On Mon, Jun 16, 2014 at 1:08 PM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
> Not a concern with regex. It just will not work. The examples you have
> seen online were not using equivalence. They were using generic labelling.
>
> On 06/16/2014 01:35 PM, Richard Shaw wrote:
>> On Mon, Jun 16, 2014 at 12:19 PM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
>>> I think your post install should look like.
>>>
>>> On 06/12/2014 10:14 AM, Richard Shaw wrote:
>>>> On Thu, Jun 12, 2014 at 6:56 AM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
>>>>> Please open a bugzilla for the SELinux issues.
>>>>>
>>>>>> The full unifi software is java with a mongodb database backend and
>>>>>> works fine. I have a RPM I created, the only problem I haven't been
>>>>>> able to fix is the selinux issues, one for the private mongodb
>>>>>> instance, and then the ports it binds to.
>>>>
>>>> Before I open a BZ, here's what I have in my spec file which from what
>>>> I understand should be persistent...
>>>>
>>>> %posttrans
>>>> /usr/sbin/semanage fcontext -e /var/lib/mongod "/var/lib/unifi/logs(/.*)?"
>>>> /usr/sbin/semanage fcontext -e /var/lib/mongod "/var/lib/unifi/data(/.*)?"
>>>> /usr/sbin/semanage port -m -t mongod_port_t 27117
>>>>
>>>> Or should this be handled in a policy?
>>>>
>>>> Thanks,
>>>> Richard
>>>
>>> /usr/sbin/semanage fcontext -e /var/log/mongod "/var/lib/unifi/logs"
>>> /usr/sbin/semanage fcontext -e /var/lib/mongod "/var/lib/unifi/data"
>>>
>>> Don't use the regex. Also I would figure the logs should be labeled
>>> mongod_log_t rather than mongod_lib_t.
>>>
>>> /usr/sbin/semanage port -m -t mongod_port_t 27117
>>
>> What is the concern with regex? Is it specific to packaging? Most of the
>> examples I found online used that method... As far as the label, since
>> everything is getting dumped in /var/lib I figured that would be OK.
>
> Equivalence tells SELinux to swap the second part of the path with the
> first. Your code would only match file paths that began with
> /var/lib/unifi/logs(/.*?) Not /var/lib/unifi/logs/foobar.log
>
> Yes
>
> If this is a standard location for this code, we should put it into the
> base package.

There is not a standard install location, the install will "work" as long
as everything stays in the same relative location (the unifi directory).
Since it writes a lot of stuff I figured /var was the best (only?) real
option.

> That should work. You could speed it up by combining both semanage
> fcontext lines into a single transaction. Something like.
>
>> Following the example of a draft wiki I can't find anymore I had modified
>> the scripts to this instead of using %posttrans:
>>
>> %post
>> semanage fcontext -a -t mongod_var_lib_t \
>>     "%{_sharedstatedir}/unifi/logs(/.*)?" 2>/dev/null || :
>> semanage fcontext -a -t mongod_var_lib_t \
>>     "%{_sharedstatedir}/unifi/data(/.*)?" 2>/dev/null || :
>> restorecon -R %{_sharedstatedir}/unifi/logs || :
>> restorecon -R %{_sharedstatedir}/unifi/data || :
>> semanage port -m -t mongod_port_t 27117 || :
>>
>> %postun
>> if [ $1 -eq 0 ] ; then # final removal
>>     semanage fcontext -d -t mongod_var_lib_t \
>>         "%{_sharedstatedir}/unifi/logs(/.*)?" 2>/dev/null || :
>>     semanage fcontext -d -t mongod_var_lib_t \
>>         "%{_sharedstatedir}/unifi/data(/.*)?" 2>/dev/null || :
>> fi
>
> semanage -S targeted -i - << _EOF 2>/dev/null || :
> fcontext -a -t mongod_var_lib_t "%{_sharedstatedir}/unifi/logs(/.*)?"
> fcontext -a -t mongod_var_lib_t "%{_sharedstatedir}/unifi/data(/.*)?"
> _EOF

Ok, just to be clear, I still need to remove the (/.*)? parts? I found the
packaging draft I referred to:

Which shows including it.

Thanks,
Richard
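The point Walsh makes in the thread, that an equivalence entry (semanage fcontext -e) is a literal path prefix while a generic entry (semanage fcontext -a -t) is a regex, can be seen by modelling the lookup. The block below is an added illustration; it is not libselinux and not the unifi package's scriptlets. The base file_contexts table is a hand-written stand-in with only the entries needed here, the specificity ordering is an approximation of libselinux's (longest literal stem wins, local entries win ties), and the sample paths are constructed. The three tables correspond to the thread's original %posttrans, Walsh's suggested version, and the later %post scriptlet.

```python
"""Model of SELinux file-context lookup: equivalence (semanage fcontext -e)
versus generic labelling (semanage fcontext -a -t).

Added illustration only; this is not libselinux and not the unifi package's
code.  The base table, the specificity rule and the sample paths are
constructed approximations.
"""
import re

# Constructed stand-in for the distribution file_contexts: (regex, type).
BASE_FILE_CONTEXTS = [
    (r"/.*", "default_t"),
    (r"/var/.*", "var_t"),
    (r"/var/lib(/.*)?", "var_lib_t"),
    (r"/var/log(/.*)?", "var_log_t"),
    (r"/var/lib/mongod(/.*)?", "mongod_var_lib_t"),
    (r"/var/log/mongod(/.*)?", "mongod_log_t"),
]

# What each variant from the thread records in the policy store.
# Equivalence entries are (src, dst); src is a literal prefix, never a regex.
EQUIV_WITH_REGEX = [    # the original %posttrans: regex inside -e
    ("/var/lib/unifi/logs(/.*)?", "/var/lib/mongod"),
    ("/var/lib/unifi/data(/.*)?", "/var/lib/mongod"),
]
EQUIV_LITERAL = [       # Walsh's suggestion: plain paths with -e
    ("/var/lib/unifi/logs", "/var/log/mongod"),
    ("/var/lib/unifi/data", "/var/lib/mongod"),
]
GENERIC_WITH_REGEX = [  # the %post scriptlet: -a -t, regex is expected here
    (r"/var/lib/unifi/logs(/.*)?", "mongod_var_lib_t"),
    (r"/var/lib/unifi/data(/.*)?", "mongod_var_lib_t"),
]


def apply_subs(path, subs):
    """Prefix substitution as done for file_contexts.subs(_dist): src must
    match whole leading path components and is compared literally."""
    for src, dst in subs:
        if path == src or path.startswith(src + "/"):
            return dst + path[len(src):]
    return path


def _stem(regex):
    """Literal prefix of a regex, used here to rank specificity."""
    return re.match(r"[^.^$?*+()\[\]{}|\\]*", regex).group(0)


def lookup(path, subs=(), local=()):
    """Return the type `path` would receive: substitute the path, then take
    the matching rule with the longest literal stem, preferring local
    (generic -a) entries on a tie.  An approximation of libselinux ordering."""
    path = apply_subs(path, subs)
    best = None
    for prio, table in ((0, BASE_FILE_CONTEXTS), (1, local)):
        for regex, ctx in table:
            if re.fullmatch(regex, path):
                key = (len(_stem(regex)), prio)
                if best is None or key > best[0]:
                    best = (key, ctx)
    return best[1] if best else None


SAMPLE_PATHS = [  # constructed file names under the thread's directories
    "/var/lib/unifi/data/db/collection-0.wt",
    "/var/lib/unifi/logs/mongod.log",
]


def compare():
    """Label each sample path under the three variants."""
    return {
        p: {
            "equiv+regex": lookup(p, subs=EQUIV_WITH_REGEX),
            "equiv literal": lookup(p, subs=EQUIV_LITERAL),
            "generic+regex": lookup(p, local=GENERIC_WITH_REGEX),
        }
        for p in SAMPLE_PATHS
    }


if __name__ == "__main__":
    for p, result in compare().items():
        print(p)
        for variant, ctx in result.items():
            print(f"  {variant:14s} -> {ctx}")
```

Under the first variant no real file ever starts with the literal string `/var/lib/unifi/logs(/.*)?`, so the substitution never fires and both directories fall through to the generic `var_lib_t` entry, which is not the type the mongod policy is written for. The literal equivalence gives the data directory `mongod_var_lib_t` and the logs `mongod_log_t`, matching Walsh's remark about the log label; the `-a -t` rules keep their regex and label both trees `mongod_var_lib_t`.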
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org