Paul Howarth wrote:
> On Fri, 07 Nov 2008 09:53:18 -0500
> Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
>
>> Jerry James wrote:
>>> 2008/11/7 yersinia <yersinia.spiros@xxxxxxxxx>:
>>>> Does this document look useful?
>>>>
>>>> http://fedoraproject.org/wiki/PackagingDrafts/SELinux/PolicyModules
>>> Thank you. That is a very useful document. However, it does not
>>> appear to answer my question. I need a non-default security context
>>> for binaries that are both built and executed in the %build script,
>>> when the policy module has not yet been installed. It appears to me
>>> that there are only two ways to accomplish this: keep abusing
>>> java_exec_t like I have been, or get a GCL policy incorporated into
>>> selinux-policy* prior to building GCL. Am I wrong? Is there some
>>> other option? Does anyone have any guidance to offer me on which
>>> option to pursue? Thanks,
>> I would go with the chcon solution you have but instead of hard coding
>> the java_exec_t, I would execute
>>
>> You can get the context of the final destination of the file using
>>
>> chcon `matchpathcon -n /usr/bin/gcl` LOCALPATH/gcl
>>
>> Which seems to be a fine way of doing this.
>
> Indeed, but it needs the context type for /usr/bin/gcl to be set to
> java_exec_t or equivalent in the selinux-policy package before it'll
> work.
>
> Paul.
>

+/usr/bin/gcl -- gen_context(system_u:object_r:execmem_exec_t,s0)

Will be in selinux-policy-3.5.13-19.fc10
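
Review bot: the added entry for /usr/bin/gcl carries no comment saying why this binary gets execmem_exec_t, so a one-line comment above it in the file-contexts file would help the next person who audits which executables are granted that type. The `--` field also limits the match to a regular file at exactly /usr/bin/gcl, so a symlink at that path, or a real executable installed somewhere else, would not pick up the type; it is worth confirming against the package's file list that the regular file lands at this path.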
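
The matchpathcon/chcon lookup suggested above, combined with a check for the caveat Paul raises (the loaded policy must already map /usr/bin/gcl to the wanted type), as an added example that is not part of the original thread. The helper name `label_like`, the overridable tool variables and the optional expected-type argument are assumptions of this example.

```shell
#!/bin/sh
# Added example. Tool names are overridable (assumption of this example) so
# the helper can be exercised on a host without the SELinux utilities.
MATCHPATHCON=${MATCHPATHCON:-matchpathcon}
CHCON=${CHCON:-chcon}
SELINUXENABLED=${SELINUXENABLED:-selinuxenabled}

# label_like DEST BUILT [WANT_TYPE]   (hypothetical helper name)
#   DEST       path the file will have once installed, e.g. /usr/bin/gcl
#   BUILT      the freshly built file in the build tree
#   WANT_TYPE  optional: type the policy is expected to assign to DEST
# Returns 0 if labelled (or SELinux is off), 1 on error, 2 if the loaded
# policy does not give DEST the expected type yet.
label_like() {
    dest=$1; built=$2; want=${3:-}
    [ -f "$built" ] || { echo "label_like: $built: no such file" >&2; return 1; }

    # Build host without SELinux: nothing to label.
    "$SELINUXENABLED" 2>/dev/null || return 0

    # -n prints only the context, not the path.
    ctx=$("$MATCHPATHCON" -n "$dest" 2>/dev/null) || return 1
    case $ctx in
        ''|'<<none>>')
            echo "label_like: policy has no context for $dest" >&2
            return 2 ;;
    esac

    # Context is user:role:type[:level]; field 3 is the type.
    ctype=$(printf '%s\n' "$ctx" | cut -d: -f3)
    if [ -n "$want" ] && [ "$ctype" != "$want" ]; then
        echo "label_like: $dest maps to $ctype, expected $want;" \
             "is the updated selinux-policy installed?" >&2
        return 2
    fi

    "$CHCON" "$ctx" "$built"
}

# In %build (LOCALPATH as in the message above):
#   label_like /usr/bin/gcl LOCALPATH/gcl execmem_exec_t
```

Failing the build on return code 2 makes a stale selinux-policy on the build host visible instead of silently leaving the binary with the default label.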