<font face="courier new,monospace"><br style="font-family: courier new,monospace;"></font><br style="font-family: courier new,monospace;"><span style="font-family: courier new,monospace;">On Mon, Sep 19, 2011 at 4:01 PM, Fulko Hew <<a href="mailto:fulko.hew@gmail.com">fulko.hew@gmail.com</a>> wrote:</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">> On Mon, Sep 19, 2011 at 3:32 PM, Eric Paris <<a href="mailto:eparis@redhat.com">eparis@redhat.com</a>> wrote:</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">>> On Mon, 2011-09-19 at 14:49 -0400, Fulko Hew wrote:</span><br style="font-family: courier new,monospace;"><span style="font-family: courier new,monospace;">>></span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">>>> If so... why use chcon versus the semanage/restorecon technique?</span><br style="font-family: courier new,monospace;"><span style="font-family: courier new,monospace;">>>> or if my assesement is wrong... can someone point me to a better</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">>>> explanation/tutorial?</span><br style="font-family: courier new,monospace;"><span style="font-family: courier new,monospace;">></span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">> ... snip ...</span><br style="font-family: courier new,monospace;"><span style="font-family: courier new,monospace;">></span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">>> So semanage+restorecon == will last, chcon == will likely get blown away</span><br style="font-family: courier new,monospace;"><span style="font-family: courier new,monospace;">>> and make you angry later.</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">></span><br style="font-family: courier new,monospace;"><span style="font-family: courier new,monospace;">> Thanks for confirming that for me.</span><br style="font-family: courier new,monospace;">
<br style="font-family: courier new,monospace;"><span style="font-family: courier new,monospace;">Sorry to take a long time for a further followup...</span><br style="font-family: courier new,monospace;"><span style="font-family: courier new,monospace;">I made the changes to my RPM spec file, and it works, but...</span><br>
<br style="font-family: courier new,monospace;"><span style="font-family: courier new,monospace;">The processing sure takes a long time...<br>Whereas 'installing'</span><span style="font-family: courier new,monospace;"> the files is a quick procedure (seconds),<br>
my subsequent selinux commands</span><span style="font-family: courier new,monospace;"> take _minutes_ to process.<br><br>Surely the other packages can't be using this combo of commands</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">inside their spec files to handle selinux mode/attribute setting</span><br style="font-family: courier new,monospace;"><span style="font-family: courier new,monospace;">during installation (because they don't take this long to install).</span><br style="font-family: courier new,monospace;">
<br style="font-family: courier new,monospace;"><span style="font-family: courier new,monospace;">There has to be a better way/faster way.</span><br style="font-family: courier new,monospace;"><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">What I have right now is:</span><br style="font-family: courier new,monospace;"><br style="font-family: courier new,monospace;"><span style="font-family: courier new,monospace;">if [ -x /usr/sbin/selinuxenabled ] && selinuxenabled; then # if it exists and can be run</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;"> setsebool -P httpd_can_network_connect=1 # then enable this ability</span><br style="font-family: courier new,monospace;"><span style="font-family: courier new,monospace;"> setsebool -P httpd_enable_cgi=1 # this one should normally be on... </span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">fi # but force it because _we_ need it!</span><br style="font-family: courier new,monospace;"><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">if semanage fcontext -a -t httpd_sys_script_exec_t "/var/www/html/nia/scripts/.*" 2>/dev/null; then</span><br style="font-family: courier new,monospace;"><span style="font-family: courier new,monospace;"> restorecon -v /var/www/html/nia/scripts/* 2>/dev/null</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">fi</span><br style="font-family: courier new,monospace;"><span style="font-family: courier new,monospace;">if semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/nia/tmp" 2>/dev/null; then</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;"> restorecon -v /var/www/html/nia/tmp 2>/dev/null</span><br style="font-family: courier new,monospace;"><span style="font-family: courier new,monospace;">fi</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;"> # needed for RHEL 5.6 & GraphViz access to the fonts<br></span><span style="font-family: courier new,monospace;">if semanage fcontext -a -t httpd_sys_content_t "/var/cache/fontconfig/.*" 2>/dev/null; then<br>
</span><span style="font-family: courier new,monospace;"> restorecon -v /var/cache/fontconfig/* 2>/dev/null</span><br style="font-family: courier new,monospace;"><span style="font-family: courier new,monospace;">fi</span><br style="font-family: courier new,monospace;">