On Sat, 26 Jun 2004, Gary Peck wrote:

> On Sat, Jun 26, 2004 at 05:12:34PM -0700, Gary Peck wrote:
> > Could this be an issue with apt? I'm actually using apt-get to install
> > these packages. When I tried using "rpm -Uvh ..." directly, it seemed to
> > set the contexts correctly as you say. However, when I did it with
> > apt-get again, I saw the same problem. Here's some files from the
> > mozilla package with their correct contexts:
> >
> > system_u:object_r:shlib_t /usr/lib/mozilla-1.7/components/libaccessibility.so
> > system_u:object_r:shlib_t /usr/lib/mozilla-1.7/components/libaddrbook.so
> > system_u:object_r:shlib_t /usr/lib/mozilla-1.7/components/libappcomps.so
> > system_u:object_r:shlib_t /usr/lib/mozilla-1.7/components/libautoconfig.so
> >
> > Then I run "apt-get install mozilla", which upgrades mozilla from
> > 1.7-0.3.1 to 1.7-0.3.2. Afterwards, these same files (but from the new
> > version of mozilla) have the following contexts:
> >
> > root:object_r:lib_t /usr/lib/mozilla-1.7/components/libaccessibility.so
> > root:object_r:lib_t /usr/lib/mozilla-1.7/components/libaddrbook.so
> > root:object_r:lib_t /usr/lib/mozilla-1.7/components/libappcomps.so
> > root:object_r:lib_t /usr/lib/mozilla-1.7/components/libautoconfig.so
> >
> > I assumed that apt's behaviour should be the same since it's just using
> > rpm underneath, but maybe there's extra rpm API calls that need to be
> > made by apt when it's running on a SELinux system?
> >
> > This is with apt-0.5.15cnc6-0.fdr.11.2, rpm-4.3.2-0.4.
>
> Ok, I'm pretty sure it's an apt problem now. I tried installing the same
> package twice, once with apt using the rpm API directly (apt-get install
> ...), and once with apt calling the rpm binary externally (apt-get -o
> RPM::PM="external" install ...). When using the API, I see the same
> problem as above. When calling the rpm binary, the contexts get set
> correctly.
>
> I've CC'ed the apt-rpm list as it's probably a more appropriate place
> for this discussion. Anyone there care to comment?

I wouldn't call it an apt-problem, you just need to put it into same
context as rpm. This should already be the case on Fedora Core 2, dunno
about upstream selinux policy packages - this is from stock FC2
/etc/security/selinux/src/policy/file_contexts/program/rpm.fc:

/usr/bin/apt-get -- system_u:object_r:rpm_exec_t
/usr/bin/apt-shell -- system_u:object_r:rpm_exec_t
/usr/bin/synaptic -- system_u:object_r:rpm_exec_t

	- Panu -
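
A check in the spirit of the reply above, as an added example that is not part of the original message or of any apt/SELinux tooling: it parses the rpm.fc entries quoted in the reply and flags package-manager front-ends whose file type differs from the one the policy specifies. The observed labels are constructed sample data, the function names are hypothetical, and rule precedence is simplified to "last matching spec wins".

```python
import re

# rpm.fc entries quoted in the reply above (stock FC2 policy).
RPM_FC = """\
/usr/bin/apt-get -- system_u:object_r:rpm_exec_t
/usr/bin/apt-shell -- system_u:object_r:rpm_exec_t
/usr/bin/synaptic -- system_u:object_r:rpm_exec_t
"""

# Constructed sample in "context path" form; not output from a real system.
OBSERVED = """\
system_u:object_r:rpm_exec_t /usr/bin/apt-get
system_u:object_r:bin_t /usr/bin/apt-shell
root:object_r:bin_t /usr/bin/synaptic
"""

def parse_fc(text):
    """Parse file_contexts lines into (compiled path regex, context) pairs."""
    specs = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        # Layout: pathspec [-type] context; "--" limits the rule to regular files.
        specs.append((re.compile(fields[0]), fields[-1]))
    return specs

def expected_context(specs, path):
    """Context of the last spec whose regex matches the whole path, else None."""
    found = None
    for regex, ctx in specs:
        if regex.fullmatch(path):
            found = ctx
    return found

def mislabeled(fc_text, observed_text):
    """Return (path, observed type, expected type) for each type mismatch."""
    specs, findings = parse_fc(fc_text), []
    for line in observed_text.splitlines():
        fields = line.split()
        if len(fields) != 2:
            continue  # skip blank or malformed lines
        ctx, path = fields
        want = expected_context(specs, path)
        if want is not None and ctx.split(":")[2] != want.split(":")[2]:
            findings.append((path, ctx.split(":")[2], want.split(":")[2]))
    return findings

if __name__ == "__main__":
    for path, got, want in mislabeled(RPM_FC, OBSERVED):
        print(f"{path}: labeled {got}, policy expects {want}")
```

Only the type field is compared, so a differing user field alone (root vs. system_u) is not reported.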