| 1 |
From: Sven Vermeulen <sven.vermeulen@××××××.be> |
| 2 |
|
| 3 |
When Portage relabels the files of the package, it currently calls |
| 4 |
setfiles (which is correct) but does not use the -F option (force). As a |
| 5 |
result, the files only get assigned the right SELinux type, but not the |
| 6 |
right SELinux user and SELinux role. |
| 7 |
|
| 8 |
By using "setfiles -F", the SELinux user (and role, but role almost |
| 9 |
always remains "object_r") is set to the right one (system_u mostly). |
| 10 |
|
| 11 |
Without this, a multi-user system with different SELinux users and with |
| 12 |
User Based Access Control (UBAC) enabled (the local "ubac" USE flag) |
| 13 |
might find that some software fails to work for different SELinux users |
| 14 |
than the one used to install the software, until a full forced relabel |
| 15 |
operation is done. |
| 16 |
|
| 17 |
X-Gentoo-Bug: 530192 |
| 18 |
X-Gentoo-Url: https://bugs.gentoo.org/show_bug.cgi?id=530192 |
| 19 |
--- |
| 20 |
bin/misc-functions.sh | 2 +- |
| 21 |
1 file changed, 1 insertion(+), 1 deletion(-) |
| 22 |
|
| 23 |
diff --git a/bin/misc-functions.sh b/bin/misc-functions.sh |
| 24 |
index 6e6fcb4..8d5df78 100755 |
| 25 |
--- a/bin/misc-functions.sh |
| 26 |
+++ b/bin/misc-functions.sh |
| 27 |
@@ -392,7 +392,7 @@ preinst_selinux_labels() { |
| 28 |
addwrite /selinux/context |
| 29 |
addwrite /sys/fs/selinux/context |
| 30 |
|
| 31 |
- /usr/sbin/setfiles "${file_contexts_path}" -r "${D}" "${D}" |
| 32 |
+ /usr/sbin/setfiles -F "${file_contexts_path}" -r "${D}" "${D}" |
| 33 |
) || die "Failed to set SELinux security labels." |
| 34 |
else |
| 35 |
# nonfatal, since merging can happen outside a SE kernel |
| 36 |
-- |
| 37 |
2.0.4 |
Archives