On Thu, Aug 21, 2014 at 06:46:37PM +0000, Sven Vermeulen wrote:
> On Thu, Aug 21, 2014 at 10:42:21PM +0400, Jason Zaman wrote:
> > > Something like so (which we can do in the selinux-policy-2.eclass):
> > >
> > > pkg_postinst() {
> > >   # Find all packages with this package in their RDEPEND
> > >   PKGSET=$(equery -q depends ${CATEGORY}/${PN})
> > >   for PKG in ${PKGSET};
> > >   do
> > >     rlpkg ${PKG};

I tested it just now and it's working fine for me :) rlpkg can take many
packages on the command line at once, which is easier and likely faster
than a for loop. I replaced the loop with:

    if [ x"${PKGSET}" != "x" ]; then rlpkg ${PKGSET}; fi

We may also want to grep -v "sec-policy/selinux-"; they all depend on
base-policy so it has a lot of relabelling which is probably not needed.

Also, I noticed some parts of the eclass use "if [" and some use "if [[";
being more consistent would probably be good.

> > >   done
> > > }
> >
> > This looks like it would work apart from the optional equery. What about
> > if the user does not want something relabelled after updating if they
> > have special circumstances? We might want a way to say don't touch this
> > package I'll do it myself. Alternatively the user would just have to set
> > it in semanage fcontext and it'll be fine.
>
> Do you have a specific situation in mind? As far as I see, the relabeling is
> an almost mandatory step (even right now). What users can (and should) do if
> they don't want the default labels is to define their own labels and policy,
> and in those cases the relabeling operation (by rlpkg) will be correct
> anyway (as it uses the SELinux context definitions on the system).

Yeah, it was mostly theoretical. I think it's reasonable to say that a user
needs to use semanage fcontext instead of chcon. chcon would be fine for
temporary things or things not managed by portage (e.g. /home).

--
Jason
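
The points raised in this thread (a single rlpkg call, skipping sec-policy/selinux-* dependents, and equery being optional) combined into one helper, as an added example that is not part of the original message or of selinux-policy-2.eclass. The function names `filter_policy_pkgs` and `relabel_rdepends` are hypothetical; `equery -q depends` and `rlpkg` are used as they appear in the thread.

```bash
# Added example: helper names are hypothetical, not taken from the eclass.

# Drop SELinux policy packages from a newline-separated package list on
# stdin. "|| true" keeps grep's "no lines left" exit status from being
# treated as a failure by the caller.
filter_policy_pkgs() {
    grep -v '^sec-policy/selinux-' || true
}

# Relabel every installed package that has the given policy package in
# its RDEPEND.  $1 = category/name, e.g. "${CATEGORY}/${PN}" in an eclass.
relabel_rdepends() {
    local atom="$1" pkgset

    # equery is provided by gentoolkit and may not be installed; skip the
    # relabel with a message rather than failing the merge.
    if ! command -v equery >/dev/null 2>&1; then
        echo "equery not found; not relabelling dependents of ${atom}" >&2
        return 0
    fi

    # equery can exit non-zero when nothing depends on the package, so
    # its status is deliberately ignored and only its output is used.
    pkgset=$(equery -q depends "${atom}" 2>/dev/null | filter_policy_pkgs) || true

    if [ -n "${pkgset}" ]; then
        # One rlpkg invocation for the whole set; word splitting of
        # ${pkgset} into separate arguments is intended here.
        rlpkg ${pkgset}
    fi
}

# How an eclass could call it (assumption, mirrors the snippet in the thread).
pkg_postinst() {
    relabel_rdepends "${CATEGORY}/${PN}"
}
```

Because rlpkg applies the file contexts defined on the system, local overrides added with semanage fcontext survive this relabel, while labels set only with chcon do not.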