[DSE-Dev] Bug#685992: debian-policy: Document in the policy the way to properly set selinux labels on files and directories
Laurent Bigonville
bigon at debian.org
Mon Aug 27 11:26:50 UTC 2012
Package: debian-policy
Severity: wishlist
Hi,
On a selinux enabled machine, when an initscript is creating a directory
or a file it might end up not having the correct selinux label on disk.
If the service is protected by selinux this will result in the service
not working at all or having some weird behaviour.
The proper way to fix the selinux file context is to call restorecon on
the file/directory. Some initscripts in the archives are already
implementing this alongside setting up the correct permissions (udev,
rpcbind,...):
    [ -x /sbin/restorecon ] && /sbin/restorecon "$MYFILE"
Some people wanted this (see bug #678719) to be explicitly documented in
the policy before implementing it in their initscript.
Could you please consider documenting this in the policy?
Cheers
Laurent Bigonville
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.4-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_BE.utf8, LC_CTYPE=fr_BE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
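
An init-script helper built around the restorecon call quoted in the report above, as an added example that is not part of the original message or of any Debian package. The function name `ensure_rundir`, the `RESTORECON` override variable and the directory arguments are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: create a runtime directory from an init script, set its
# permissions, then reset its SELinux label with restorecon.
# ensure_rundir and the RESTORECON override are hypothetical names.

# Path to restorecon; overridable so the helper can be exercised in a test.
RESTORECON="${RESTORECON:-/sbin/restorecon}"

# ensure_rundir DIR MODE [OWNER]
# Creates DIR if needed, applies MODE and OWNER, then restores the default
# SELinux file context. Returns non-zero if creation, chmod or chown fails.
ensure_rundir() {
    dir=$1 mode=$2 owner=${3:-}

    # Init scripts run as root: refuse a symlink, because chmod and chown
    # would follow it and change the link target instead.
    if [ -L "$dir" ]; then
        echo "ensure_rundir: $dir is a symlink, refusing" >&2
        return 1
    fi

    [ -d "$dir" ] || mkdir -p "$dir" || return 1
    chmod "$mode" "$dir" || return 1
    if [ -n "$owner" ]; then
        chown "$owner" "$dir" || return 1
    fi

    # Same guard as in the report: skip quietly where restorecon is not
    # installed. A relabel failure is reported but does not abort startup.
    if [ -x "$RESTORECON" ]; then
        "$RESTORECON" "$dir" || echo "ensure_rundir: restorecon failed on $dir" >&2
    fi
    return 0
}
```

The relabel runs last so that it applies to the directory in its final state, after ownership and mode have been set.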