View Issue Details Jump to Notes ] Issue History ] Print ]
IDProjectCategoryView StatusDate SubmittedLast Update
0005660CMakeCMakepublic2007-09-06 04:242016-06-10 14:30
ReporterDavid Thompson 
Assigned ToBrad King 
PrioritynormalSeverityfeatureReproducibilityalways
StatusclosedResolutionmoved 
PlatformOSOS Version
Product Version 
Target VersionFixed in Version 
Summary0005660: INSTALL command should provide way to set ACL/SELinux context
DescriptionThis is a feature request. CMake should provide a way to set SELinux security contexts on targets (and other files) when they are INSTALLed (at a minimum... perhaps this should be part of the FILE command as well?).

With SELinux enabled and enforcing, libraries built with the MODULE keyword -- and *all* of their dependent shared libraries -- should have a context of "system_u:object_r:lib_t" set with the chcon program. Otherwise, programs won't be able to load the plugin with dlopen. This behavior has been witnessed with mysqld on Fedora Core 6.

It seems like this should be part of the INSTALL( ... ) command, either as a default value for library targets or as an option like
   INSTALL( TARGETS somePlugin
     RUNTIME DESTINATION bin
     LIBRARY DESTINATION lib
     ARCHIVE DESTINATION lib
     CONTEXT "system_u:object_r:lib_t"
   )
It would be ignored on systems where it makes no sense and would make life significantly easier on systems with selinux, ACLs, etc. The exact definition of the string passed after the CONTEXT keyword might vary from platform to platform.
Additional InformationAlan Irwin notes this workaround:
I think you need to try the CODE or SCRIPT signature of INSTALL. Those signatures are quite powerful and should allow you to create or process files any way you want for the install tree.

This is indeed possible but does require finding the chcon binary, obtaining the full filename and path for the target in its installed location, and calling EXEC_PROGRAM inside INSTALL( CODE ... ).
TagsNo tags attached.
Attached Files

- Relationships Relation Graph ] Dependency Graph ]

-  Notes
(0030503)
Brad King (manager)
2012-08-13 10:36

Sending issues I'm not actively working on to the backlog to await someone with time for them.

If an issue you care about is sent to the backlog when you feel it should have been addressed in a different manner, please bring it up on the CMake mailing list for discussion. Sign up for the mailing list here, if you're not already on it:

 http://www.cmake.org/mailman/listinfo/cmake [^]

It's easy to re-activate a bug here if you can find a CMake developer or contributor who has the bandwidth to take it on.
(0041382)
Kitware Robot (administrator)
2016-06-10 14:27

Resolving issue as `moved`.

This issue tracker is no longer used. Further discussion of this issue may take place in the current CMake Issues page linked in the banner at the top of this page.

- Issue History
Date Modified Username Field Change
2007-09-06 04:24 David Thompson New Issue
2007-10-12 10:03 Bill Hoffman Status new => assigned
2007-10-12 10:03 Bill Hoffman Assigned To => Brad King
2012-08-13 10:36 Brad King Status assigned => backlog
2012-08-13 10:36 Brad King Note Added: 0030503
2016-06-10 14:27 Kitware Robot Note Added: 0041382
2016-06-10 14:27 Kitware Robot Status backlog => resolved
2016-06-10 14:27 Kitware Robot Resolution open => moved
2016-06-10 14:30 Kitware Robot Status resolved => closed


Copyright © 2000 - 2017 MantisBT Team
Powered by Mantis Bugtracker