[Rpm-maint] [PATCH 12/19] Determine how policy should be installed based on SELinux state
Steve Lawrence
slawrence at tresys.com
Fri Feb 12 20:37:02 UTC 2010
On Fri, 2010-02-05 at 12:39 -0500, James Antill wrote:
> On Tue, 2010-02-02 at 15:25 -0500, Steve Lawrence wrote:
> > The state of SELinux on a system changes how we install policy during
> > the rpm transaction. For example, if the /etc/selinux directory structure
> > hasn't been created, we can't install policy until a package creates the
> > directory. This patch adds a function (rpmtsInitSELinux) which performs
> > initialization and determines the state of SELinux on the system and what
> > actions should be taken to install policy.
> [...]
> > + /* initialize matchpathcon */
> > + if (!(rpmtsFlags(ts) & RPMTRANS_FLAG_NOCONTEXTS)) {
> > + if (matchpathcon_init(selinux_file_context_path()) == -1) {
> > + rpmtsSetFlags(ts, (rpmtsFlags(ts) | RPMTRANS_FLAG_NOCONTEXTS));
> > + }
> > + }
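Review bot: in the `matchpathcon_init(selinux_file_context_path()) == -1` branch the failure is swallowed: the code sets RPMTRANS_FLAG_NOCONTEXTS and carries on, so the rest of the transaction runs with contexts disabled and nothing tells the administrator why. Log a warning in that branch (for example through rpmlog) that names the path that failed to load, and consider whether an SELinux-enabled system should fail the transaction here rather than continue without labelling.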
> [...]
> > - char *fn = rpmGetPath("%{?_install_file_context_path}", NULL);
> > - if (matchpathcon_init(fn) == -1) {
> > - rpmtsSetFlags(ts, (rpmtsFlags(ts) | RPMTRANS_FLAG_NOCONTEXTS));
> > - }
> > - _free(fn);
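Review bot: dropping the `rpmGetPath("%{?_install_file_context_path}", NULL)` lookup removes the only use of that macro visible in this patch, so a configuration that sets it will be ignored without notice, and the commit message does not mention the change. State in the commit message why the macro is no longer consulted, and remove or deprecate its definition in the same series so it does not linger as a setting with no effect.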
> [...]
> > + if (rpmtsInitSELinux(ts) != RPMRC_OK) {
> > + return -1;
>
> How is this the same? Is %_install_file_context_path always the same as
> the default path?
It isn't the same. The ?_install_file_context_path macro is only
evaluated once, and then that path is used anytime the macro is used.
However, it is possible that the policy could change during a
transaction, which means the macro would be wrong. The function
selinux_file_context_path() will always return the correct path.
> [...]
> > +#if WITH_SELINUX
> > + /* load policy and relabel files if policy was postponed */
>
> Can this bit be merged with the init code?
>
I don't think this should be a problem.