On Wed, 2007-05-09 at 17:25 +0200, Till Maas wrote:
> On Wed May 9 2007, Karl MacMillan wrote:
>
> > It's not and for applications like this you aren't likely to avoid
> > executing writable memory. You should set the context correctly to allow
> > executable memory (chcon -t unconfined_execmem_exec_t). Eventually we
> > should avoid hard-coding contexts in the rpms but there is currently no
> > better solution.
>
> There are some drafts in:
> http://fedoraproject.org/wiki/PackagingDrafts/SELinux
>
> Which at least make these changes persistent.

Persistent is not quite right - using semanage (or a policy module) makes
the changes survive a full relabel of the system. A chcon is persistent
(across reboots and such) until the context is explicitly changed.

> As far as I understand selinux, when someone disables it, all the
> contexts that were created in %post with chcon are lost.

Not quite - disabling doesn't lose any contexts. The problem is that during
the normal course of running the system some file labels are changed or
files are created without a label. When selinux is turned on again a full
relabel of the filesystem is done to correct these problems. If the custom
file context wasn't added to the database of file contexts (via a module or
semanage) the file is set to the default label.

> Also I am not sure, whether or not they get lost, after a policy-update,
> but I think I saw this happen once. The method described in the
> PackagingDraft which I followed with the following files:
>
> VirtualBox-OSE.te
> policy_module(VirtualBox-OSE, 1.0.0)
>
> VirtualBox-OSE.fc
> @VBOXINSTDIR@/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
>
> and the scriptlets there, at least works, but it is imho much too
> complicated.

This is only needed if you have a policy for that application. Just to
change a file context it seems unnecessary. Semanage should be workable.

> And when using semanage it is afaik impossible to change a
> selinux-configuration or remove it, because of the ordering
> of %post(un) %pre(un).
>

Not sure what you mean - you should be able to run semanage in a post.
Perhaps you would also need to do chcon (as opposed to restorecon) because
the command may not have run before the file was created.

> In conclusion, there should first be some methods and (better
> (documented)) rpm support, before demanding that all packages should
> support selinux. E.g. what does "%policy" in "%files" do?
>

I agree that those packaging guidelines should be reviewed, improved where
necessary, and adopted. However, most packages do not need any special
selinux support.

Paul / Dan - how should we proceed with those guidelines.

Karl

> Regards,
> Till
>

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
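Added example, not from the thread or the packaging draft: spec scriptlets that register the textrel_shlib_t file context through semanage (so it survives a full relabel) and remove it only on a real erase, which is the %post/%postun ordering problem raised above. The install directory %{_libdir}/VirtualBox and the policycoreutils dependency are assumptions; the thread only shows the @VBOXINSTDIR@ placeholder.

```spec
# Assumed: semanage and restorecon come from policycoreutils.
Requires(post):   policycoreutils
Requires(postun): policycoreutils

%post
# Record the regex-to-type mapping in the local file-context database;
# unlike a bare chcon, this entry is re-applied by a full relabel.
# '|| :' keeps the scriptlet from failing when SELinux is disabled.
semanage fcontext -a -t textrel_shlib_t \
    '%{_libdir}/VirtualBox/.*\.so' 2>/dev/null || :
# Apply the new mapping to the files just installed (they already exist
# at this point, so restorecon is enough; chcon is not required).
restorecon -R %{_libdir}/VirtualBox 2>/dev/null || :

%postun
# On upgrade rpm runs the new package's %post before the old package's
# %postun. $1 is 0 only on erase, so the context is not deleted from the
# database during an upgrade, which is the ordering concern in the thread.
if [ $1 -eq 0 ]; then
    semanage fcontext -d -t textrel_shlib_t \
        '%{_libdir}/VirtualBox/.*\.so' 2>/dev/null || :
fi
```

To check the result on an installed system, `semanage fcontext -l -C` lists only the local customizations, and `ls -Z` on the library directory confirms the type after a `restorecon` or a relabel.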