On 02/11/2014 03:23 PM, Richard Shaw wrote:
> On Tue, Feb 11, 2014 at 9:43 AM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
>
> On 02/06/2014 12:44 PM, Richard Shaw wrote:
>> On Thu, Feb 6, 2014 at 11:37 AM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
>>
>> On 02/06/2014 02:39 PM, Richard Shaw wrote:
>>> On Thu, Feb 6, 2014 at 2:49 AM, Miroslav Suchý <msuchy@xxxxxxxxxx> wrote:
>>>
>>>> On 02/05/2014 08:24 PM, Richard Shaw wrote:
>>>>
>>>>> Are there official guidelines on how to handle selinux contexts in
>>>>> packaging? I can still only find the draft which seems way more
>>>>> complicated than necessary for my needs.
>>>>>
>>>>> I'm working on a package that uses mongodb internally (runs its
>>>>> own instance). Selinux is complaining because it has mongodb
>>>>> creating the database (and logs) outside of the normal locations
>> You need to tell SELinux about the labels.
>>
>> semanage fcontext -e /var/lib/mysql PATHTO/mysql
>> restorecon -R -v PATHTO/mysql
>>
>> Is probably what you want.
>>
>>
>> Ok, I ended up getting to the same place using "-a mongod_var_lib_t"...
>> Now how to turn that into a policy I can package?
>>
>> I ended up with this as the requirements to create a functional package:
>>
>> /var/lib/unifi/logs(/.*)? system_u:object_r:mongod_var_lib_t:s0
>> /var/lib/unifi/data(/.*)? system_u:object_r:mongod_var_lib_t:s0
>> portcon tcp 27117 system_u:object_r:mongod_port_t:s0
>>
>>
> Most likely the better solution would have been
>
> /var/lib/unifi/logs(/.*)? system_u:object_r:mongod_log_t:s0
>
>
> That would probably work, I just used mongod_var_lib_t because it writes
> the logs in /var/lib instead of /var/log. As long as it works I'm not
> terribly picky.
>
>
> Should these go into Fedora Policy?
>
>
> Well, if this was a package destined for the Fedora repository I would ask,
> what reasons/requirements need to be met to have the policy go into the
> upper level Fedora policy and when should it go directly in the package
> itself?
>
> Since this is not FOSS software (however useful and required to manage the
> devices) it's destined for RPM Fusion non-free so I'm guessing it needs to
> go into the package itself.
>
> Thanks, Richard
>
>
If these paths make sense, we can add the labels to the Fedora Policy. It
does not have to be FOSS Software to be in the policy package.

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
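
Added example, not part of the thread and not code from any participant: one way to carry the three rules quoted above in a package is as local `semanage` customizations emitted at install and removal time. The function name `selinux_cmds` and the `LOG_TYPE` and `APPLY` variables are hypothetical, and using local customizations instead of a compiled policy module is an assumption.

```shell
#!/bin/sh
# Added example: print (or, with APPLY=1, run) the semanage/restorecon
# commands matching the file-context and portcon rules quoted in the thread.
DATA_TYPE=mongod_var_lib_t
PORT_TYPE=mongod_port_t
PORT=27117
ROOT=/var/lib/unifi

selinux_cmds() {
    # Assumption: default to the poster's type for the logs directory;
    # the reply in the thread suggests LOG_TYPE=mongod_log_t instead.
    log_type=${LOG_TYPE:-mongod_var_lib_t}
    case "$1" in
        install|remove) ;;
        *) echo "usage: selinux_cmds install|remove" >&2; return 2 ;;
    esac
    # One "regex type" pair per line, mirroring the quoted file-context entries.
    printf '%s\n' "$ROOT/logs(/.*)? $log_type" "$ROOT/data(/.*)? $DATA_TYPE" |
    while read -r regex type; do
        # Single-quote the regex: ( ) ? * are shell metacharacters.
        if [ "$1" = install ]; then
            printf "semanage fcontext -a -t %s '%s'\n" "$type" "$regex"
        else
            printf "semanage fcontext -d '%s'\n" "$regex"
        fi
    done
    if [ "$1" = install ]; then
        printf 'semanage port -a -t %s -p tcp %s\n' "$PORT_TYPE" "$PORT"
    else
        printf 'semanage port -d -p tcp %s\n' "$PORT"
    fi
    # Relabel existing files so they pick up (or drop) the local rules.
    printf 'restorecon -R -v %s\n' "$ROOT"
}

# Dry run by default; APPLY=1 executes the commands (root and
# policycoreutils required), stopping at the first failure.
if [ "${APPLY:-0}" = 1 ]; then
    selinux_cmds "${1:-install}" | sh -e
else
    selinux_cmds "${1:-install}"
fi
```

Running the script with `remove` prints the matching cleanup commands, so the local rules do not outlive the package.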