Old 02-28-2006, 09:00 AM   #1
Hungry ghost
Could this be a virus? (gyachi)


Hi all, first of all this comes from another thread I started in the Software section of the forum on how to build my own .rpm (http://www.linuxquestions.org/questi....php?t=420119), but since it went off-topic and I haven't got more replies concerning a -what seems to me- security issue I discovered, I thought opening a new thread in the security section would be more useful.
Ok, a few days ago I downloaded the source of gyachi from http://gyachi.sourceforge.net/. Then I decided to build my own .rpm with the source package and did it using checkinstall. Then I opened the resulting .rpm package with file-roller to verify its contents. It had two directories to be extracted in '/': 'usr' (containing 'local/share/gyachi' and 'local/bin/gyach'), and 'selinux' (containing a binary file named 'context'). Gyachi is supposed to be a messaging app for yahoo, so why should it write something in the '/selinux' directory during installation? Sounds like some sort of virus to me.
As a side note, I reinstalled gyachi from the source yesterday in the afternoon and after I discovered this '/selinux/context' file in the .rpm package I issued the command 'ls -la /selinux' and this is what I got:

Code:
$ ls -la /selinux
total 8
drwxr-xr-x   1 root root    0 feb 27 03:30 .
drwxr-xr-x  23 root root 4096 feb 27 07:30 ..
-rw-rw-rw-   1 root root    0 feb 27 03:30 access
dr-xr-xr-x   1 root root    0 feb 27 03:30 avc
dr-xr-xr-x   1 root root    0 feb 27 03:30 booleans
-rw-r--r--   1 root root    0 feb 27 03:30 checkreqprot
--w-------   1 root root    0 feb 27 03:30 commit_pending_bools
-rw-rw-rw-   1 root root    0 feb 27 03:30 context
-rw-rw-rw-   1 root root    0 feb 27 03:30 create
--w-------   1 root root    0 feb 27 03:30 disable
-rw-r--r--   1 root root    0 feb 27 03:30 enforce
-rw-------   1 root root    0 feb 27 03:30 load
-rw-rw-rw-   1 root root    0 feb 27 03:30 member
-r--r--r--   1 root root    0 feb 27 03:30 mls
crw-rw-rw-   1 root root 1, 3 feb 27 03:30 null
-r--r--r--   1 root root    0 feb 27 03:30 policyvers
-rw-rw-rw-   1 root root    0 feb 27 03:30 relabel
-rw-rw-rw-   1 root root    0 feb 27 03:30 user
As you can see, all the contents of the directory seem to have been created yesterday afternoon (however, the contents of '/usr/local/share/gyachi' were created yesterday at 18:30. I'm not sure of the precise time when I reinstalled gyachi).
So, what do you think about this? What to do now?
BTW, I already submitted the 'context' file to clamav's website to see whether it's a virus or not.
 
Old 03-01-2006, 04:24 PM   #2
narmida
Isn't this SELinux itself that checks?

Are you sure? Can you reproduce that the program overwrites the selinux dir?

I think that the installer helps the users to NOT let them give SELinux-enabled systems an error.
Many don't, so great.
 
Old 03-02-2006, 07:11 AM   #3
Hungry ghost
As I said before, I opened the .rpm with file-roller and there's a '/selinux/context' file there, which is really weird in a messaging app. I haven't installed the .rpm because I don't want to overwrite the contents of my /selinux directory (anyway, I already installed the program from the source). Maybe I'm being paranoid, but another thing that comes to my mind is that, perhaps, the version of checkinstall I downloaded/installed is not the real one (it's the first time I use this program), and it's meant to make .rpm's that overwrite the /selinux directory. BTW, I downloaded it from: http://asic-linux.com.mx/~izto/checkinstall/ Is that the right site of checkinstall??
 
Old 03-02-2006, 10:34 AM   #4
unSpawn
Quote: I opened the .rpm with file-roller and there's a '/selinux/context' file there / isnt this selinux itself that checks.
Changing SELinux context isn't part of the Gyachi code I tested (make -n install). Even though checkinstall could be subverted it's more likely checkinstall erroneously picked up changes to /selinux/context as part of its install check. You could take it up with the checkinstall developers or maintainers.

If unsure where to get rpm's from first check if it's part of your distro's repo, then check repo's like DAG etc. If there's no package available check Freshmeat, Sourceforge, etc etc for sources. Regardless of origin you should minimally check a package using the provided MD5sum or GPG sig. If none is provided harass developers, maintainers or repo admins to provide any. If paranoid you could download an app's code and diff it with a copy from a different repo, mirror or site or a copy of an older version. If unsure do not hesitate to check with us, developers or maintainers.


Quote: Is that the right site of checkinstall??
asic-linux.com.mx has same IP as checkinstall.izto.org, the host that is promoted on Freshmeat.net. Note it being "the right site" doesn't affect the code, OK. If unsure: check.
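An added check that is not from this thread or from checkinstall itself: list a package's contents without installing it (rpm -qlp) and flag any path that lands under a kernel pseudo-filesystem mount such as /selinux, or outside the prefix the build was expected to use. The prefix list and the sample file list below are assumptions constructed for the example, modelled on the paths the original poster describes.

```python
import subprocess

# Mount points of kernel pseudo-filesystems. A package should never ship files
# here; on systems of this era the SELinux filesystem was mounted at /selinux.
PSEUDO_FS_PREFIXES = ("/selinux", "/sys/fs/selinux", "/proc", "/sys", "/dev")

# Where a checkinstall build from a default ./configure is expected to land
# (assumption for this example; adjust to the --prefix actually used).
EXPECTED_PREFIXES = ("/usr/local",)


def _under(path, prefixes):
    """True if path equals one of prefixes or lies beneath it."""
    return any(path == p or path.startswith(p + "/") for p in prefixes)


def classify_paths(paths, expected_prefixes=EXPECTED_PREFIXES):
    """Sort a package file list into suspicious buckets.

    Returns {"pseudo_fs": [...], "unexpected": [...]}: paths under a
    pseudo-filesystem mount, and paths outside the expected install prefix.
    An empty result means the package only touches where it should.
    """
    findings = {"pseudo_fs": [], "unexpected": []}
    for raw in paths:
        path = raw.strip()
        if not path:
            continue
        if _under(path, PSEUDO_FS_PREFIXES):
            findings["pseudo_fs"].append(path)
        elif not _under(path, expected_prefixes):
            findings["unexpected"].append(path)
    return findings


def list_rpm_files(rpm_path):
    """Query the file list of an .rpm on disk; -qlp reads the package, it does not install."""
    proc = subprocess.run(["rpm", "-qlp", rpm_path], check=True,
                          capture_output=True, text=True)
    return proc.stdout.splitlines()


# Constructed sample file list, modelled on the poster's description of the package.
SAMPLE_FILE_LIST = """\
/usr/local/bin/gyach
/usr/local/share/gyachi
/usr/local/share/gyachi/pixmaps
/selinux/context
"""

if __name__ == "__main__":
    for bucket, hits in classify_paths(SAMPLE_FILE_LIST.splitlines()).items():
        for hit in hits:
            print(f"{bucket}: {hit}")
```

On a real package, replace the constructed list with list_rpm_files("path/to/package.rpm"); a /selinux entry in a messaging client's package is exactly what this flags.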
 
Old 03-03-2006, 08:40 AM   #5
Hungry ghost
Ok, after some research on google for this /selinux/context file when using checkinstall, I found this:

http://www.cs.johncabot.edu/~min/linux/fc4.html#check

Anyway, I don't get why checkinstall has to create this /selinux/context file in the packages it builds.