On Thu, Aug 21, 2014 at 06:46:37PM +0000, Sven Vermeulen wrote:
> On Thu, Aug 21, 2014 at 10:42:21PM +0400, Jason Zaman wrote:
> > > Something like so (which we can do in the selinux-policy-2.eclass):
> > > 
> > > pkg_postinst() {
> > >   # Find all packages with this package in their RDEPEND
> > >   PKGSET=$(equery -q depends ${CATEGORY}/${PN})
> > >   for PKG in ${PKGSET};
> > >   do
> > >     rlpkg ${PKG};

I tested it just now and it's working fine for me :)

rlpkg can take many packages on the command line at once which is easier
and likely faster than a for loop.
I replaced the loop with:
    if [ x"${PKGSET}" != "x" ]; then
      rlpkg ${PKGSET};
    fi

We may also want to grep -v "sec-policy/selinux-", they all depend on
base-policy so it has a lot of relabelling which is probably not needed.

Also, I noticed some parts of the eclass use "if [" and some use "if [[",
being more consistent would probably be good.

> > >   done
> > > }
> > 
> > This looks like it would work apart from the optional equery. What about
> > if the user does not want something relabelled after updating if they
> > have special circumstances? We might want a way to say don't touch this
> > package I'll do it myself. Alternatively the user would just have to set
> > it in semanage fcontext and it'll be fine.
> 
> Do you have a specific situation in mind? As far as I see, the relabeling is
> an almost mandatory step (even right now). What users can (and should) do if
> they don't want the default labels is to define their own labels and policy,
> and in those cases the relabeling operation (by rlpkg) will be correct
> anyway (as it uses the SELinux context definitions on the system).

Yeah it was mostly theoretical. I think it's reasonable to say that a
user needs to use semanage fcontext instead of chcon. chcon would be
fine for temporary things or things not managed by portage (eg /home).

-- Jason
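
The suggestions in the message above (a single rlpkg call, an empty-set guard, and skipping the sec-policy/selinux-* packages) combined into one sketch. This is an added example, not part of the original message or the eclass; the function names and the RLPKG_CMD override are hypothetical and exist only so the logic can be exercised without a Gentoo SELinux system.

```shell
# Added example: function names and RLPKG_CMD are hypothetical.

# Read reverse-dependency atoms on stdin (one per line, as printed by
# `equery -q depends`) and drop the sec-policy/selinux-* policy packages,
# which all depend on base-policy and would cause a lot of relabelling.
filter_relabel_targets() {
  # grep exits 1 when every line is filtered out; that is not an error here.
  grep -v '^sec-policy/selinux-' || true
}

# Relabel everything that is left with a single rlpkg invocation.
relabel_rdepends() {
  targets=$(filter_relabel_targets)
  # Nothing to relabel: do not call rlpkg with an empty argument list.
  if [ -z "${targets}" ]; then
    return 0
  fi
  # Word splitting is intentional: one argument per package atom.
  # shellcheck disable=SC2086
  ${RLPKG_CMD:-rlpkg} ${targets}
}

# What a pkg_postinst() could call, with "$1" being "${CATEGORY}/${PN}".
# equery is optional (gentoolkit), so skip quietly when it is not installed.
relabel_after_policy_update() {
  command -v equery >/dev/null 2>&1 || return 0
  equery -q depends "$1" | relabel_rdepends
}
```

Setting RLPKG_CMD=echo prints the package list that would be relabelled instead of running rlpkg.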
