[DSE-Dev] SELinux release goals for Debian Jessie ?

Laurent Bigonville bigon at debian.org
Thu Oct 3 13:24:57 UTC 2013


On 3 Oct 2013 11:40:47 +0200,
"Andreas Kuckartz" <a.kuckartz at ping.de> wrote:

> Laurent Bigonville:
> > Good question, I still want to get into the policy that, if a
> > package is creating a file/directory in an initscript or in a
> > maintainer script, it ensures (read: calls restorecon) that the
> > context on disk is correct.
> > 
> > I've opened a bug about this (#685992) a while back, but never
> > committed to make this happen. I guess that when/if this is
> > happening, there will be some packages that will need fixes. This
> > could be a good selinux release goal I guess, even if it might be
> > difficult to measure the progression.
> 
> I have mentioned that here:
> https://wiki.debian.org/ReleaseGoals/SELinux
> 
> But are there no better alternatives than calling restorecon? The main
> use of that command is to "correct errors" (as the man page says).
> Wouldn't it be better to avoid those errors by correcting the
> scripts ?

That would require changes in the refpolicy (for the files created by
initscripts) and some changes to dpkg code (I'm not even sure that this
could be achieved that way) for the files installed by maintainer
scripts.

So here a restorecon call is a correct way of doing things, even if it's
maybe not the best. There are actually several initscripts that are
doing this ATM.

> Are we aware of packages with such errors? So far I only know about
> this one, because it is blocking #685992 :
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=687306

There is also #678719

Cheers

Laurent Bigonville
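
The pattern discussed in this thread (create the path in an initscript or maintainer script, then call restorecon so the on-disk context matches policy), as an added example that is not part of the original message or of any Debian package. The function name `make_labeled_dir`, the `RESTORECON` override variable and the path `/run/exampled` are hypothetical.

```shell
#!/bin/sh
# Added illustration: helper an initscript or postinst could source.
# make_labeled_dir, RESTORECON and /run/exampled are hypothetical names.

# Locate restorecon once. The variable can be overridden, and an empty
# value means the SELinux userland is not installed on this system.
RESTORECON="${RESTORECON:-$(command -v restorecon 2>/dev/null || true)}"

# make_labeled_dir DIR MODE
# Creates DIR with MODE, then resets its SELinux context to the policy
# default. Prints "relabeled" or "skipped"; returns non-zero on failure.
make_labeled_dir() {
    dir=$1
    mode=$2

    # A directory created by a script gets whatever context the creating
    # process implies, which may differ from what file_contexts says.
    mkdir -p "$dir" || return 1
    chmod "$mode" "$dir" || return 1

    # No restorecon available: nothing to relabel, and not an error,
    # so the same script works on systems without SELinux.
    if [ -z "$RESTORECON" ] || [ ! -x "$RESTORECON" ]; then
        echo skipped
        return 0
    fi

    # -R also covers anything already present below the directory.
    "$RESTORECON" -R "$dir" || return 1
    echo relabeled
}

# Typical call site in an initscript's start action (hypothetical daemon):
#   make_labeled_dir /run/exampled 0750 >/dev/null || exit 1
```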


