
Bug#685992: debian-policy: Document in the policy the way to properly set selinux labels on files and directories



On Thu, 1 May 2014 09:55:09 -0700,
Jonathan Nieder <jrnieder@gmail.com> wrote:

> Hi,

Hello,
 
> Laurent Bigonville wrote:
> 
> >   A maintainer script can for example call the restorecon(8)
> > executable to achieve this:
> >     [ -x /sbin/restorecon ] && /sbin/restorecon $myfile
> 
> Should I do this for all files I create in maintainer scripts, or only
> those that someone who knows things :) has told me need it?
> 
> Likewise, at runtime should I be doing this for files I create, or
> only for some subset of files?

Well, the answer here is: it depends.

If the file is immediately created in its final location, the file
context should be OK in 95% of the cases, as a file inherits the label
from its parent directory. If the file is moved in the process (i.e. the
file is created/built in /tmp and then moved), the context will for
sure be wrong.

The context behaves more or less like the Unix permissions: if the
file is moved, the context is not changed; if the file is copied, then
the context will be changed to the one of the parent directory (or, to
make things even more complex, to another context if a named
transition is used in the policy).

I proposed in the example to use restorecon as it's available in the
archive today, but there are other ways to set the proper context. For
example, the new mv command from coreutils 8.22 has a -Z flag which
also takes care of that, see:
https://danwalsh.livejournal.com/67751.html

Cheers,

Laurent Bigonville

> 
> Curious,
> Jonathan
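
A maintainer-script fragment that puts the restorecon line quoted above into practice, added here as an example and not taken from the original mail or from debian-policy. It assumes the build-in-/tmp-then-move scenario the mail describes; the helper names and the sample paths are invented for illustration.

```shell
#!/bin/sh
# Example maintainer-script helpers (constructed for illustration).
set -e

# Apply the file context from the loaded SELinux policy to the path given
# as $1, if restorecon is installed. Written as an if-statement rather than
# "[ -x /sbin/restorecon ] && /sbin/restorecon $myfile": that one-liner has
# exit status 1 when restorecon is absent, so as the last command of a
# maintainer script it would make dpkg report the script as failed on a
# system without SELinux. Quoting "$1" also keeps paths with spaces intact.
restore_context() {
    if [ -x /sbin/restorecon ]; then
        /sbin/restorecon -- "$1"
    fi
}

# Build a file outside its final directory (e.g. in /tmp) and move it into
# place. mv(1) keeps the label of the build location, so the moved file
# would otherwise carry the wrong context; relabel it after the move.
# (With coreutils >= 8.22, "mv -Z" can do the relabelling itself.)
install_built_file() {
    src="$1"
    dst="$2"
    mv -- "$src" "$dst"
    restore_context "$dst"
}

# Usage from postinst (hypothetical paths):
#   install_built_file /tmp/foo.conf.new /etc/foo/foo.conf
```

On a host without restorecon the helpers still return 0, so the script keeps working under set -e; on an SELinux host the moved file gets the context the policy assigns to its final path.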

