[Pkg-sysvinit-devel] Bug#626725: initscripts: Needs to set SELinux labels for /run
Martin Orr
martin at martinorr.name
Mon May 16 11:45:31 UTC 2011
On Sun 15 May 15:08:29 2011, Roger Leigh wrote:
> On Sun, May 15, 2011 at 01:41:41PM +0100, Roger Leigh wrote:
>> On Sat, May 14, 2011 at 06:44:29PM +0100, Martin Orr wrote:
>> > Directories and symlinks created as part of the /run transition are not
>> > labelled for SELinux. The effect is that most services fail to start on
>> > boot after transitioning to /run.
>> >
>> > You need to run restorecon after creating a directory or symbolic link
>> > in an init script or maintainer script. Attached patch does this.
>> >
>> > /run with SELinux also requires the refpolicy patch I have submitted in
>> > #626720. Once that is fixed, initscripts should probably have
>> > Breaks: selinux-policy-default (<< $FIXEDVERSION)
>>
>> Hi Martin,
>>
>> Is it safe to apply the patch /before/ refpolicy is updated or would
>> this break anything? Or is the Breaks: essential?
>>
>> I could apply the patch today and then add the Breaks once refpolicy
>> is updated. Or I could wait until refpolicy is updated and do both
>> then.
>
> If it is safe to apply now, this is my proposed patch (same as yours
> with one conflict fixed):
Things are badly broken until both this patch and the refpolicy one
are applied so there is no harm by applying this patch right away. In
fact, given that the effect is a near-unbootable system it may be
worth adding an unversioned Breaks: selinux-policy-default until
refpolicy is updated.
--
Martin Orr
More information about the Pkg-sysvinit-devel
mailing list