Hello List.
I have an rpm for an selinux policy for a custom CentOS 5.3 distribution. When I install it, I use pre/post install scripts to back up the previous file contexts and run "fixfiles -C ${FILE_CONTEXT}.pre restore" as in the standard selinux-policy-targeted rpm.
On an upgrade, old httpd_sys_content_t files are not being updated to public_content_rw_t because httpd_sys_content_t is in the customizable_types file.
According to the fixfiles man page, -F should "Force reset of context to match file_context for customizable files", but when I added it, it made no difference. I had a look at the fixfiles script, and indeed it looks as if -F doesn't work with -C. Is that correct, or did I miss something?
Is there a recommended way to do that?
Moray. "To err is human. To purr, feline"
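The upgrade problem described in the message above, as an added example (not part of the original post and not code from fixfiles): a helper that compares the saved and the new file_contexts and lists the specs whose previous type is in customizable_types, which restorecon leaves unchanged unless -F is given. The function names, the /srv paths and the sample entries are constructed for illustration, and the type named in the old spec is assumed to be the label the files still carry.

```sh
#!/bin/sh
# Added example, not taken from fixfiles.
# List file_contexts specs whose type changed between two policy versions AND
# whose old type is customizable: files carrying such a type are skipped by
# restorecon unless -F is given.
# usage: needs_force OLD_FILE_CONTEXTS NEW_FILE_CONTEXTS CUSTOMIZABLE_TYPES
needs_force() {
    awk '
        # type is the third colon-separated field of user:role:type[:level]
        function fctype(ctx,   p) { split(ctx, p, ":"); return p[3] }
        # a spec is the path regex plus the optional file type flag (-d, -- ...)
        function spec() { return (NF == 3) ? $1 " " $2 : $1 }
        NF == 0 || $1 ~ /^#/ { next }                            # blank lines, comments
        FILENAME == ARGV[1] { custom[$1] = 1; next }             # customizable_types
        FILENAME == ARGV[2] { old[spec()] = fctype($NF); next }  # previous file_contexts
        { k = spec(); t = fctype($NF) }                          # new file_contexts
        (k in old) && old[k] != t && (old[k] in custom) { print k, old[k], "->", t }
    ' "$3" "$1" "$2"
}

# Constructed sample data: one spec moves away from a customizable type,
# one moves between two non-customizable types.
demo() (
    d=$(mktemp -d)
    printf '%s\n' httpd_sys_content_t public_content_rw_t > "$d/customizable_types"
    printf '%s\n' \
        '/srv/site(/.*)?  system_u:object_r:httpd_sys_content_t:s0' \
        '/srv/logs(/.*)?  system_u:object_r:var_log_t:s0' > "$d/file_contexts.pre"
    printf '%s\n' \
        '/srv/site(/.*)?  system_u:object_r:public_content_rw_t:s0' \
        '/srv/logs(/.*)?  system_u:object_r:httpd_log_t:s0' > "$d/file_contexts"
    needs_force "$d/file_contexts.pre" "$d/file_contexts" "$d/customizable_types"
    rm -rf "$d"
)

demo
```

Only the /srv/site spec is reported: its old type is customizable, so those files keep httpd_sys_content_t after a plain restore.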
On 10/05/2009 10:20 AM, Moray Henderson (ICT) wrote:
> Hello List.
> I have an rpm for an selinux policy for a custom CentOS 5.3 distribution. When I install it, I use pre/post install scripts to back up the previous file contexts and run "fixfiles -C ${FILE_CONTEXT}.pre restore" as in the standard selinux-policy-targeted rpm.
> On an upgrade, old httpd_sys_content_t files are not being updated to public_content_rw_t because httpd_sys_content_t is in the customizable_types file.
> According to the fixfiles man page, -F should "Force reset of context to match file_context for customizable files", but when I added it, it made no difference. I had a look at the fixfiles script, and indeed it looks as if -F doesn't work with -C. Is that correct, or did I miss something?
> Is there a recommended way to do that?
> Moray. "To err is human. To purr, feline"
> -- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Fix fixfiles and send a patch. :^(
Daniel wrote:
> Fix fixfiles and send a patch. :^(
Sorry for delay - I was at a training course, then recovering from the cold I caught at the training course...
I am working on fixing the fixfiles script, but it looks more complicated than I thought, as I'm also trying to bring the usage info and man page into line with how the script actually behaves.
As far as I can see, the "-o outputfile" option has never worked: it just adds the name of the output file to the restorecon or setfiles commands without the -o option to say that it's an output option. In addition, it won't work at all with the verify command because that uses its own -o option.
I would therefore vote for removing -o from fixfiles altogether, but if you really want it there and working, I'll see what I can do. Let me know what you think.
In addition to fixfiles, I have also documented the -p option to both restorecon and setfiles, and brought their usage info and man pages into line.
Moray. "To err is human. To purr, feline"
On 10/20/2009 10:14 AM, Moray Henderson (ICT) wrote:
> Sorry for delay - I was at a training course, then recovering from the cold I caught at the training course...
> I am working on fixing the fixfiles script, but it looks more complicated than I thought, as I'm also trying to bring the usage info and man page into line with how the script actually behaves.
> As far as I can see, the "-o outputfile" option has never worked: it just adds the name of the output file to the restorecon or setfiles commands without the -o option to say that it's an output option. In addition, it won't work at all with the verify command because that uses its own -o option.
> I would therefore vote for removing -o from fixfiles altogether, but if you really want it there and working, I'll see what I can do. Let me know what you think.
> In addition to fixfiles, I have also documented the -p option to both restorecon and setfiles, and brought their usage info and man pages into line.
> Moray. "To err is human. To purr, feline"
I have no problem with removing the -o option. I don't think anyone uses it.
Hi Daniel,
Here are my patches for fixfiles and the documentation.
The restorecon & setfiles patches are simple: document the -p option and bring usage and man pages into line.
The fixfiles patch:
- enables -F with -C
- removes -o option
- corrects "[-F] relabel" in man page
- brings man page and usage into line with script behaviour
It is still possible to combine fixfiles options that don't make sense together, such as -R with relabel, or -R with -C, but at least the right combinations are in the documentation.
These patches were made against policycoreutils-1.33.12-14.2.el5.src.rpm, but most of the fixes are still valid against the fc11 version.
I hope you like them ;-)
Moray. "To err is human. To purr, feline"
On 10/21/2009 11:54 AM, Moray Henderson (ICT) wrote:
> Hi Daniel,
> Here are my patches for fixfiles and the documentation.
> The restorecon & setfiles patches are simple: document the -p option and bring usage and man pages into line.
> The fixfiles patch:
> - enables -F with -C
> - removes -o option
> - corrects "[-F] relabel" in man page
> - brings man page and usage into line with script behaviour
> It is still possible to combine fixfiles options that don't make sense together, such as -R with relabel, or -R with -C, but at least the right combinations are in the documentation.
> These patches were made against policycoreutils-1.33.12-14.2.el5.src.rpm, but most of the fixes are still valid against the fc11 version.
> I hope you like them ;-)
> Moray. "To err is human. To purr, feline"
I have applied your packages to the Fedora 12 policycoreutils package and will send them upstream. These fixes will be in RHEL6 and we are investigating getting them into RHEL5.5.
Thank you.
selinux@lists.fedoraproject.org