06-17-2008, 09:22 PM
Jason L Tibbitts III

chcon in %post

I just came across a package that does this:

%post
/usr/bin/chcon -t unconfined_execmem_exec_t %{_libexecdir}/haddock.bin >/dev/null 2>&1 || :

rpmlint complains bitterly about it, and honestly I'm really not sure
what's supposed to happen here. This is a ghc-compiled binary. (ghc
is a Haskell compiler.)

So, if you have a binary in a package that really needs this context,
is running chcon in %post the right way to do it?

- J<

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
06-17-2008, 09:52 PM
Eric Paris

chcon in %post

On Tue, 2008-06-17 at 16:22 -0500, Jason L Tibbitts III wrote:
> I just came across a package that does this:
>
> %post
> /usr/bin/chcon -t unconfined_execmem_exec_t %{_libexecdir}/haddock.bin >/dev/null 2>&1 || :
>
> rpmlint complains bitterly about it, and honestly I'm really not sure
> what's supposed to happen here. This is a ghc-compiled binary. (ghc
> is a Haskell compiler.)
>
> So, if you have a binary in a package that really needs this context,
> is running chcon in %post the right way to do it?

I'd suggest getting the filecontext into policy so that RPM lays it down
that way. And no, chcon is not the right way (reverted on system
relabel). Use semanage fcontext -a and then restorecon if you cannot
for some reason push the correct context upstream into policy.

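The semanage-then-restorecon approach from the reply above, written out as spec scriptlets. This is an added example, not part of the original thread or the package's own spec; the Requires lines and the binary paths for semanage and restorecon are assumptions to check against the target release.

```spec
# Added example: record the label in the local file-context database so
# that a system relabel keeps it, instead of running chcon.
# Assumption: policycoreutils is the package that ships semanage and
# restorecon on the target release.
Requires(post):   policycoreutils
Requires(postun): policycoreutils

%post
# File-context paths are regular expressions, so the dot is escaped.
# On upgrade the rule already exists and -a fails; that is ignored.
/usr/sbin/semanage fcontext -a -t unconfined_execmem_exec_t \
    '%{_libexecdir}/haddock\.bin' >/dev/null 2>&1 || :
# Apply the recorded context to the file rpm just wrote.
/sbin/restorecon %{_libexecdir}/haddock.bin || :

%postun
# $1 is the number of package instances left after this transaction:
# 0 means final erase, so the rule survives upgrades and is dropped
# only when the package is removed.
if [ "$1" -eq 0 ]; then
    /usr/sbin/semanage fcontext -d -t unconfined_execmem_exec_t \
        '%{_libexecdir}/haddock\.bin' >/dev/null 2>&1 || :
fi
```

After install, `semanage fcontext -l -C` should list the rule, and `restorecon -nv` on the file should report nothing to change.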
 
06-23-2008, 01:04 PM
Daniel J Walsh

chcon in %post

Eric Paris wrote:
> On Tue, 2008-06-17 at 16:22 -0500, Jason L Tibbitts III wrote:
>> I just came across a package that does this:
>>
>> %post
>> /usr/bin/chcon -t unconfined_execmem_exec_t %{_libexecdir}/haddock.bin >/dev/null 2>&1 || :
>>
>> rpmlint complains bitterly about it, and honestly I'm really not sure
>> what's supposed to happen here. This is a ghc-compiled binary. (ghc
>> is a Haskell compiler.)
>>
>> So, if you have a binary in a package that really needs this context,
>> is running chcon in %post the right way to do it?
>
> I'd suggest getting the filecontext into policy so that RPM lays it down
> that way. And no, chcon is not the right way (reverted on system
> relabel). Use semanage fcontext -a and then restorecon if you cannot
> for some reason push the correct context upstream into policy.

I just fixed a bugzilla to label all the Haskell apps as
unconfined_execmem_exec_t until Haskell is fixed.

We need a better way to handle apps that need execmem in policy for
non-unconfined_t users.

Currently we have mono, java, wine, unconfined_execmem_exec_t, all
basically giving the same privs:

usertype + execmem.


 

All times are GMT.