From: Joshua Brindle <jbrindle@tresys.com>
To: Daniel J Walsh <dwalsh@redhat.com>
Cc: SE Linux <selinux@tycho.nsa.gov>
Subject: Re: We need a tool to extract the file context contents out of a policy package.
Date: Mon, 13 Mar 2006 10:13:34 -0500
Message-ID: <44158C1E.9060507@tresys.com>
In-Reply-To: <44158A89.7040004@redhat.com>

Daniel J Walsh wrote:
> Joshua Brindle wrote:
>> Daniel J Walsh wrote:
>>> If we had this we could do something like
>>>
>>> fixfiles -P mypolicy.pp
>>>
>>> And it would restorecon over the file context.
>>
>> the file contexts in any given package don't represent the file 
>> contexts on the system. Further, you'll lose the homedir and local 
>> entries (and if there are homedir entries present they'll lose their 
>> precedence)
>>
>> what is the problem you are trying to solve? I think we can do this a 
>> better way.
> If I install a package I need a way of relabeling the files that are 
> being installed.  Currently when the policy package gets updated, it 
> does a diff between previous file_context and new file_context and then 
> runs a restorecon on the diff.  We currently ignore homedirs.  Moving to 
> modules, we need similar capabilities.  Relabeling the entire system 
> every time you update a policy module is not going to work.     The 
> current method is not foolproof, but it has been fairly effective over 
> the last couple of years.
> 

We can add diffing/restorecon functionality to semanage. I don't know if 
it is fair to assume that one module's file_contexts won't interact in 
unexpected ways with other modules and base file_contexts so we should 
probably always handle the file_contexts in their entirety and never alone.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
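
Added example (not part of the thread and not code from semanage, fixfiles or any SELinux tool): a sketch of the diff-then-restorecon idea discussed above, comparing a package's entries alone with a diff of the whole combined file_contexts. The function names, the myapp paths and types, and the sample contents are constructed; entries are compared textually and match precedence between overlapping regexes is not modelled.

```python
import posixpath
import re

META = re.compile(r"[.*+?()\[\]{}|\\^$]")   # characters that end the literal prefix

def parse(text):
    """file_contexts text -> {(path_regex, file_type): context}."""
    specs = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        ftype = fields[1] if len(fields) == 3 else ""   # optional "--", "-d", ...
        specs[(fields[0], ftype)] = fields[-1]
    return specs

def changed_regexes(old_text, new_text):
    """Path regexes whose entry was added, removed or given a new context."""
    old, new = parse(old_text), parse(new_text)
    return sorted({k[0] for k in old.keys() | new.keys() if old.get(k) != new.get(k)})

def relabel_root(regex):
    """Literal directory prefix of a regex: a path 'restorecon -R' could start from."""
    m = META.search(regex)
    if m is None:
        return regex
    head, tail = regex[:m.start()], regex[m.start():]
    if not (head.endswith("/") or tail.startswith("(/")):
        head = posixpath.dirname(head)      # cut fell mid-component: use the parent
    return head.rstrip("/") or "/"

def restorecon_targets(old_text, new_text):
    return sorted({relabel_root(r) for r in changed_regexes(old_text, new_text)})

# Constructed sample data: base entries plus two versions of one module's entries.
BASE = """
/opt(/.*)?            system_u:object_r:usr_t:s0
/var/log(/.*)?        system_u:object_r:var_log_t:s0
"""
MODULE_V1 = """
/opt/myapp/bin(/.*)?  system_u:object_r:myapp_exec_t:s0
/var/log/myapp(/.*)?  system_u:object_r:myapp_log_t:s0
"""
MODULE_V2 = """
/opt/myapp/bin(/.*)?  system_u:object_r:myapp_exec_t:s0
"""

if __name__ == "__main__":
    # The new package alone never mentions /var/log/myapp, so it would be skipped.
    print("package only:", restorecon_targets("", MODULE_V2))
    # Diffing the whole sets finds the dropped entry, now covered by the base rule.
    print("whole diff:  ", restorecon_targets(BASE + MODULE_V1, BASE + MODULE_V2))
```
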
