On 10/12/2011 09:00 AM, Fulko Hew wrote:
> On Mon, Sep 19, 2011 at 4:01 PM, Fulko Hew <fulko.hew@xxxxxxxxx> wrote:
>> On Mon, Sep 19, 2011 at 3:32 PM, Eric Paris <eparis@xxxxxxxxxx> wrote:
>>> On Mon, 2011-09-19 at 14:49 -0400, Fulko Hew wrote:
>>>
>>>> If so... why use chcon versus the semanage/restorecon
>>>> technique? or if my assessment is wrong... can someone point
>>>> me to a better explanation/tutorial?
>>
>> ... snip ...
>>
>>> So semanage+restorecon == will last, chcon == will likely get
>>> blown away and make you angry later.
>>
>> Thanks for confirming that for me.
>
> Sorry to take a long time for a further followup. I made the
> changes to my RPM spec file, and it works, but...
>
> The processing sure takes a long time... Whereas 'installing' the
> files is a quick procedure (seconds), my subsequent selinux
> commands take _minutes_ to process.
>
> Surely the other packages can't be using this combo of commands
> inside their spec files to handle selinux mode/attribute setting
> during installation (because they don't take this long to
> install).
>
> There has to be a better way/faster way.
>
> What I have right now is:
>
> if [ -x /usr/sbin/selinuxenabled ] && selinuxenabled; then   # if it exists and can be run
>     setsebool -P httpd_can_network_connect=1                 # then enable this ability
>     setsebool -P httpd_enable_cgi=1                          # this one should normally be on...
> fi                                                            # but force it because _we_ need it!
>
> if semanage fcontext -a -t httpd_sys_script_exec_t "/var/www/html/nia/scripts/.*" 2>/dev/null; then
>     restorecon -v /var/www/html/nia/scripts/* 2>/dev/null
> fi
> if semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/nia/tmp" 2>/dev/null; then
>     restorecon -v /var/www/html/nia/tmp 2>/dev/null
> fi
> # needed for RHEL 5.6 & GraphViz access to the fonts
> if semanage fcontext -a -t httpd_sys_content_t "/var/cache/fontconfig/.*" 2>/dev/null; then
>     restorecon -v /var/cache/fontconfig/* 2>/dev/null
> fi
>

First I would work with the selinux-policy package to incorporate things like labels into the base package.

Please do not set labels on directories that are not included in your package. /var/cache/fontconfig should not be labeled as apache content.

Multiple semanage commands can be run within a single transaction. For example, setting multiple booleans is done in the xguest post install:

semanage -S targeted -i - << _EOF
boolean -m --on allow_polyinstantiation
boolean -m --on xguest_connect_network
boolean -m --on xguest_mount_media
boolean -m --on xguest_use_bluetooth
_EOF

And you can mix and match your commands:

semanage -S targeted -i - << _EOF
boolean -m --on httpd_can_network_connect
boolean -m --on httpd_enable_cgi
fcontext -a -t httpd_sys_rw_content_t "/var/www/html/nia/tmp(/.*)?"
fcontext -a -t httpd_sys_script_exec_t "/var/www/html/nia/scripts(/.*)?"
_EOF

If you want to allow apache to read files labeled fonts_cache_t, then you should install a policy module with those allow rules.

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
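Putting the single-transaction advice from the reply above into a %post helper, as an added example that is not code from this thread or from Fedora packaging: the batch covers only paths the package itself owns, the `(/.*)?` pattern labels each directory and its contents, and the whole store is rebuilt once rather than once per setsebool/semanage call. The function names and the web root path are assumptions.

```shell
#!/bin/sh
# Added example (not Fulko's spec file or the reply's code). Function
# names and the /var/www/html/nia web root are assumed for illustration.

# Emit the semanage command list for the package's own paths only;
# "(/.*)?" matches the directory itself and everything below it.
build_semanage_batch() {
    webroot="$1"
    cat <<EOF
boolean -m --on httpd_can_network_connect
boolean -m --on httpd_enable_cgi
fcontext -a -t httpd_sys_rw_content_t "${webroot}/tmp(/.*)?"
fcontext -a -t httpd_sys_script_exec_t "${webroot}/scripts(/.*)?"
EOF
}

# Apply the batch in one transaction, only when SELinux is present and
# enabled: a host without SELinux must not fail the RPM install.
# Return codes: 0 applied, 2 skipped (no SELinux), 1 a command failed.
apply_selinux_config() {
    webroot="$1"
    if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then
        build_semanage_batch "$webroot" | semanage -S targeted -i - || return 1
        # Relabel recursively so the new fcontext entries take effect now,
        # instead of globbing "dir/*" which skips the directory itself.
        restorecon -R "$webroot" || return 1
        return 0
    fi
    return 2
}

# Spec file usage (kept as a comment so the helper can be sourced):
# %post
# apply_selinux_config /var/www/html/nia || :
```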