[DSE-Dev] debian-policy: Document in the policy the way to properly set selinux labels on files and directories
Laurent Bigonville
bigon at debian.org
Thu May 1 16:02:20 UTC 2014
Hello,

OK, let's try to draft some text then. I'm not really sure in which
section this should go, 10.9 (Permissions and owners) maybe?

Packagers should ensure that the files or directories they are
creating have the proper SELinux file context set to them.

dpkg is already taking care of setting the proper SELinux context for
the files and directories owned by the package. Setting the SELinux
file context manually is, in most cases, only needed when a file or
directory is created or moved on the filesystem outside of dpkg by a
maintainer or init script for example.

Such scripts should not hardcode any SELinux file context but should
query the active SELinux policy to determine the proper file context
instead.

A maintainer script can, for example, call the restorecon(8) executable
to achieve this:

    [ -x /sbin/restorecon ] && /sbin/restorecon "$myfile"

This is the first time I'm drafting a policy change, so comments
welcome :)

Cheers,

Laurent Bigonville
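
The restorecon call proposed above, worked into a postinst-style helper that stays safe under "set -e". This is an added example, not part of the original mail or of any Debian package; the function names and the RESTORECON override variable are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: helper for a maintainer script that creates files
# outside of dpkg and needs them labelled by the active SELinux policy.
set -e

# Path to restorecon. The override is hypothetical and only exists so the
# helper can be exercised on a machine without the SELinux tools.
RESTORECON="${RESTORECON:-/sbin/restorecon}"

# relabel_path PATH...
# Let the active policy pick the context instead of hardcoding one.
# Succeeds silently when restorecon is not installed.
relabel_path() {
    # "if" instead of "[ -x ... ] && ...": the short form returns
    # non-zero when restorecon is missing, and that status aborts a
    # caller running under "set -e" if it is the last command.
    if [ -x "$RESTORECON" ]; then
        # -R relabels everything below a directory as well.
        # Quoting "$@" keeps paths with spaces intact.
        "$RESTORECON" -R "$@"
    fi
}

# make_state_dir DIR
# Create a directory that dpkg does not own, then label it.
make_state_dir() {
    mkdir -p "$1"
    relabel_path "$1"
}
```

A failure reported by restorecon itself still propagates to the caller, so a real labelling error is not hidden.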