
Bug#685992: debian-policy: Document in the policy the way to properly set selinux labels on files and directories



On Mon, 27 Aug 2012 08:18:52 -0700,
Russ Allbery <rra@debian.org> wrote:

> Laurent Bigonville <bigon@debian.org> writes:
> 
> > On a selinux-enabled machine, when an initscript creates a
> > directory or a file, it might end up not having the correct selinux
> > label on disk. If the service is protected by selinux, this will
> > result in the service not working at all or having some weird
> > behaviour.
> 
> > The proper way to fix the selinux file context is to call
> > restorecon on the file/directory. Some initscripts in the archives
> > are already implementing this alongside setting up the correct
> > permissions (udev, rpcbind,...):
> 
> > [ -x /sbin/restorecon ] && /sbin/restorecon "$MYFILE"
> 
> Does this also apply to other places that directories are created
> outside of dpkg, such as by maintainer scripts?  Or is it specific to
> init scripts?

I'm not 100% sure about this one. I've found an old mail from Russell
(around 2004) talking about using restorecon inside maintainer scripts.
So yes, IMHO this also applies to files and directories created in them
too. Russell could you confirm this?

> Where is restorecon getting the correct information from?  It looks
> like it's not necessary to pass in any label information, so
> presumably there's some database somewhere that has that
> information.  Is any action necessary to set up that database in the
> first place?

Restorecon takes the correct context information from the selinux
policy (src:refpolicy) itself. On every selinux-enabled machine you
will have such a policy installed and loaded at boot time.

Cheers

Laurent Bigonville
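The pattern discussed in this thread, as an added example that is not part of the bug report or of any Debian package: a small POSIX sh helper an initscript or maintainer script could use to create a directory with the right ownership and mode and then let restorecon relabel it from the loaded policy. The helper names (prepare_dir, label_of) and the RESTORECON variable are assumptions; on a machine without restorecon the helper degrades to plain mkdir/chown/chmod, which mirrors the `[ -x /sbin/restorecon ] && ...` guard above.

```shell
#!/bin/sh
# Added example, not code from the bug report or from any Debian package.
# Assumed names: prepare_dir, label_of, RESTORECON.

# Path of restorecon; overridable for testing on hosts without SELinux.
RESTORECON=${RESTORECON:-/sbin/restorecon}

# prepare_dir PATH OWNER MODE
# Creates PATH if it is missing, sets ownership and permissions, then asks
# restorecon to apply the label the loaded policy's file_contexts database
# assigns to that path. No label is passed in: that is what makes the call
# safe to put into any package's script without hard-coding a type.
prepare_dir() {
    dir=$1; owner=$2; mode=$3
    [ -d "$dir" ] || mkdir -p "$dir" || return 1
    chown "$owner" "$dir" || return 1
    chmod "$mode" "$dir" || return 1
    if [ -x "$RESTORECON" ]; then
        # -R would also relabel existing contents; a freshly created
        # directory is empty, so a plain call is enough here.
        "$RESTORECON" "$dir" || return 1
    fi
    return 0
}

# label_of PATH
# Prints the SELinux context of PATH as reported by GNU stat, or "?" when
# the kernel has no SELinux support or the tool is unavailable.
label_of() {
    stat -c %C "$1" 2>/dev/null || echo '?'
}

# Stand-alone usage: create a spool directory under a temporary root,
# owned by the current user, and report its resulting label.
if [ "${1:-}" = "--demo" ]; then
    root=$(mktemp -d)
    prepare_dir "$root/spool" "$(id -un)" 0750 && \
        echo "$root/spool labelled as: $(label_of "$root/spool")"
    rm -rf "$root"
fi
```

Calling restorecon rather than chcon matters: chcon would write a fixed label that a later full relabel (for example after a policy update) silently overwrites, whereas restorecon always consults the policy's file_contexts entries and therefore stays correct as the policy evolves.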

