3:46 a.m.
Hi,
we are going to drop file_contexts.bin from selinux-policy-targeted package.
file_contexts.bin file is regenerated by sefcontext_compile utility every time
policy is rebuilt, e.g. during update, after semodule -B, ... and this file
contains pre compiled pcre regexes from file_contexts.
We added this file to selinux-policy-targeted in order to prevent problems such
were [1] [2] but it causes another problems like [3]
Since systemd should be already fixed, it seems to be safe to drop it again and
let it create during post install phase. So we are going to drop it from
Rawhide and I think it could be dropped from Fedora 27 as well.
I've prepared COPR selinux-policy build [4] without this file. It would be
great if someone could test it in some Live image.
With few simple step you can also test how userspace works without *.bin files
on a local system:
1. remove .bin files from /etc/selinux/targeted/contexts/files/
# rm /etc/selinux/targeted/contexts/files/*bin
2. add/change /etc/selinux/semanage.conf so it contains:
[sefcontext_compile]
path = /bin/true
[end]
3. update selinux-policy{,-targeted} from [4]
4. test it - reboot, relabel, run a desktop session, ...
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1314372
[2] https://github.com/systemd/systemd/pull/2508#issuecomment-188235477
[3] https://bugzilla.redhat.com/show_bug.cgi?id=1502009
[4] https://copr.fedorainfracloud.org/coprs/plautrba/selinux-policy/build/656...
Thanks,
Petr
3:59 a.m.
New subject: [HEADS-UP] droping file_contexts.bin from
selinux-policy-targeted package
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On Wed, 2017-11-01 at 09:46 +0100, Petr Lautrbach wrote:
Hi,
we are going to drop file_contexts.bin from selinux-policy-targeted
package.
file_contexts.bin file is regenerated by sefcontext_compile utility
every time
policy is rebuilt, e.g. during update, after semodule -B, ... and
this file
contains pre compiled pcre regexes from file_contexts.
We added this file to selinux-policy-targeted in order to prevent
problems such
were [1] [2] but it causes another problems like [3]
Since systemd should be already fixed, it seems to be safe to drop it
again and
let it create during post install phase. So we are going to drop it
from
Rawhide and I think it could be dropped from Fedora 27 as well.
Am I right that
this file will be created on installation? Then you
should use %ghost to mark it belonging to some package.
I've prepared COPR selinux-policy build [4] without this file. It
would be
great if someone could test it in some Live image.
With few simple step you can also test how userspace works without
*.bin files
on a local system:
1. remove .bin files from /etc/selinux/targeted/contexts/files/
# rm /etc/selinux/targeted/contexts/files/*bin
2. add/change /etc/selinux/semanage.conf so it contains:
[sefcontext_compile]
path = /bin/true
[end]
3. update selinux-policy{,-targeted} from [4]
4. test it - reboot, relabel, run a desktop session, ...
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1314372
[2] https://github.com/systemd/systemd/pull/2508#issuecomment-1882354
77
[3] https://bugzilla.redhat.com/show_bug.cgi?id=1502009
[4] https://copr.fedorainfracloud.org/coprs/plautrba/selinux-policy/b
uild/656330/
Thanks,
Petr
_______________________________________________
devel mailing list -- devel(a)lists.fedoraproject.org
To unsubscribe send an email to devel-leave(a)lists.fedoraproject.org
- --
- -Igor Gnatenko
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEhLFO09aHZVqO+CM6aVcUvRu8X0wFAln5jPEACgkQaVcUvRu8
X0yy9w//Z8GDqWhQOJoWL7UeP3OO+8s1i5NbUSw0cLsZroccy9A5yTvX+3tSOP1i
oxE0XWQFPF81nefbDAXdpxWqhVtVigQMpvgXKI3yss46Xnk4zts/Avbsti1ctvFB
KUPFl/nrwUTXF/sTkLSiz6RFWURL/fRrfBrsFhfEzDyp8wwEfpDb6Jh0ago0lgfD
2UZsLacRezy5XU38w4C9kJRlm/C4HpuNb/aiE3ciz8hlvtMwUbCCf5cQo7BqugMq
50/e/tbcMzsBh5Ynav0wgEvLhNSR3WO2T8h7T7b4uFbKAph65A0LzHJqXDscDX4q
GdNWjLEcKgMcpkvullVmJN+KbT/Sa3zEZO9ZFedd+0VHgP1ZLLzZPtc+7bTXN0uy
rRFplppfs8NiMyLRHkyl35C6Z8lykWAh8o3zdV4XIeIzMrCt3sqmF6Fq3z6r6YGn
xxz8t5jjJh+uUrcSbw9N2ojnwZkR6oWmTOiCEvUbOBk73xxnV2oNgbvzwoW+1CAI
mLCQQ//WhpuaEiupdk2wR5zXeeIOqZ6VXeYH6UWxn5Q1xa4aUljbI8C5s6Yqsf3a
cSULw83wz9keIXpjzg39mOxTHcLJJFHKI+lnPn4X7M2PjrTDvaNHbs40pYGzCfX1
Fy9VPtZPKSm4Uqp62YyCTH7wvNsfT4dWy1ZXCkxHTgzaNwEOeMs=
=emsS
-----END PGP SIGNATURE-----
10:14 a.m.
