Bug#685992: debian-policy: Document in the policy the way to properly set selinux labels on files and directories
Laurent Bigonville <bigon@debian.org> writes:
> On a SELinux-enabled machine, when an initscript is creating a directory
> or a file, it might end up not having the correct SELinux label on disk.
> If the service is protected by SELinux this will result in the service
> not working at all or having some weird behaviour.
> The proper way to fix the SELinux file context is to call restorecon on
> the file/directory. Some initscripts in the archive are already
> implementing this alongside setting up the correct permissions (udev,
> rpcbind, ...):
> [ -x /sbin/restorecon ] && /sbin/restorecon "$MYFILE"
Does this also apply to other places where directories are created outside
of dpkg, such as by maintainer scripts? Or is it specific to init
scripts?
Where is restorecon getting the correct information from? It looks like
it's not necessary to pass in any label information, so presumably there's
some database somewhere that has that information. Is any action
necessary to set up that database in the first place?
--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>
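The following is an added example, not code from the bug report or from any Debian package: it wraps the restorecon pattern quoted above in a POSIX sh helper that an initscript or maintainer script could use when it creates a runtime directory. The label restorecon applies comes from the file_contexts database shipped with the loaded policy (libselinux looks the path up there), so no label has to be passed in; matchpathcon queries the same database and is included to show what the policy expects for a path. The helper assumes restorecon, selinuxenabled and matchpathcon may or may not be installed and degrades to plain mkdir/chmod when they are absent or SELinux is disabled; the directory names used in the usage line are invented for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): create a runtime directory the way
# an initscript or maintainer script would, then restore its SELinux label.

# Restore the SELinux label of PATH from the loaded policy's file_contexts
# database. Returns 0 when the label was restored or when SELinux is not in
# use on this machine (no userspace tools, or no policy loaded in the kernel).
restore_label() {
    path="$1"
    # No restorecon binary: SELinux userspace is not installed, nothing to do.
    command -v restorecon >/dev/null 2>&1 || return 0
    # selinuxenabled exits non-zero when the kernel has no policy loaded;
    # restorecon would be a no-op anyway, but skip it explicitly.
    if command -v selinuxenabled >/dev/null 2>&1 && ! selinuxenabled; then
        return 0
    fi
    # -R also relabels anything already created below the path.
    restorecon -R "$path"
}

# Create DIR with MODE and an optional OWNER, then fix its label. A directory
# created by mkdir gets its type from the kernel's type-transition rules,
# which usually means it inherits the parent's type (e.g. var_run_t for
# /var/run/foo) rather than the per-service type the policy expects, so the
# restorecon step is what makes the label match the file_contexts entry.
make_runtime_dir() {
    dir="$1"; mode="$2"; owner="${3:-}"
    [ -d "$dir" ] || mkdir -p "$dir" || return 1
    chmod "$mode" "$dir" || return 1
    if [ -n "$owner" ]; then
        chown "$owner" "$dir" || return 1
    fi
    restore_label "$dir"
}

# Print the label the policy expects for PATH (for comparison with ls -Z).
# matchpathcon reads the same file_contexts database restorecon uses.
# Prints nothing and returns 0 when the tool is unavailable.
expected_label() {
    command -v matchpathcon >/dev/null 2>&1 || return 0
    matchpathcon "$1"
}

# Usage as an initscript would call it (paths are illustrative):
#   make_runtime_dir /var/run/examplesvc 0755 examplesvc:examplesvc
#   expected_label /var/run/examplesvc
```

Calling make_runtime_dir a second time on an existing directory is harmless: mkdir is skipped, permissions are re-applied and restorecon only changes a label that differs from the database entry, which is what makes the pattern safe to run on every service start.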