From 1642bd99af5440f527722370de09c3d046437adc Mon Sep 17 00:00:00 2001
From: Sven Vermeulen
Date: Sun, 23 Nov 2014 17:10:50 +0100
Subject: [PATCH 1/1] Force the SELinux user during relabel operation

When Portage relabels the files of the package, it currently calls setfiles (which is correct) but does not use the -F option (force). As a result, the files only get assigned the right SELinux type, but not the right SELinux user and SELinux role. By using "setfiles -F", the SELinux user (and role, but role almost always remains "object_r") is set to the right one (system_u mostly). Without this, a multi-user system with different SELinux users and with User Based Access Control (UBAC) enabled (the local "ubac" USE flag) might find that some software fails to work for different SELinux users than the one used to install the software, until a full forced relabel operation is done. See also bug https://bugs.gentoo.org/show_bug.cgi?id=530192
---
 bin/misc-functions.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bin/misc-functions.sh b/bin/misc-functions.sh
index 6e6fcb4..8d5df78 100755
--- a/bin/misc-functions.sh
+++ b/bin/misc-functions.sh
@@ -392,7 +392,7 @@ preinst_selinux_labels() {
 addwrite /selinux/context
 addwrite /sys/fs/selinux/context
- /usr/sbin/setfiles "${file_contexts_path}" -r "${D}" "${D}"
+ /usr/sbin/setfiles -F "${file_contexts_path}" -r "${D}" "${D}"
 ) || die "Failed to set SELinux security labels."
 else
 # nonfatal, since merging can happen outside a SE kernel
--
2.0.4
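Review bot: The reason for `-F` is recorded only in the commit message, so the new `/usr/sbin/setfiles -F ...` line should carry a comment directly above it, for example `# -F: reset the SELinux user and role as well as the type (needed with UBAC, bug 530192)`. Per setfiles(8), `-F` also forces files with customizable types back to the `file_contexts` default. That looks harmless for a freshly built image under `${D}`, but the comment should say so, because the flag widens what the relabel overwrites. `preinst_selinux_labels` starts and ends outside this hunk, so how `file_contexts_path` is set cannot be checked from here.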