Re: [apt-rpm] apt and selinux (was: Re: restorecon vs. setfiles)

On Mon, Jun 28, 2004 at 02:53:52PM -0400, Stephen Smalley wrote:
> On Mon, 2004-06-28 at 09:11, Panu Matilainen wrote:
> > I wouldn't call it an apt-problem, you just need to put it into the same 
> > context as rpm. This should already be the case on Fedora Core 2, dunno 
> > about upstream selinux policy packages - this is from stock FC2 
> > /etc/security/selinux/src/policy/file_contexts/program/rpm.fc:
> > /usr/bin/apt-get        --      system_u:object_r:rpm_exec_t
> > /usr/bin/apt-shell      --      system_u:object_r:rpm_exec_t
> > /usr/bin/synaptic   --          system_u:object_r:rpm_exec_t

The context is not the problem. I'm running the targeted policy from
FCdev, which makes both /bin/rpm and /usr/bin/apt*
system_u:object_r:bin_t. rpm works fine, however, whereas apt-get does
not.

> It isn't just a policy issue; rpm had to be modified for SELinux to
> set file security contexts when creating files.  Those changes are in
> the upstream rpm, and yum seems to work as expected when updating.

I believe apt needs similar modifications. The attached patch to apt
fixes the problem for me. I'm not too familiar with rpm, apt, or selinux
internals, so this patch might need some work.  I just took the code
from rpm's lib/rpminstall.c/rpmInstall() function which seemed to be
missing in apt's apt-pkg/rpm/rpmpm.cc/pkgRPMLibPM::Process() function.

Before the patch, running "apt-get install --reinstall zlib" produced
this result:
    # rpm -q --fscontext zlib
    /usr/lib/libz.so.1      root:object_r:lib_t
    /usr/lib/libz.so.1.2.1.1        root:object_r:lib_t
    /usr/share/doc/zlib-1.2.1.1     system_u:object_r:usr_t
    /usr/share/doc/zlib-1.2.1.1/README      system_u:object_r:usr_t

After the patch, running "apt-get install --reinstall zlib" produced
this result:
    # rpm -q --fscontext zlib
    /usr/lib/libz.so.1      system_u:object_r:lib_t
    /usr/lib/libz.so.1.2.1.1        system_u:object_r:shlib_t
    /usr/share/doc/zlib-1.2.1.1     system_u:object_r:usr_t
    /usr/share/doc/zlib-1.2.1.1/README      system_u:object_r:usr_t

The correct result, according to rpm, is the second one:
    # rpm -q --recontext zlib
    /usr/lib/libz.so.1      system_u:object_r:lib_t
    /usr/lib/libz.so.1.2.1.1        system_u:object_r:shlib_t
    /usr/share/doc/zlib-1.2.1.1     system_u:object_r:usr_t
    /usr/share/doc/zlib-1.2.1.1/README      system_u:object_r:usr_t

gary

--- apt-0.5.15cnc6/apt-pkg/rpm/rpmpm.cc.selinux	2004-06-28 17:30:52.996194951 -0400
+++ apt-0.5.15cnc6/apt-pkg/rpm/rpmpm.cc	2004-06-28 17:45:12.394104099 -0400
@@ -778,6 +778,21 @@
    TS = rpmtransCreateSet(DB, Dir.c_str());
 #endif
 
+#if RPM_VERSION >= 0x040300
+   if (!(tsFlags & RPMTRANS_FLAG_NOCONTEXTS)) {
+      rpmsx sx = rpmtsREContext(TS);
+      if (sx == NULL) {
+         const char *fn = rpmGetPath("%{?_install_file_context_path}", NULL);
+         if (fn != NULL && *fn != '\0') {
+            sx = rpmsxNew(fn);
+            (void) rpmtsSetREContext(TS, sx);
+         }
+         fn = (const char *) _free(fn);
+      }
+      sx = rpmsxFree(sx);
+   }
+#endif
+
    if (_config->FindB("RPM::OldPackage", true) || !upgrade.empty()) {
       probFilter |= RPMPROB_FILTER_OLDPACKAGE;
    }
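Review bot: the two failure paths in this block are silent, and both reproduce the unlabeled-file result the mail describes: if `%{?_install_file_context_path}` expands to an empty string the `*fn != '\0'` test skips labelling entirely, and if `rpmsxNew(fn)` returns NULL the transaction is handed a NULL REContext and files are still created without contexts. A warning in each case (apt's `_error->Warning()` would fit) before falling through would make the next "apt leaves files as bin_t/root:object_r" report diagnosable. The `sx = rpmsxFree(sx)` after `rpmtsSetREContext(TS, sx)` is fine only because the set call takes its own reference, which matches the rpmInstall() code the mail says it was copied from; a one-line comment saying so would stop a later reader from "fixing" it.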
@@ -921,6 +936,10 @@
 	          Opts->Value == "--excludeconfigs")
 	    *tsFlags |= RPMTRANS_FLAG_NOCONFIGS;
 #endif
+#if RPM_VERSION >= 0x040300
+	 else if (Opts->Value == "--nocontexts")
+            *tsFlags |= RPMTRANS_FLAG_NOCONTEXTS;
+#endif
 
 	 // Problem filter flags
 	 else if (Opts->Value == "--replacefiles")
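Review bot: `--nocontexts` is added to the option chain without any documentation; since it turns off SELinux labelling for the whole transaction, it belongs wherever the other RPM::Options values (`--excludeconfigs`, `--replacefiles`) are described, and a debug message when the flag is set would help when someone later asks why a package came out unlabeled. Style: the new `*tsFlags |= RPMTRANS_FLAG_NOCONTEXTS;` line is indented with spaces while the surrounding chain uses tabs (the `else if` lines around it), so match the file's tab indentation.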

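As an added example (not part of the mail, and not apt's or rpm's own code): a small POSIX shell script that does mechanically what gary does by eye above, comparing the contexts rpm recorded for a package's files on disk (`rpm -q --fscontext PKG`) with the contexts the loaded policy assigns (`rpm -q --recontext PKG`) and listing every file whose two labels differ. The two listings are constructed inline from the mail's zlib output so the script runs without rpm; the function names are mine.

```shell
#!/bin/sh
# Added example: detect package files whose on-disk SELinux context differs
# from what the current policy says it should be. On a live system replace
# the constructed listings with real output, e.g.
#   rpm -q --fscontext zlib > fs.txt; rpm -q --recontext zlib > policy.txt

# Constructed input: the "before the patch" --fscontext listing from the mail.
FS_LIST=$(mktemp)
cat > "$FS_LIST" <<'EOF'
/usr/lib/libz.so.1      root:object_r:lib_t
/usr/lib/libz.so.1.2.1.1        root:object_r:lib_t
/usr/share/doc/zlib-1.2.1.1     system_u:object_r:usr_t
/usr/share/doc/zlib-1.2.1.1/README      system_u:object_r:usr_t
EOF

# Constructed input: the --recontext listing, i.e. what policy expects.
POLICY_LIST=$(mktemp)
cat > "$POLICY_LIST" <<'EOF'
/usr/lib/libz.so.1      system_u:object_r:lib_t
/usr/lib/libz.so.1.2.1.1        system_u:object_r:shlib_t
/usr/share/doc/zlib-1.2.1.1     system_u:object_r:usr_t
/usr/share/doc/zlib-1.2.1.1/README      system_u:object_r:usr_t
EOF

# Print "PATH ON-DISK-CONTEXT EXPECTED-CONTEXT" for every path that appears
# in both listings with different contexts.
#   $1: --fscontext output   $2: --recontext output
# The policy file is read first (matched via FILENAME so an empty policy
# file cannot make every fs line look like a policy line).
context_mismatches() {
    awk 'FILENAME == ARGV[1] { expected[$1] = $2; next }
         ($1 in expected) && expected[$1] != $2 { print $1, $2, expected[$1] }' \
        "$2" "$1"
}

# Number of mismatching files; 0 means the package is labelled as policy wants.
context_mismatch_count() {
    context_mismatches "$1" "$2" | awk 'END { print NR }'
}

echo "Files whose on-disk context differs from policy:"
context_mismatches "$FS_LIST" "$POLICY_LIST"
echo "mismatches: $(context_mismatch_count "$FS_LIST" "$POLICY_LIST")"
```

Run against the mail's data it reports the two /usr/lib/libz.so.1* entries, which is exactly the pair the patch fixes; after a corrected install the count should be 0. A non-zero count from a cron job is a cheap way to notice when some package manager other than rpm has been creating files without consulting the file-context policy.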