Monday, April 23. 2007

Checkinstall and SELinux

Situation: checkinstall is a tool that builds an RPM (or Debian or Slackware) package while installing software with make install or a similar command. Red Hat integrated SELinux into its Fedora distribution to increase the security of Linux.

Problem: checkinstall and SELinux don't play well together. The installation process with checkinstall fails, although a regular make install succeeds.

Solution: The cause of the problem is the file system translation mechanism that checkinstall uses. You can tell checkinstall not to use it either by passing the command-line option --fstrans=no or by editing the config file (usually /usr/local/lib/checkinstall/checkinstallrc) to say TRANSLATE=0 (and INSTALL=1 to actually install something).

The file system translation option can be used to merely create the package without actually installing it, so that no files can be overwritten. However, when used together with SELinux, the security context of the created file system tree is incorrect and thus the installation fails. If you want to install the package, you don't need the file system translation, and the BACKUP option should keep you on the safe side (as long as you don't use suid programs for installation).
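
A pre-flight check for the conflict described above, as an added example that is not part of checkinstall or of the original post: it reads TRANSLATE and INSTALL from a checkinstallrc and compares them with the SELinux mode. It assumes the rc file holds plain KEY=value assignments, that only Enforcing mode blocks the install, and that an unset TRANSLATE means translation is on; the function names rc_value and audit_rc are hypothetical.

```sh
#!/bin/sh
# Added example, not part of checkinstall. Assumes checkinstallrc consists of
# plain KEY=value shell assignments such as TRANSLATE=0 and INSTALL=1.

# Print the last uncommented value assigned to KEY ($2) in FILE ($1).
rc_value() {
    sed -n "s/^[[:space:]]*$2=\([^#[:space:]]*\).*/\1/p" "$1" |
        tail -n 1 | tr -d "\"'"
}

# Check FILE ($1) against an SELinux mode ($2: Enforcing, Permissive or
# Disabled, as printed by getenforce). Returns 1 when file system translation
# would be used while SELinux enforces policy.
# Assumptions: only Enforcing mode blocks the install, and an unset
# TRANSLATE means translation is on.
audit_rc() {
    translate=$(rc_value "$1" TRANSLATE)
    install=$(rc_value "$1" INSTALL)
    if [ "$2" = "Enforcing" ] && [ "${translate:-1}" != "0" ]; then
        echo "conflict: TRANSLATE=${translate:-unset}; set TRANSLATE=0 or pass --fstrans=no"
        return 1
    fi
    if [ "${translate:-1}" = "0" ] && [ "$install" != "1" ]; then
        echo "ok, but INSTALL=${install:-unset}: set INSTALL=1 to actually install"
        return 0
    fi
    echo "ok"
}

# Demo on a constructed rc file; on a real system pass
# /usr/local/lib/checkinstall/checkinstallrc and "$(getenforce)" instead.
demo_rc=$(mktemp)
printf '%s\n' '# constructed sample' 'TRANSLATE=1' 'INSTALL=0' > "$demo_rc"
audit_rc "$demo_rc" Enforcing || true
rm -f "$demo_rc"
```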