On Wed, 17 Oct 2007, Simo Sorce wrote:
> On Wed, 2007-10-17 at 13:11 +0200, Adam Tkac wrote:
>> On Mon, Oct 15, 2007 at 11:31:17PM +0200, Karel Zak wrote:
>>> Couldn't it be better to maintain default selinux labels like other
>>> file attributes?
>>>
>>> %attr(4755,root,root) %selinux(foo_t) /bin/foo
>>
>> I think restorecon is far better than this approach. With this
>> you have two databases of file contexts - first is in specfile and
>> second in selinux-policy*. When you use restorecon you have one
>> centralised database. We will discuss if rpm will automatically run
>> restorecon on all installed files.
>
> Not only that, but a new policy may well change some labels to fix
> errors, and make the package content obsolete. And even dangerous if the
> package maintainer forgets to update it and on a yum update you get back
> the old broken label.

Amen. If the labels were universally set in stone, it might make sense to
store into rpm but as they can and do vary between policy versions,
different policies and local custom policies... RPM is not the place to
store the labels, period.

RPM simply queries the active SELinux policy via libselinux to set labels
on files and directories on install and that works just fine except for
per-package policies (https://bugzilla.redhat.com/show_bug.cgi?id=185434).
Helping that case somehow is one thing, but stuffing the labels into
packages is not the fix.
- Panu -