| 1 |
On Thu, Aug 21, 2014 at 06:46:37PM +0000, Sven Vermeulen wrote: |
| 2 |
> On Thu, Aug 21, 2014 at 10:42:21PM +0400, Jason Zaman wrote: |
| 3 |
> > > Something like so (which we can do in the selinux-policy-2.eclass): |
| 4 |
> > > |
| 5 |
> > > pkg_postinst() { |
| 6 |
> > > # Find all packages with this package in their RDEPEND |
| 7 |
> > > PKGSET=$(equery -q depends ${CATEGORY}/${PN}) |
| 8 |
> > > for PKG in ${PKGSET}; |
| 9 |
> > > do |
| 10 |
> > > rlpkg ${PKG}; |
| 11 |
|
| 12 |
I tested it just now and its working fine for me :) |
| 13 |
|
| 14 |
rlpkg can take many packages on the commandline at once which is easier |
| 15 |
and likely faster than a for loop. |
| 16 |
I replaced the loop with: |
| 17 |
if [ x"${PKGSET}" != "x" ]; then |
| 18 |
rlpkg ${PKGSET}; |
| 19 |
fi |
| 20 |
|
| 21 |
We may also want to grep -v "sec-policy/selinux-", they all depend on |
| 22 |
base-policy so it has a lot of relabelling which is probably not needed. |
| 23 |
|
| 24 |
Also, I noticed some parts of the eclass use "if [" and some use "if [[", |
| 25 |
being more consistent would probably be good. |
| 26 |
|
| 27 |
> > > done |
| 28 |
> > > } |
| 29 |
> > |
| 30 |
> > This looks like it would work apart from the optional equery. What about |
| 31 |
> > if the user does not want something relabelled after updating if they |
| 32 |
> > have special circumstances? We might want a way to say don't touch this |
| 33 |
> > package I'll do it myself. Alternatively the user would just have to set |
| 34 |
> > it in semange fcontext and it'll be fine. |
| 35 |
> |
| 36 |
> Do you have a specific situation in mind? As far as I see, the relabeling is |
| 37 |
> an almost mandatory step (even right now). What users can (and should) do if |
| 38 |
> they don't want the default labels is to define their own labels and policy, |
| 39 |
> and in those cases the relabeling operation (by rlpkg) will be correct |
| 40 |
> anyway (as it uses the SELinux context definitions on the system). |
| 41 |
|
| 42 |
Yeah it was mostly theoretical. I think its reasonable to say that a |
| 43 |
user needs to use semanage fcontext instead of chcon. chcon would be |
| 44 |
fine for temporary things or things not managed by portage (eg /home). |
| 45 |
|
| 46 |
-- Jason |
Archives