On Thu, Feb 6, 2014 at 2:49 AM, Miroslav Suchý <msuchy@xxxxxxxxxx> wrote:
> On 02/05/2014 08:24 PM, Richard Shaw wrote:
> > Are there official guidelines on how to handle SELinux contexts in packaging? I can still only find the draft, which
> > seems way more complicated than necessary for my needs.
> I do not think there is a general guideline.
> > I'm working on a package that uses mongodb internally (runs its own instance). SELinux is complaining because it has
> > mongodb creating the database (and logs) outside of the normal locations.
> > I think I can fix this with a "chcon -t mongod_var_lib_t %{_sharedstatedir}/db/location" and "chcon -t mongod_log_t
> > /log/path" or something like that.
> > Is it a good idea to do this in %post?
> As others suggested, it is a bad idea to call chcon explicitly. You should rather write your own SELinux policy (it is not that hard, really) and call restorecon or fixfiles.
Got it.
> You should not call it in %post because the SELinux policy can be loaded after your %post. The story about this is a little bit longer and boring. The conclusion is: do that in %posttrans.
Ok, good to know.
> You can get some inspiration e.g. in:
> https://git.fedorahosted.org/cgit/copr.git/tree/copr.spec
> https://git.fedorahosted.org/cgit/copr.git/tree/selinux
Thanks!
I've gotten this far on my own. I used semanage and some google-fu to come up with this that seems to fix the problem. I'm not sure if there's a better way (i.e. a more "least privilege" route) but I have the following in file_contexts.local:
/var/lib/unifi/logs(/.*)? system_u:object_r:mongod_var_lib_t:s0
/var/lib/unifi/data(/.*)? system_u:object_r:mongod_var_lib_t:s0
And the port problem in ports.local:
portcon tcp 27117 system_u:object_r:mongod_port_t:s0
Now, how to turn that into a policy file...
Thanks,
Richard
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
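The step Richard is asking about at the end (turning the file_contexts.local and ports.local entries into a policy module, and wiring it into the spec so that restorecon runs in %posttrans) is shown below as an added example. It is not code from this thread, nor from the unifi or copr packages: the module name "unifi", the -selinux subpackage layout and the build_module/lookup_context helpers are assumptions made here; the types, paths and port number are the ones quoted in the message.

```shell
#!/bin/sh
# Added example; not code from this thread, nor from the unifi or copr packages.
# It turns the two file_contexts.local lines and the ports.local line quoted
# above into a loadable SELinux policy module plus the RPM scriptlets that
# install it. The module name "unifi" and the -selinux subpackage layout are
# assumptions; the types, paths and port number are the ones from the thread.
set -u

MODULE=unifi                                   # assumed module name
PORT=27117                                     # mongod port from the thread
DATA_DIRS="/var/lib/unifi/logs /var/lib/unifi/data"

# unifi.fc: the same two patterns Richard put in file_contexts.local, shipped
# in the module so that semodule -i registers them and restorecon applies
# them. A chcon label is not recorded anywhere and is lost on relabel.
write_fc() {
    cat <<EOF
/var/lib/unifi/logs(/.*)?    system_u:object_r:mongod_var_lib_t:s0
/var/lib/unifi/data(/.*)?    system_u:object_r:mongod_var_lib_t:s0
EOF
}

# unifi.te in raw checkmodule syntax (no refpolicy m4 macros). It only
# *requires* mongod's existing type, so no new domain or permission is
# created: mongod keeps exactly the access it already has and these
# directories simply become more places it may use. The port is not declared
# here because checkmodule does not accept portcon in a loadable module;
# semanage port in the scriptlets records the same mapping in ports.local.
write_te() {
    cat <<EOF
module ${MODULE} 1.0;

require {
    type mongod_var_lib_t;
}
EOF
}

# RPM scriptlets for a %{name}-selinux subpackage. restorecon runs in
# posttrans, not post, because the module may only be loaded later in the
# same transaction; labelling earlier can silently apply the old contexts.
write_scriptlets() {
    cat <<EOF
%post selinux
semodule -i %{_datadir}/selinux/packages/${MODULE}.pp 2>/dev/null || :
semanage port -a -t mongod_port_t -p tcp ${PORT} 2>/dev/null || :

%posttrans selinux
restorecon -R ${DATA_DIRS} 2>/dev/null || :

%postun selinux
if [ \$1 -eq 0 ]; then
    semanage port -d -t mongod_port_t -p tcp ${PORT} 2>/dev/null || :
    semodule -r ${MODULE} 2>/dev/null || :
fi
EOF
}

# Pure-shell stand-in for matchpathcon(1): prints the context the .fc above
# assigns to a path, or nothing when no pattern matches (the real tools then
# fall back to the parent directory's pattern or default_t).
lookup_context() {
    write_fc | while read -r pattern ctx; do
        if printf '%s\n' "$1" | grep -Eq "^${pattern}\$"; then
            echo "$ctx"
            break
        fi
    done
}

# Compile the module when the SELinux userspace tools are installed; on a
# machine without them, only the .te and .fc sources are written.
build_module() {
    write_te > "$1/${MODULE}.te"
    write_fc > "$1/${MODULE}.fc"
    if command -v checkmodule >/dev/null 2>&1 && command -v semodule_package >/dev/null 2>&1; then
        checkmodule -M -m -o "$1/${MODULE}.mod" "$1/${MODULE}.te" &&
        semodule_package -o "$1/${MODULE}.pp" -m "$1/${MODULE}.mod" -f "$1/${MODULE}.fc" &&
        echo "built $1/${MODULE}.pp"
    else
        echo "checkmodule/semodule_package not found; wrote $1/${MODULE}.te and .fc only" >&2
    fi
}

workdir=$(mktemp -d)
build_module "$workdir" || true
write_scriptlets
```

After the package is installed, `matchpathcon /var/lib/unifi/data` and `ls -dZ /var/lib/unifi/data` should both report mongod_var_lib_t, and `semanage port -l | grep mongod` should list 27117. Note that the patterns label only the two mongod directories, not all of /var/lib/unifi; the rest of the package's state keeps its default label, which is the narrowest grant that still lets mongod create its database and logs there.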