Re: change Selinux context in %post?


 



On 02/05/2014 08:24 PM, Richard Shaw wrote:
> Are there official guidelines on how to handle selinux contexts in packaging? I can still only find the draft which
> seems way more complicated than necessary for my needs.
>
> I'm working on a package that uses mongodb internally (runs its own instance). Selinux is complaining because it has
> mongodb creating the database (and logs) outside of the normal locations.
>
> I think I can fix this with a "chcon -t mongod_var_lib_t %{_sharedstatedir}/db/location" and "chcon -t mongod_log_t
> /log/path" or something like that.
>
> Is it a good idea to do this in %post?

I do not think there is a general guideline.

As others suggested - it is a bad idea to call chcon explicitly. You should rather write your own selinux policy (it is not that hard, really) and call restorecon or fixfiles.

You should not call it in %post because the selinux policy can be loaded after your %post. The story about this is a little bit longer and boring. The conclusion is - do that in %posttrans.

You can get some inspiration e.g. in:
https://git.fedorahosted.org/cgit/copr.git/tree/copr.spec
https://git.fedorahosted.org/cgit/copr.git/tree/selinux


--
Miroslav Suchy, RHCE, RHCDS
Red Hat, Senior Software Engineer, #brno, #devexp, #fedora-buildsys
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
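
The approach recommended in the reply above, sketched as a spec fragment. This is an added example, not part of the original message and not taken from the copr packaging it links to. The package name `myapp`, the paths `/var/lib/myapp/db` and `/var/log/myapp`, and the module file location are assumptions; the two `mongod_*` types are the ones named in the question.

```spec
# Added illustration. "myapp", /var/lib/myapp/db and /var/log/myapp are
# hypothetical; substitute the package's real name and paths.
#
# The package ships a compiled policy module, myapp.pp, installed (assumption)
# as %{_datadir}/selinux/packages/myapp.pp. Its file-context source, myapp.fc,
# maps the non-standard locations to the existing mongod types:
#   /var/lib/myapp/db(/.*)?   gen_context(system_u:object_r:mongod_var_lib_t,s0)
#   /var/log/myapp(/.*)?      gen_context(system_u:object_r:mongod_log_t,s0)
# The matching myapp.te must require both types from the distribution policy.

Requires(post):      policycoreutils
Requires(posttrans): policycoreutils
Requires(postun):    policycoreutils

%post
# Load the module so the labelling rules become part of the policy.
# No relabelling here: the policy may not be fully loaded at this point.
/usr/sbin/semodule -i %{_datadir}/selinux/packages/myapp.pp || :

%posttrans
# The transaction is finished, so relabel from policy instead of using chcon.
/sbin/restorecon -R /var/lib/myapp/db /var/log/myapp || :

%postun
# $1 is 0 on final removal and 1 on upgrade: unload the module only on removal,
# then let restorecon return any remaining files to their default labels.
if [ $1 -eq 0 ]; then
    /usr/sbin/semodule -r myapp || :
    /sbin/restorecon -R /var/lib/myapp/db /var/log/myapp || :
fi
```

Because the labels come from policy rather than from a one-off `chcon`, `restorecon` or a full `fixfiles` relabel later reproduces them instead of reverting them.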




