Re: change Selinux context in %post?

On Tue, Feb 11, 2014 at 9:43 AM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:

On 02/06/2014 12:44 PM, Richard Shaw wrote:
> On Thu, Feb 6, 2014 at 11:37 AM, Daniel J Walsh <dwalsh@xxxxxxxxxx
> <mailto:dwalsh@xxxxxxxxxx>> wrote:
>
> On 02/06/2014 02:39 PM, Richard Shaw wrote:
>> On Thu, Feb 6, 2014 at 2:49 AM, Miroslav Suchý <msuchy@xxxxxxxxxx
> <mailto:msuchy@xxxxxxxxxx>> wrote:
>>
>>> On 02/05/2014 08:24 PM, Richard Shaw wrote:
>>>
>>>> Are there official guidelines on how to handle selinux contexts in
>>>> packaging? I can still only find the draft which seems way more
>>>> complicated than necessary for my needs.
>>>>
>>>> I'm working on a package that uses mongodb internally (runs its own
>>>> instance). Selinux is complaining because it has mongodb creating
>>>> the database (and logs) outside of the normal locations
> You need to tell SELinux about the labels.
>
> semanage fcontext -e /var/lib/mysql PATHTO/mysql
> restorecon -R -v PATHTO/mysql
>
> Is probably what you want.
>
>
> Ok, I ended up getting to the same place using "-a mongod_var_lib_t"... Now
> how to turn that into a policy I can package?
>
> I ended up with this as the requirements to create a functional package:
>
> /var/lib/unifi/logs(/.*)?    system_u:object_r:mongod_var_lib_t:s0
> /var/lib/unifi/data(/.*)?    system_u:object_r:mongod_var_lib_t:s0
> portcon tcp 27117 system_u:object_r:mongod_port_t:s0
>
>
Most likely the better solution would have been

/var/lib/unifi/logs(/.*)?    system_u:object_r:mongod_log_t:s0

That would probably work, I just used mongod_var_lib_t because it writes the logs in /var/lib instead of /var/log. As long as it works I'm not terribly picky. 


Should these go into Fedora Policy?

Well, if this was a package destined for the Fedora repository I would ask, what reasons/requirements need to be met to have the policy go into the upper level Fedora policy and when should it go directly in the package itself?

Since this is not FOSS software (however useful and required to manage the devices) it's destined for RPM Fusion non-free so I'm guessing it needs to go into the package itself.

Thanks,
Richard
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
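
The labelling discussed in this thread, written as a helper for a package's %post and %postun scriptlets. This is an added example, not code from the thread or from the package; the function names, the DRY_RUN switch and the RULES layout are assumptions, while the paths, types and port 27117 are the ones quoted above.

```sh
#!/bin/sh
# Added example: SELinux labelling helper for RPM scriptlets.
# Paths, types and port 27117 are from the thread; the function names,
# DRY_RUN switch and RULES layout are assumptions of this example.
# Logs use mongod_log_t (the reply's suggestion); mongod_var_lib_t also worked.

# One rule per line: kind, target, SELinux type.
RULES='fcontext /var/lib/unifi/data(/.*)? mongod_var_lib_t
fcontext /var/lib/unifi/logs(/.*)? mongod_log_t
port 27117 mongod_port_t'

# With DRY_RUN=1, print the command (unquoted, for review) instead of running it.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Add a local rule; on upgrade it already exists, so fall back to modify.
add_or_modify() {
    obj=$1; shift
    if [ "${DRY_RUN:-0}" = 1 ]; then
        run semanage "$obj" -a "$@"
    else
        semanage "$obj" -a "$@" 2>/dev/null || semanage "$obj" -m "$@"
    fi
}

# Call from %post.
selinux_install() {
    printf '%s\n' "$RULES" | while read -r kind target type; do
        case $kind in
            fcontext) add_or_modify fcontext -t "$type" "$target" ;;
            port)     add_or_modify port -t "$type" -p tcp "$target" ;;
        esac
    done
    run restorecon -R /var/lib/unifi
}

# Call from %postun when $1 is 0 (final erase, not upgrade).
selinux_remove() {
    printf '%s\n' "$RULES" | while read -r kind target type; do
        case $kind in
            fcontext) run semanage fcontext -d "$target" ;;
            port)     run semanage port -d -t "$type" -p tcp "$target" ;;
        esac
    done
}
```

Running the functions with DRY_RUN=1 lists the semanage and restorecon calls without touching the local policy, which is useful for reviewing the scriptlet on a build host.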
