selinux
On Tue, 7 Sep 2004 22:39, Luke Kenneth Casson Leighton <lkcl@lkcl.net> wrote:
> > This is already catered for. The only move which could lose the SE Linux
> > context is one that crosses file systems. This doesn't work for package
> > installation anyway (imagine if /bin/bash or /usr/bin/perl was being
> > replaced and half way through copying over the new file there was a power
> > failure).
>
> so... if i have /usr, /var, / and /boot on separate partitions, and move
> files around, is the selinux context lost or kept?

It's kept by default with the modified coreutils. Other programs that perform
similar functions to mv will operate differently.

> > > 2) the linux kernel could be "prepped" by the functions in libselinux
> > > such that the correct file contexts be applied at move time (i
> > > think!)
> >
> > No kernel changes.
>
> [i mean by using libselinux1 in standard way]

Yes, we can make dpkg call functions in libselinux1.

> > > well, under most circumstances, i believe that can be catered for
> > > (with /etc/init.d/xfs creating /tmp/.font-unix being a notable
> > > exception).
> >
> > test -s /sbin/restorecon && /sbin/restorecon /tmp/.font-unix
>
> (in /etc/init.d/xfs i've used if [ -x /sbin/restorecon ]; then /sbin....
> but hey it's all the same)

Yes. Now we just need to get that into the init script. Please file an
appropriate bug report requesting that either method be used.

--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
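
The restorecon guard discussed above for /etc/init.d/xfs, written out as an added example that is not part of the original message or of the Debian init script. The function names, the RESTORECON variable and the 1777 mode are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: create a runtime directory and restore its SELinux
# context only when restorecon is installed, so the same init script
# works on systems with and without SELinux.

# Path to the relabelling tool; overridable for testing (assumption).
RESTORECON="${RESTORECON:-/sbin/restorecon}"

# True only if the tool is a regular file with an execute bit.
# The `test -s` form from the thread checks "exists and is non-empty";
# -x additionally avoids trying to run a file that is not executable.
have_restorecon() {
    [ -f "$RESTORECON" ] && [ -x "$RESTORECON" ]
}

# make_labelled_dir DIR MODE
# Returns 0 if DIR exists afterwards. A failed relabel is reported on
# stderr but is not fatal, so the service can still start.
make_labelled_dir() {
    dir=$1
    mode=$2
    [ -d "$dir" ] || mkdir -m "$mode" "$dir" || return 1
    if have_restorecon; then
        "$RESTORECON" "$dir" || echo "warning: restorecon failed on $dir" >&2
    fi
    return 0
}

# In an init script such as /etc/init.d/xfs the call would be:
#   make_labelled_dir /tmp/.font-unix 1777
```

Without the relabel step, a directory created by the init script keeps whatever context it received at creation time and is corrected only when something else relabels it.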