Re: rpm and SElinux attributes


On Mar 21, 2007, at 9:37 AM, Valery Reznic wrote:

> --- Jeff Johnson <n3npq.jbj@xxxxxxxxx> wrote:
>
>> The idea of attaching a file context statically to a path in a *.rpm
>> is naive.
>
> You mind there is no such information in the *.rpm ?

It's not up to me to dictate what is in a *.rpm, so I don't "mind".

What is b0rken is that SELinux policy does not have a reasonable
concept of a release, but rather has a policy-of-the-day with regressions
and changes and incompatibilities and more. Without a reasonable concept
of a release, it's impossible to shrink wrap SELinux policy packaging,
in *.rpm or otherwise.

> And rpm just use current SELinux policy to set files'
> contents during install ?

rpm is responsible for doing a lsetfilecon() for each installed path,
as well as permitting libselinux to change the security labels of
exec'd scripts.

> If yes, what are FILECONTEXTS/FSCONTEXTS/RECONTEXTS
> tags about ?

The tags exist so that 3 (possible) sources of file contexts can be
accessed through rpm. The 3 sources are
    1) file contexts from packaging
    2) file contexts from the file system
    3) file contexts from SELinux regex configuration

AFAIK, only 3) is ever used to set file contexts, and the information
comes from SELinux configuration, not from packages.

73 de Jeff

_______________________________________________
Rpm-list mailing list
Rpm-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/rpm-list
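
An added illustration of the three sources listed in the message above (not code from rpm, libselinux or the thread): a small Python model of regex-based file-context lookup, showing how a label recorded at package build time goes stale once policy changes. The policy snippets, the `exampled` path and its types are constructed, and "last matching line wins" is an assumed simplification of libselinux's ordering.

```python
import re

# Constructed file_contexts snippets for two policy builds (not real policy).
# Line format: path-regex [file-type] context
POLICY_A = """\
/.*                       system_u:object_r:default_t:s0
/usr/sbin/.*         --   system_u:object_r:bin_t:s0
/usr/sbin/exampled   --   system_u:object_r:exampled_exec_t:s0
"""
POLICY_B = """\
/.*                       system_u:object_r:default_t:s0
/usr/sbin/.*         --   system_u:object_r:bin_t:s0
"""

def parse_file_contexts(text):
    """Return [(compiled_regex, file_type_or_None, context)] in file order."""
    specs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) == 2:
            pattern, ftype, context = fields[0], None, fields[1]
        else:
            pattern, ftype, context = fields[:3]
        specs.append((re.compile(pattern), ftype, context))
    return specs

def lookup(specs, path, ftype="--"):
    """Source 3: label from policy regexes. Assumption: last matching line wins."""
    for regex, spec_type, context in reversed(specs):
        if spec_type in (None, ftype) and regex.fullmatch(path):
            return None if context == "<<none>>" else context
    return None

def compare_sources(path, packaged, on_disk, specs):
    """Compare packaged (1), file system (2) and policy (3) labels for a path."""
    policy = lookup(specs, path)
    return {"policy": policy,
            "package_stale": packaged is not None and packaged != policy,
            "needs_relabel": on_disk != policy}

if __name__ == "__main__":
    # Label recorded when the package was built against POLICY_A (constructed).
    built = lookup(parse_file_contexts(POLICY_A), "/usr/sbin/exampled")
    # Installed later on a host running POLICY_B; the file is still unlabeled.
    print(compare_sources("/usr/sbin/exampled", built, None,
                          parse_file_contexts(POLICY_B)))
```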
