[Rpm-maint] [PATCH 12/19] Determine how policy should be installed based on SELinux state

Steve Lawrence slawrence at tresys.com
Fri Feb 12 20:37:02 UTC 2010


On Fri, 2010-02-05 at 12:39 -0500, James Antill wrote:
> On Tue, 2010-02-02 at 15:25 -0500, Steve Lawrence wrote:
> > The state of SELinux on a system changes how we install policy during
> > the rpm transaction. For example, if the /etc/selinux directory structure
> > hasn't been created, we can't install policy until a package creates the
> > directory. This patch adds a function (rpmtsInitSELinux) which performs
> > initialization and determines the state of SELinux on the system and what
> > actions should be taken to install policy.
> [...]
> > +	/* initialize matchpathcon */
> > +	if (!(rpmtsFlags(ts) & RPMTRANS_FLAG_NOCONTEXTS)) {
> > +		if (matchpathcon_init(selinux_file_context_path()) == -1) {
> > +			rpmtsSetFlags(ts, (rpmtsFlags(ts) | RPMTRANS_FLAG_NOCONTEXTS));
> > +		}
> > +	}
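
Review bot: the failure branch of matchpathcon_init() sets RPMTRANS_FLAG_NOCONTEXTS and continues without any message, so every file installed afterwards goes unlabeled and nothing tells the administrator why. Suggest an rpmlog() warning in that branch before the flag is set. This block also loads the file contexts only once; if policy can be loaded later in the same transaction, the matchpathcon data needs to be re-initialized after that load, otherwise it goes stale in the same way the cached macro value did.
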
> [...]
> > -	char *fn = rpmGetPath("%{?_install_file_context_path}", NULL);
> > -	if (matchpathcon_init(fn) == -1) {
> > -	    rpmtsSetFlags(ts, (rpmtsFlags(ts) | RPMTRANS_FLAG_NOCONTEXTS));
> > -	}
> > -	_free(fn);
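
Review bot: dropping the rpmGetPath("%{?_install_file_context_path}", NULL) lookup means an override of that macro no longer affects which file contexts are loaded, and the change description does not mention it. Suggest stating this behaviour change in the commit message, and removing or marking the macro as unused if nothing else reads it.
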
> [...]
> > +    if (rpmtsInitSELinux(ts) != RPMRC_OK) {
> > +       return -1;
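
Review bot: any result other than RPMRC_OK from rpmtsInitSELinux() becomes a bare "return -1;" here, so an SELinux initialization failure ends the call with no indication of the cause. Suggest logging an error either inside rpmtsInitSELinux() or before this return, and documenting in the function's comment which conditions (SELinux disabled, contexts turned off) still return RPMRC_OK so this check cannot fail transactions on systems without SELinux.
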
> 
>  How is this the same? Is %_install_file_context_path always the same as
> the default path?

It isn't the same. The ?_install_file_context_path macro is only
evaluated once, and then that path is used anytime the macro is used.
However, it is possible that the policy could change during a
transaction, which means the macro would be wrong. The function
selinux_file_context_path() will always return the correct path.

> [...]
> > +#if WITH_SELINUX
> > +    /* load policy and relabel files if policy was postponed */
> 
>  Can this bit be merged with the init code?
> 

I don't think this should be a problem.

