On Tue, 25 Nov 2014 10:22:44 -0800
Zac Medico <zmedico@g.o> wrote:

> From: Sven Vermeulen <sven.vermeulen@××××××.be>
>
> When Portage relabels the files of the package, it currently calls
> setfiles (which is correct) but does not use the -F option (force).
> As a result, the files only get assigned the right SELinux type, but
> not the right SELinux user and SELinux role.
>
> By using "setfiles -F", the SELinux user (and role, but role almost
> always remains "object_r") is set to the right one (system_u mostly).
>
> Without this, a multi-user system with different SELinux users and
> with User Based Access Control (UBAC) enabled (the local "ubac" USE
> flag) might find that some software fails to work for different
> SELinux users than the one used to install the software, until a full
> forced relabel operation is done.
>
> X-Gentoo-Bug: 530192
> X-Gentoo-Url: https://bugs.gentoo.org/show_bug.cgi?id=530192
> --- |
> bin/misc-functions.sh | 2 +- |
> 1 file changed, 1 insertion(+), 1 deletion(-) |
> |
> diff --git a/bin/misc-functions.sh b/bin/misc-functions.sh |
> index 6e6fcb4..8d5df78 100755 |
> --- a/bin/misc-functions.sh |
> +++ b/bin/misc-functions.sh |
> @@ -392,7 +392,7 @@ preinst_selinux_labels() { |
> addwrite /selinux/context |
> addwrite /sys/fs/selinux/context |
> |
> - /usr/sbin/setfiles |
> "${file_contexts_path}" -r "${D}" "${D}" |
> + /usr/sbin/setfiles -F |
> "${file_contexts_path}" -r "${D}" "${D}" ) || die "Failed to set |
> SELinux security labels." else |
> # nonfatal, since merging can happen outside |
> a SE kernel |
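
Review bot: the -F added to the /usr/sbin/setfiles call in preinst_selinux_labels() carries no comment in the script, so the reason for forcing (without it only the SELinux type is set, not the user and role, per the commit message) is recoverable only from the log. Suggest a short comment above the call, for example "# -F: also reset SELinux user and role, not only the type (bug 530192)", so the flag is not dropped in a later cleanup of misc-functions.sh.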
|
It's fine with me if you're fine with it. I just thought you would have
acked it in the bug.

--
Brian Dolbec <dolsen>