Gentoo Archives: gentoo-portage-dev

From: Brian Dolbec <dolsen@g.o>
To: gentoo-portage-dev@l.g.o
Subject: Re: [gentoo-portage-dev] [PATCH] Force the SELinux user during relabel operation (530192)
Date: Tue, 25 Nov 2014 20:25:21
Message-Id: 20141125122503.7bcb57c4.dolsen@gentoo.org
In Reply to: [gentoo-portage-dev] [PATCH] Force the SELinux user during relabel operation (530192) by Zac Medico
1 On Tue, 25 Nov 2014 10:22:44 -0800
2 Zac Medico <zmedico@g.o> wrote:
3
4 > From: Sven Vermeulen <sven.vermeulen@××××××.be>
5 >
6 > When Portage relabels the files of the package, it currently calls
7 > setfiles (which is correct) but does not use the -F option (force).
8 > As a result, the files only get assigned the right SELinux type, but
9 > not the right SELinux user and SELinux role.
10 >
11 > By using "setfiles -F", the SELinux user (and role, but role almost
12 > always remains "object_r") is set to the right one (system_u mostly).
13 >
14 > Without this, a multi-user system with different SELinux users and
15 > with User Based Access Control (UBAC) enabled (the local "ubac" USE
16 > flag) might find that some software fails to work for different
17 > SELinux users than the one used to install the software, until a full
18 > forced relabel operation is done.
19 >
20 > X-Gentoo-Bug: 530192
21 > X-Gentoo-Url: https://bugs.gentoo.org/show_bug.cgi?id=530192
22 > ---
23 > bin/misc-functions.sh | 2 +-
24 > 1 file changed, 1 insertion(+), 1 deletion(-)
25 >
26 > diff --git a/bin/misc-functions.sh b/bin/misc-functions.sh
27 > index 6e6fcb4..8d5df78 100755
28 > --- a/bin/misc-functions.sh
29 > +++ b/bin/misc-functions.sh
30 > @@ -392,7 +392,7 @@ preinst_selinux_labels() {
31 > addwrite /selinux/context
32 > addwrite /sys/fs/selinux/context
33 >
34 > - /usr/sbin/setfiles
35 > "${file_contexts_path}" -r "${D}" "${D}"
36 > + /usr/sbin/setfiles -F
37 > "${file_contexts_path}" -r "${D}" "${D}" ) || die "Failed to set
38 > SELinux security labels." else
39 > # nonfatal, since merging can happen outside
40 > a SE kernel
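Review bot: the `-F` added to the `/usr/sbin/setfiles` call in `preinst_selinux_labels()` carries no in-code explanation, so the reason for forcing (resetting the SELinux user and role, not only the type, which matters with UBAC) lives only in the commit message. A one-line comment above the call would stop someone from later dropping the flag as redundant. Separately, the `-`/`+` lines and the `|| die "Failed to set SELinux security labels." else` context appear folded by the mailer in this quoted copy, so the patch as shown here is unlikely to apply cleanly. It is worth confirming the original was sent unwrapped.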
41
42 It's fine with me if you're fine with it. I just thought you would have
43 acked it in the bug.
44
45 --
46 Brian Dolbec <dolsen>
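
The distinction the commit message draws, between files a plain relabel repairs and files that keep the installer's SELinux user or role until a forced relabel, sketched as an added example that is not part of the patch or of Portage. The three-column input format, the function names and the sample contexts are constructed for illustration; on a real system the expected context would come from the policy's file_contexts.

```sh
#!/bin/sh
# Added example: classify SELinux label mismatches by whether a non-forced
# relabel would fix them. Assumed (constructed) input format, one file per line:
#   <path> <actual_context> <expected_context>
# Contexts are user:role:type[:range]; paths containing spaces are not handled.

classify_labels() {
    awk '
    NF == 3 {
        split($2, a, ":"); split($3, e, ":")
        if (a[1] != e[1] || a[2] != e[2])
            # user or role differs: a relabel without -F leaves this in place
            verdict = "needs-force"
        else if (a[3] != e[3])
            # only the type differs: a plain relabel already corrects it
            verdict = "fixed-by-plain-relabel"
        else
            verdict = "ok"
        print verdict, $1
    }'
}

# Count the files that would stay mislabelled after a non-forced relabel.
count_needs_force() {
    classify_labels | awk '$1 == "needs-force" { n++ } END { print n + 0 }'
}

# Constructed sample: a package installed by a staff_u administrator.
sample_labels() {
    cat <<'EOF'
/usr/bin/foo staff_u:object_r:bin_t system_u:object_r:bin_t
/usr/lib/libfoo.so system_u:object_r:lib_t system_u:object_r:lib_t
/etc/foo.conf staff_u:object_r:usr_t system_u:object_r:etc_t
/var/lib/foo system_u:object_r:usr_t system_u:object_r:var_lib_t
EOF
}

sample_labels | classify_labels
```
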