On Thu, Nov 23, 2017 at 10:21 AM, Lukas Vrabec <lvrabec@xxxxxxxxxx> wrote:
> On 11/23/2017 10:17 AM, Javier Martinez Canillas wrote:
>>
>> Hello,
>>
>> On Fri, Oct 20, 2017 at 2:12 PM, Lukas Vrabec <lvrabec@xxxxxxxxxx> wrote:
>>
>> [snip]
>>
>>>
>>> Hello community,
>>> We, as Red Hat SELinux team, apologise for recent delays with our answers
>>> to your requests and questions related to SELinux. We have been quite busy
>>> last couple of weeks so we decided to set a lower priority for Fedora work.
>>> We already responded and resolved what was needed and we are ready to react
>>> more flexibly in the future.
>>>
>>> Note: If you are interested in writing custom SELinux policy for your
>>> package, you can follow the
>>> https://fedoraproject.org/wiki/SELinux/IndependentPolicy documentation on
>>> wiki.
>>>
>>
>> To update the tpm2-abrmd [0] package to the latest version, I need to
>> add a SELinux policy due to recent upstream changes in the upstream
>> project. But after reading the documents referred in this thread, it is
>> still not clear to me if the preferred method nowadays is to propose
>> adding the SELinux policy to the system wide selinux-policy package or
>> to ship a custom SELinux security module for the package.
>>
>
>
> Hi,
>
> SELinux policy for this project is already existing? If not I can help you

It doesn't exist in Fedora yet, so currently the tpm2-abrmd daemon
runs in an unconfined domain. A policy module was added to the project
repo [0] though, but I don't know how correct it is (I'm not a SELinux
expert).

The specific problem is that now the daemon uses sockets to
communicate with a library, but the dbus-daemon in the system bus
isn't allowed to read/write to sockets created by processes in an
unconfined domain. It used pipes before and that was allowed.

> with creating policy for this project. From SELinux team it's preferred to

No worries, I think I can sort it out using the SELinux policy in the
tpm2-abrmd repo as a base. I just asked since it wasn't clear to me which
approach was preferred.

> add policy to your package. Guidelines how to do that is in progress to be
> part of rpm packaging guidelines.
>

Awesome, I'll re-read [1] then and add the policy to the package.

Thanks a lot for your help!

> Lukas.
>

[0]: https://github.com/intel/tpm2-abrmd/pull/205/commits/3621742344534a5d0d5d255d1d5bc698f3d39a57
[1]: https://fedoraproject.org/wiki/SELinux/IndependentPolicy

Best regards,
Javier