From: Sven Vermeulen <sven.vermeulen@××××××.be>

When Portage relabels the files of the package, it currently calls
setfiles (which is correct) but does not use the -F option (force). As a
result, the files only get assigned the right SELinux type, but not the
right SELinux user and SELinux role.

By using "setfiles -F", the SELinux user (and role, but role almost
always remains "object_r") is set to the right one (system_u mostly).

Without this, a multi-user system with different SELinux users and with
User Based Access Control (UBAC) enabled (the local "ubac" USE flag)
might find that some software fails to work for different SELinux users
than the one used to install the software, until a full forced relabel
operation is done.

X-Gentoo-Bug: 530192
X-Gentoo-Url: https://bugs.gentoo.org/show_bug.cgi?id=530192
--- |
bin/misc-functions.sh | 2 +- |
1 file changed, 1 insertion(+), 1 deletion(-) |
|
diff --git a/bin/misc-functions.sh b/bin/misc-functions.sh |
index 6e6fcb4..8d5df78 100755 |
--- a/bin/misc-functions.sh |
+++ b/bin/misc-functions.sh |
@@ -392,7 +392,7 @@ preinst_selinux_labels() { |
addwrite /selinux/context |
addwrite /sys/fs/selinux/context |
|
- /usr/sbin/setfiles "${file_contexts_path}" -r "${D}" "${D}" |
+ /usr/sbin/setfiles -F "${file_contexts_path}" -r "${D}" "${D}" |
) || die "Failed to set SELinux security labels." |
else |
# nonfatal, since merging can happen outside a SE kernel |
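Review bot: The setfiles call in preinst_selinux_labels() gains -F with no comment beside it saying why, so a later cleanup could drop the flag as redundant. A one-line comment above the call, for example that -F is needed so the SELinux user and role are reset and not only the type, would keep the reason with the code. Per setfiles(8), -F also resets the context of files whose current type is customizable; since the target here is the image under "${D}" that is presumably intended, but it would be worth one sentence in the commit message.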
-- |
2.0.4 |