New subject: [HEADS-UP] droping file_contexts.bin from
selinux-policy-targeted package
On Wed, Nov 01, 2017 at 09:59:29AM +0100, Igor Gnatenko wrote:
On Wed, 2017-11-01 at 09:46 +0100, Petr Lautrbach wrote:
> Hi,
>
> we are going to drop file_contexts.bin from selinux-policy-targeted
> package.
>
> file_contexts.bin file is regenerated by sefcontext_compile utility
> every time
> policy is rebuilt, e.g. during update, after semodule -B, ... and
> this file
> contains pre compiled pcre regexes from file_contexts.
>
> We added this file to selinux-policy-targeted in order to prevent
> problems such
> were [1] [2] but it causes another problems like [3]
>
> Since systemd should be already fixed, it seems to be safe to drop it
> again and
> let it create during post install phase. So we are going to drop it
> from
> Rawhide and I think it could be dropped from Fedora 27 as well.
Am I right that this file will be created on installation? Then you
should use %ghost to mark it belonging to some package.
Yes, this is the plan.
https://src.fedoraproject.org/fork/plautrba/rpms/selinux-policy/c/dba350c...
If you want to see the changes see
https://src.fedoraproject.org/rpms/selinux-policy/pull-request/3
Thanks,
Petr
> >
> > I've prepared COPR selinux-policy build [4] without this file. It
> > would be
> > great if someone could test it in some Live image.
> >
> > With few simple step you can also test how userspace works without
> > *.bin files
> > on a local system:
> >
> > 1. remove .bin files from /etc/selinux/targeted/contexts/files/
> >
> > # rm /etc/selinux/targeted/contexts/files/*bin
> >
> > 2. add/change /etc/selinux/semanage.conf so it contains:
> >
> > [sefcontext_compile]
> > path = /bin/true
> > [end]
> >
> > 3. update selinux-policy{,-targeted} from [4]
> >
> > 4. test it - reboot, relabel, run a desktop session, ...
> >
> >
> > [1] https://bugzilla.redhat.com/show_bug.cgi?id=1314372
> > [2] https://github.com/systemd/systemd/pull/2508#issuecomment-1882354
> > 77
> > [3] https://bugzilla.redhat.com/show_bug.cgi?id=1502009
> >
> > [4] https://copr.fedorainfracloud.org/coprs/plautrba/selinux-policy/b
> > uild/656330/
> >
> > Thanks,
> >
> > Petr
> >
> > _______________________________________________
> > devel mailing list -- devel(a)lists.fedoraproject.org
> > To unsubscribe send an email to devel-leave(a)lists.fedoraproject.org
>
> --
> -Igor Gnatenko
> _______________________________________________
> devel mailing list -- devel(a)lists.fedoraproject.org
> To unsubscribe send an email to devel-leave(a)lists.fedoraproject.org
2368
days inactive
2368
days old
2 comments
2 participants
participants (2)
-
Igor Gnatenko -
Petr Lautrbach