Re: Selinux Packaging [WAS: Wifi connection issues with Intel?]

On 06/16/2014 02:15 PM, Richard Shaw wrote:
On Mon, Jun 16, 2014 at 1:08 PM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:

On 06/16/2014 01:35 PM, Richard Shaw wrote:
On Mon, Jun 16, 2014 at 12:19 PM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:

On 06/12/2014 10:14 AM, Richard Shaw wrote:
On Thu, Jun 12, 2014 at 6:56 AM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
The full unifi software is java with a mongodb database backend and works fine. I have an RPM I created; the only problem I haven't been able to fix is the SELinux issues: one for the private mongodb instance, and then the ports it binds to.
Please open a bugzilla for the SELinux issues.

Before I open a BZ, here's what I have in my spec file which, from what I understand, should be persistent...

%posttrans
/usr/sbin/semanage fcontext -e /var/lib/mongod "/var/lib/unifi/logs(/.*)?"
/usr/sbin/semanage fcontext -e /var/lib/mongod "/var/lib/unifi/data(/.*)?"
/usr/sbin/semanage port -m -t mongod_port_t 27117

Or should this be handled in a policy?

Thanks,
Richard


I think your post install should look like this:

/usr/sbin/semanage fcontext -e /var/log/mongod "/var/lib/unifi/logs"
/usr/sbin/semanage fcontext -e /var/lib/mongod "/var/lib/unifi/data"
/usr/sbin/semanage port -m -t mongod_port_t 27117

Don't use the regex. Also I would figure the logs should be labeled mongod_log_t rather than mongod_lib_t.

What is the concern with regex?

Is it specific to packaging? Most of the examples I found online used that method... As far as the label, since everything is getting dumped in /var/lib I figured that would be OK.


Not a concern with regex; it just will not work. The examples you have seen online were not using equivalence. They were using generic labelling.

Equivalence tells SELinux to swap the second part of the path with the first. Your code would only match file paths that began with /var/lib/unifi/logs(/.*)?, not /var/lib/unifi/logs/foobar.log.

If this is a standard location for this code, we should put it into the base package.

There is not a standard install location, the install will "work" as long as everything stays in the same relative location (the unifi directory). Since it writes a lot of stuff I figured /var was the best (only?) real option. 

Yes

Following the example of a draft wiki I can't find anymore I had modified the scripts to this instead of using %posttrans:
%post
semanage fcontext -a -t mongod_var_lib_t \
    "%{_sharedstatedir}/unifi/logs(/.*)?" 2>/dev/null || :
semanage fcontext -a -t mongod_var_lib_t \
    "%{_sharedstatedir}/unifi/data(/.*)?" 2>/dev/null || :
restorecon -R %{_sharedstatedir}/unifi/logs || :
restorecon -R %{_sharedstatedir}/unifi/data || :
semanage port -m -t mongod_port_t 27117 || :

%postun
if [ $1 -eq 0 ] ; then  # final removal
semanage fcontext -d -t mongod_var_lib_t \
    "%{_sharedstatedir}/unifi/logs(/.*)?" 2>/dev/null || :
semanage fcontext -d -t mongod_var_lib_t \
    "%{_sharedstatedir}/unifi/data(/.*)?" 2>/dev/null || :
fi


That should work. You could speed it up by combining both semanage fcontext lines into a single transaction. Something like:

semanage -S targeted -i - 2>/dev/null << _EOF || :
fcontext -a -t mongod_var_lib_t "%{_sharedstatedir}/unifi/logs(/.*)?"
fcontext -a -t mongod_var_lib_t "%{_sharedstatedir}/unifi/data(/.*)?"
_EOF

Ok, just to be clear, I still need to remove the (/.*)? parts? I found the packaging draft I referred to:


Which shows including it.

Thanks,
Richard


If you use the "-e" option, you do not use them; if you are using the "-a" option, you do.

Your first message said you used

/usr/sbin/semanage fcontext -e /var/lib/mongod "/var/lib/unifi/logs(/.*)?"
/usr/sbin/semanage fcontext -e /var/lib/mongod "/var/lib/unifi/data(/.*)?"

Which is wrong because you used the "-e".

Your second email said you were doing:

semanage fcontext -d -t mongod_var_lib_t \
    "%{_sharedstatedir}/unifi/logs(/.*)?" 2>/dev/null || :
semanage fcontext -d -t mongod_var_lib_t \
    "%{_sharedstatedir}/unifi/data(/.*)?" 2>/dev/null || :

Which used the "-a", which was correct; it needs the regex.

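As an added illustration of the -e versus -a distinction discussed in this thread (not code from any of the posts), the following constructed shell model replays both lookups: an equivalence entry is a literal prefix swap, a regular entry is a whole-path regex match. The type names are the thread's; the rule table and file paths are constructed.

```shell
# Constructed model of the two semanage fcontext mechanisms the thread
# contrasts; the rule table below is illustrative, not read from a policy.

# Regex rules as "REGEX TYPE", one per line. The file-context regex is
# anchored to the whole path, which grep -x also does.
REGEX_RULES='
/var/lib/mongod(/.*)? mongod_var_lib_t
/var/log/mongod(/.*)? mongod_log_t
'

# regex_matches REGEX PATH: succeeds only if REGEX matches the entire PATH.
regex_matches() {
  printf '%s\n' "$2" | grep -Eqx -- "$1"
}

# lookup_type PATH: type of the first matching regex rule, or <<none>>.
lookup_type() {
  found='<<none>>'
  while read -r regex type; do
    [ -n "$regex" ] || continue
    if regex_matches "$regex" "$1"; then found=$type; break; fi
  done <<EOF
$REGEX_RULES
EOF
  printf '%s\n' "$found"
}

# equiv_rewrite TARGET SUBST PATH: "-e TARGET SUBST" semantics. SUBST is a
# literal path prefix (no regex) that is swapped for TARGET before lookup.
equiv_rewrite() {
  case $3 in
    "$2"|"$2"/*) rest=${3#"$2"}; printf '%s%s\n' "$1" "$rest" ;;
    *) printf '%s\n' "$3" ;;
  esac
}

# label_via_equiv TARGET SUBST PATH: label that "semanage fcontext -e" yields.
label_via_equiv() {
  lookup_type "$(equiv_rewrite "$1" "$2" "$3")"
}

# label_via_regex REGEX TYPE PATH: label that "semanage fcontext -a -t TYPE
# REGEX" yields (the added rule is consulted before the base table).
label_via_regex() {
  if regex_matches "$1" "$3"; then printf '%s\n' "$2"; else lookup_type "$3"; fi
}

# A regex handed to -e never matches a real log file; the literal -e form does.
label_via_equiv /var/lib/mongod '/var/lib/unifi/logs(/.*)?' /var/lib/unifi/logs/foobar.log
label_via_equiv /var/log/mongod /var/lib/unifi/logs /var/lib/unifi/logs/foobar.log
label_via_regex '/var/lib/unifi/logs(/.*)?' mongod_var_lib_t /var/lib/unifi/logs/foobar.log
```

The first call prints <<none>>, the second mongod_log_t and the third mongod_var_lib_t, which is exactly the difference between the two spec-file variants in the thread.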

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org