SELinux Mailing List

Re: Making Fedora a contributor friendly environment

From: Karl MacMillan <kmacmill_at_redhat.com>
Date: Thu, 10 May 2007 11:49:20 -0400


[CC'd the selinux development list so that the developers are aware of these issues]

On Thu, 2007-05-10 at 16:50 +0200, Till Maas wrote:
> On Do Mai 10 2007, Karl MacMillan wrote:
>
> > When selinux is turned on again a full relabel of the filesystem is done
> > to correct these problems. If the custom file context wasn't added to
> > the database of file contexts (via a module or semanage) the file is set
> > to the default label.
>
> So will chcon in a scriptlet work, when an rpm is installed while selinux is
> not active?
>

Unfortunately it won't - does semanage / semodule work in this instance (it probably should so that users can turn selinux back on after disabling and doing package management).

> > Not sure what you mean - you should be able to run semanage in a post.
> > Perhaps you should also need to do chcon (as opposed to restorecon)
> > because the command may not have run before the file was created.
>
> When I tested semanage, the problem occurred of how to update the labels with
> semanage, e.g. when the regex is changed that describes which files should be
> labeled in a certain way, and when one wants to remove the old labels when
> uninstalling the package. E.g.
>
> version 1 of the package:
>
> %post
> semanage add RULE1
> %postun
> semanage remove RULE1
>
> As far as I understand rpm, when updating the release of version 1, first
> semanage add RULE1 from release two runs from %post and then
> semanage remove RULE1 from release one. This effectively removes the rule from
> the /etc/selinux, because identical rules seem not to be added more than once
> to /etc/selinux. When I restrict the %postun only to complete removals of the
> package,

Which seems like the right answer.

> then when one changes the RULES, e.g. in a version 2:
>
> %post
> semanage add RULE2
> %postun
> semanage remove RULE2
>
> then RULE1 will not be removed (it is not the final remove). Then every
> release has to include "semanage remove RULE1" in "%post" maybe forever. I
> hope you understand the problem I try to describe, because I did not really
> use the correct selinux-terms.
>

Seems like there are two cases:

  1. The context changes but the file spec stays the same - blindly adding should always work here (it will overwrite the old file context).
  2. The file spec changes (doesn't matter if the context changes) - you will have to carry around the removal in the post forever.

> I would be happy, if I am wrong with this. But if this problem is not solvable
> with semanage, imho semanage is not a good way to add selinux support to a
> package.
>

Maybe - we can make changes as necessary to make it usable.

Karl

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
Received on Thu 10 May 2007 - 11:49:23 EDT
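The scriptlet ordering Till describes and the guard Karl suggests, as an added example that is not part of the thread: a POSIX shell simulation in which `fake_semanage` is a constructed stand-in for semanage's file-context database (it de-duplicates adds, as the message observes), and the scriptlet arguments follow rpm's convention (2 for the new package's %post on upgrade, 1 for the old package's %postun on upgrade, 0 on erase). It also plays out Karl's second case, where the file spec changes between versions and the stale rule is left behind.

```shell
#!/bin/sh
# Constructed stand-in for semanage: rules live one per line in $STORE,
# and an identical rule is never stored twice (as observed in the thread).
STORE="${STORE:-$(mktemp)}"

fake_semanage() {   # usage: fake_semanage add|remove RULE
    case "$1" in
        add)    grep -qxF "$2" "$STORE" 2>/dev/null || echo "$2" >> "$STORE" ;;
        remove) grep -vxF "$2" "$STORE" > "$STORE.tmp" 2>/dev/null || :
                mv "$STORE.tmp" "$STORE" ;;
    esac
}

# Scriptlets as written in the original message: unconditional add/remove.
# $1 is the rpm scriptlet argument, $2 the rule.
post_naive()     { fake_semanage add    "$2"; }
postun_naive()   { fake_semanage remove "$2"; }

# %postun restricted to the final erase ($1 = 0), as Till tried and Karl endorsed.
postun_guarded() { [ "$1" -eq 0 ] && fake_semanage remove "$2"; return 0; }

# On upgrade rpm runs the new package's %post (arg 2) before the old
# package's %postun (arg 1). Simulates release 1 -> release 2 of version 1.
upgrade() {  # upgrade POSTUN_FUNCTION
    : > "$STORE"
    post_naive 1 "RULE1"            # initial install of release 1
    post_naive 2 "RULE1"            # %post of release 2: add is de-duplicated
    "$1" 1 "RULE1"                  # %postun of release 1
}

rule_present() { grep -qxF "$1" "$STORE"; }

# Unconditional %postun: the rule disappears after a plain release bump.
naive_result()   { upgrade postun_naive;   rule_present RULE1 && echo kept || echo lost; }
# Guarded %postun: the rule survives the release bump.
guarded_result() { upgrade postun_guarded; rule_present RULE1 && echo kept || echo lost; }

# Karl's second case: version 2 changes the file spec (RULE2 replaces RULE1).
# The guarded %postun of the old version is a no-op on upgrade, so RULE1 stays.
v2_result() {
    upgrade postun_guarded          # system at version 1 release 2 with RULE1
    post_naive 2 "RULE2"            # %post of version 2
    postun_guarded 1 "RULE1"        # %postun of version 1: no-op, since $1 != 0
    rule_present RULE1 && echo stale || echo clean
}
```

Running `v2_result` shows why a package whose file spec changes must carry the old rule's removal in %post of every later version, as Karl's second case states.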
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009
