Eric Paris wrote:
| On Thu, 2008-05-15 at 16:47 -0400, Stephen Smalley wrote:
|> On Thu, 2008-05-15 at 16:33 -0400, Eric Paris wrote:
|>> #4 At the end of the rpm transaction when everything is installed it
|>> calls restorecon and I get one for (I assume) every file almost all of
|>> which look like:
|>>
|>> /sbin/restorecon reset /srv context system_u:object_r:var_t:s0->system_u:object_r:var_t:s0
|>>
|>> Notice nothing changed? Again I assume it's my hack of a /selinux which
|>> causes it and I'll try to run down why, but maybe someone else sees that
|>> quickly.
|> That suggests it is being called with the -f (force) flag from
|> e.g. /sbin/fixfiles. selinux-policy.spec does a
|> fixfiles -C file_contexts.pre restore
|>
|> fixfiles -C does a diff between the old and new file contexts
|> configurations and applies restorecon to the result. There is some
|> serious magic in there, and it is all Dan's fault ;)
|
| ok, in the livecd-creator kickstart.py I see
|
| if os.path.exists(self.path("/sbin/restorecon")):
|     self.call(["/sbin/restorecon", "-l", "-v", "-r", "-F", "-e", "/proc", "-e", "/sys", "-e", "/dev", "-e", "/selinux", "/"])
|
| So there is our -F. Is there a way to get it to fix "user" without
| getting it to fix "things that aren't wrong"
|
| -Eric
|
Remove the -v
Although this looks wrong and makes no sense in restorecon/setfiles.
	/*
	 * Do not relabel the file if the matching specification is
	 * <<none>> or the file is already labeled according to the
	 * specification.
	 */
	if ((strcmp(newcon, "<<none>>") == 0) ||
	    (context && (strcmp(context, newcon) == 0) && !force)) {
		freecon(context);
		goto out;
	}
The !force check should be removed. It makes no sense to relabel in the case of the context being the same or the context being none.
Should be
	/*
	 * Do not relabel the file if the matching specification is
	 * <<none>> or the file is already labeled according to the
	 * specification.
	 */
	if ((strcmp(newcon, "<<none>>") == 0) ||
	    (context && (strcmp(context, newcon) == 0))) {
		freecon(context);
		goto out;
	}
I will provide a patch and update.
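An added example, not code from this thread or from setfiles itself, that isolates the decision discussed above: the quoted predicate with and without the !force clause, run over a constructed set of paths in the style of the /srv line Eric quoted, to show that under -F the old rule reports an unchanged context as "reset" while the corrected rule does not. The paths and contexts are made up for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Predicate as quoted from setfiles: with force set, the "already labeled"
 * shortcut is skipped, so an unchanged context is still relabeled.
 * Returns 1 when the file would be relabeled (and reported as "reset"). */
int relabel_old(const char *context, const char *newcon, int force)
{
    if (strcmp(newcon, "<<none>>") == 0)
        return 0;
    if (context && strcmp(context, newcon) == 0 && !force)
        return 0;
    return 1;
}

/* Same predicate with the !force clause removed, as proposed above: a
 * context that already matches the spec is never touched, -F or not. */
int relabel_fixed(const char *context, const char *newcon, int force)
{
    if (strcmp(newcon, "<<none>>") == 0)
        return 0;
    if (context && strcmp(context, newcon) == 0)
        return 0;
    return 1;   /* force plays no part in the "already correct" shortcut */
}

/* Constructed sample: current on-disk context vs. the file_contexts spec. */
struct entry { const char *path; const char *current; const char *spec; };
static const struct entry files[] = {
    { "/srv",     "system_u:object_r:var_t:s0",     "system_u:object_r:var_t:s0" },
    { "/srv/www", "unconfined_u:object_r:var_t:s0", "system_u:object_r:var_t:s0" },
    { "/srv/tmp", "system_u:object_r:tmp_t:s0",     "<<none>>" },
    { "/srv/new", NULL,                              "system_u:object_r:var_t:s0" },
};

/* How many of the sample entries a given rule would relabel. */
int count_relabels(int (*rule)(const char *, const char *, int), int force)
{
    int n = 0;
    for (size_t i = 0; i < sizeof files / sizeof files[0]; i++)
        n += rule(files[i].current, files[i].spec, force);
    return n;
}

int main(void)
{
    printf("old rule, -F:   %d relabels\n", count_relabels(relabel_old, 1));
    printf("fixed rule, -F: %d relabels\n", count_relabels(relabel_fixed, 1));
    return 0;
}
```

Only /srv differs between the two counts: the old rule relabels it under -F although nothing changes, which is exactly the noise in the restorecon output above.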