author Sven Vermeulen <sven.vermeulen@siphos.be> 2011-10-08 18:53:49 +0200
committer Sven Vermeulen <sven.vermeulen@siphos.be> 2011-10-08 18:53:49 +0200
commit a32bd2f55f10d81df329439f220e0b1e48ec8ab9
tree 6e8126a3c4661028c4f0e12fd79c154efcda7a06
parent Update new selinux handbook, information on selinux users and login mappings
Adding FAQ on recovering portage in case of setfiles failure
-rw-r--r-- xml/selinux-faq.xml 37
1 files changed, 35 insertions, 2 deletions
diff --git a/xml/selinux-faq.xml b/xml/selinux-faq.xml
index 9a3fc95..b556c57 100644
--- a/xml/selinux-faq.xml
+++ b/xml/selinux-faq.xml
@@ -17,8 +17,8 @@ The FAQ is a collection of solutions found on IRC, mailinglist, forums or
elsewhere
</abstract>
-<version>14</version>
-<date>2011-09-04</date>
+<version>15</version>
+<date>2011-10-08</date>
<faqindex>
<title>Questions</title>
@@ -767,5 +767,38 @@ version, or force set it to the higher version.
</body>
</section>
+<section id="recoverportage">
+<title>Portage fails to label files because "setfiles" does not work anymore</title>
+<body>
+
+<p>
+Portage uses the <c>setfiles</c> command to set the labels of the files it
+installs. However, that command is a dynamically linked executable, so any
+update in its depending libraries (<path>libselinux.so</path>,
+<path>libsepol.so</path>, <path>libaudit.so</path> and of course
+<path>libc.so</path>) might cause for the application to fail. Gentoo's standard
+solution (<c>revdep-rebuild</c>) will not work, since the tool will try to
+rebuild policycoreutils, which will fail to install because Portage cannot set
+the file labels.
+</p>
+
+<p>
+The solution is to rebuild policycoreutils while disabling Portage' selinux
+support, then label the installed files manually using <c>chcon</c>, based on
+the feedback received from <c>matchpathcon</c>.
+</p>
+
+<pre caption="Recovering from Portage installation failures">
+# <i>FEATURES="-selinux" emerge --oneshot policycoreutils</i>
+# <i>for FILE in $(qlist policycoreutils); do \
+CONTEXT=$(matchpathcon -n ${FILE}) chcon ${CONTEXT} ${FILE}; done</i>
+</pre>
+
+<p>
+Now Portage will function properly again, labeling files as they should.
+</p>
+
+</body>
+</section>
</chapter>
</guide>
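Review bot: In the added <pre> block, the loop body `CONTEXT=$(matchpathcon -n ${FILE}) chcon ${CONTEXT} ${FILE}` has no `;` between the assignment and `chcon`. The shell therefore treats `CONTEXT=...` as a one-off environment assignment for the `chcon` process and expands `${CONTEXT}` on the command line before that value exists, so `chcon` receives only the file name (or a stale value from the calling shell) and the relabel does not happen as described. Suggest `CONTEXT=$(matchpathcon -n ${FILE}); chcon ${CONTEXT} ${FILE};` and quoting `"${FILE}"` so paths from `qlist` that contain whitespace are not split. Two wording nits in the new paragraphs: "might cause for the application to fail" should read "might cause the application to fail", and "Portage' selinux support" should read "Portage's SELinux support".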