On Thu, 1 May 2014 09:55:09 -0700, Jonathan Nieder <[email protected]> wrote:

> Hi,

Hello,

> Laurent Bigonville wrote:
>
> > A maintainer script can for example call the restorecon(8)
> > executable to achieve this:
> > [ -x /sbin/restorecon ] && /sbin/restorecon $myfile
>
> Should I do this for all files I create in maintainer scripts, or only
> those that someone who knows things :) has told me need it?
>
> Likewise, at runtime should I be doing this for files I create, or
> only for some subset of files?

Well, the answer here is: it depends.

If the file is created directly in its final location, the file context should be OK in 95% of the cases, as a file inherits the label from its parent directory. If the file is moved in the process (i.e. the file is created/built in /tmp and then moved), the context will for sure be wrong.

The context behaves more or less like the Unix permissions: if the file is moved, the context is not changed; if the file is copied, then the context will be changed to the one of the parent directory (or, to make things even more complex, to another context if a named transition is used in the policy).

I proposed in the example to use restorecon as it's available in the archive today, but there are other ways to set the proper context. For example, the new mv command from coreutils 8.22 has a -Z flag which also takes care of that, see: https://danwalsh.livejournal.com/67751.html

Cheers,

Laurent Bigonville

> Curious,
> Jonathan

_______________________________________________
SELinux-devel mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/selinux-devel
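The "built in /tmp, then moved" case that Laurent describes, as an added example that is not part of the thread: a small POSIX sh helper for a maintainer script that moves a staged file into place and then makes its SELinux label match the destination. It tries the coreutils 8.22 `mv -Z` first and falls back to a plain `mv` followed by `restorecon`, guarded so that it is a no-op on systems without the SELinux tools. The staging path, destination path and the `install_staged`/`relabel_path` function names are assumptions for the example, not anything from the page.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes: a file staged somewhere
# (e.g. under /tmp), a destination path, and that the script may run on a
# host without SELinux tools, where relabeling is simply skipped.

# Restore the policy's default label for one path, if restorecon exists.
# Written as if/then rather than "[ -x ... ] && ..." so the function always
# returns 0 when restorecon is absent: a bare "&&" list as the last statement
# of a maintainer script would otherwise make the script exit non-zero.
relabel_path() {
    path="$1"
    if [ -x /sbin/restorecon ]; then
        /sbin/restorecon -- "$path"
    fi
    return 0
}

# Move a staged file into its final location and fix its label.
# A plain mv keeps the label of the staging directory (the thread's warning);
# "mv -Z" (coreutils >= 8.22) sets the destination's default label itself.
# On a mv without -Z the first attempt fails before anything is moved, so we
# fall back to mv + restorecon.
install_staged() {
    src="$1"
    dst="$2"
    if mv -Z -- "$src" "$dst" 2>/dev/null; then
        return 0
    fi
    mv -- "$src" "$dst" || return 1
    relabel_path "$dst"
}

# Demo on a constructed file: stage under a temp dir, install, show the label.
demo() {
    workdir=$(mktemp -d) || return 1
    printf 'example config\n' > "$workdir/staged.conf"
    install_staged "$workdir/staged.conf" "$workdir/final.conf" || return 1
    # ls -Z only means something on an SELinux-labelled filesystem.
    if [ -x /sbin/restorecon ]; then
        ls -Z -- "$workdir/final.conf" 2>/dev/null
    fi
    [ -f "$workdir/final.conf" ] && [ ! -e "$workdir/staged.conf" ]
}

demo
```

In a real maintainer script the staging directory would be whatever the build step used; the only point of the guard is that a package must not fail to configure on a host where SELinux is not installed, while still ending up with the right label where it is.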
