On 11/30/2010 04:56 AM, Paul Howarth wrote:
> On 30/11/10 08:38, Toshio Kuratomi wrote:
>> On Tue, Nov 30, 2010 at 03:11:43AM -0500, Akira TAGOH wrote:
>>> | 2) The act of installing the rpm should create the necessary directories.
>>> | Alternately, the program (or as you say, the init script) can create the
>>> | necessary directories. Note that I don't believe that systemd gives you the
>>> | flexibility to do that sort of thing (there's no "script" in its init stuff)
>>> | so you'd need a wrapper script for the program itself or write a patch to
>>> | the program itself to achieve this where the program doesn't create the
>>> | directory already and if we don't do this from within the rpm payload.
>>>
>>> To get this working on SELinux, are we presuming that restorecond is running on the system or does the package maintainer need to take care of running restorecon manually in the script or the program?
>>>
>> I thought lennart mentioned something about selinux and tmpfiles.d defined
>> directories but I could be misremembering.
>
> Files/directories created as a result of tmpfiles.d entries will have
> the correct SELinux contexts.
>
> Files/directories created by an initscript will probably need to have
> restorecon run on them to set the correct context (which of course can
> be done in the initscript).
>
> Files/directories created at startup by a daemon may or may not have the
> correct SELinux contexts depending on whether the necessary transition
> rules are in the policy. If they're not set correctly, it would be a
> good idea to raise a bug on selinux-policy to address that.
>
> Paul.

Yes. As we see them we are fixing them. setroubleshoot had a fix go in yesterday, one to create the directory if it does not exist and secondly selinux policy was modified to create the directory with the correct context.

It is usually better to have the daemon create the directory than to rely on tmpfiles.d to create it, and then we can have SELinux do the right thing. I think we should not ghost the directories in the spec file but allow rpm to create them with the correct context, as long as rpm -qV works correctly when the directory is recreated. If we have to ghost the directories and people create the directories in the post install, they will need to run restorecon on the directory:

mkdir /var/run/FOOBAR
restorecon /var/run/FOOBAR
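The two provisioning paths the thread compares, written out as an added example (this is not code from the thread or from any Fedora package). The directory name /var/run/FOOBAR comes from the message above; the service user and group "foobar" and the 0755 mode are assumptions. The tmpfiles.d fragment relies on systemd-tmpfiles labelling what it creates; the shell fallback is the initscript/%post pattern, where mkdir alone would leave the directory with its parent's context and restorecon is what applies the policy's label.

```shell
#!/bin/sh
# Added example, not from the thread. FOOBAR, the foobar user/group and the
# 0755 mode are assumptions standing in for a real daemon.

# 1) Declarative: emit a tmpfiles.d line ("d <path> <mode> <user> <group> <age>").
#    systemd-tmpfiles creates the directory with the correct SELinux context,
#    so no restorecon step is needed on this path.
tmpfiles_fragment() {
    # $1 = directory, $2 = owner, $3 = group
    printf 'd %s 0755 %s %s -\n' "$1" "$2" "$3"
}

# 2) Imperative fallback for an initscript or %post: create the directory,
#    then run restorecon so it gets the type the policy expects rather than
#    inheriting the generic label of /var/run.
ensure_runtime_dir() {
    dir=$1
    mkdir -p "$dir" || return 1
    chmod 0755 "$dir" || return 1
    # restorecon only exists on SELinux hosts; skipping it elsewhere is harmless.
    if command -v restorecon >/dev/null 2>&1; then
        restorecon "$dir" || return 1
    fi
    [ -d "$dir" ]
}

# 3) Check: on an SELinux-enabled host, show the resulting label so the
#    packager can confirm it matches the daemon's runtime type.
show_context() {
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled 2>/dev/null; then
        ls -Zd "$1"
    else
        echo "SELinux not enabled; no context to check for $1"
    fi
}

# Usage (the fragment would normally be installed as /etc/tmpfiles.d/foobar.conf):
#   tmpfiles_fragment /var/run/FOOBAR foobar foobar
#   ensure_runtime_dir /var/run/FOOBAR && show_context /var/run/FOOBAR
```

Run show_context after either path on a host with SELinux enforcing; if the label is still the parent's generic type after a daemon created the directory itself, that is the case Paul describes where a transition rule is missing from selinux-policy.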