On Tue, 2006-03-14 at 10:29 +0000, Paul Howarth wrote:
> Is there any documentation anywhere on including SELinux Policy Modules
> in packages (e.g. for Extras) in FC5? For instance, is there a directory
> where modules can be dropped into so that they get picked up
> automatically? Where should they live?

Yes, this would be useful to document in the Fedora SELinux wiki.

Ideally, policy for a given software package should live in its own
package on which the software package depends so that the package manager
will install (and thus load) the policy before it tries to unpack the
software package (thereby ensuring that any necessary file types are
already defined in the kernel policy), e.g. package foo would depend on
foo-policy. Not certain where the foo-policy package should drop its
policy module, possibly under /usr/share/selinux/foo, and then it can
install it by running semodule -i from its %post scriptlet.

> Consider an example. I have an LDAP-backed addressbook frontend written
> in PHP that runs on apache. So I install the files in /var/www/someplace
> in my package and I need to provide an SELinux module that:
>
> * Includes the appropriate file contexts for the application's cache
>   directory, which needs to be writable by httpd
> * Gives httpd permission to contact LDAP servers over the network (i.e.
>   ports 389 and 636)
>
> Is it possible to turn on the httpd_builtin_scripting boolean from a
> module (the app is written in PHP and needs this)? Is it even sensible
> to try to do this, or should there just be a README.SELinux telling
> people they need to do this themselves?

Not sure if enabling the boolean is the right model there vs. "calling"
an interface from your module to enable those rules unconditionally when
your module is loaded, because you want the behavior reverted if/when
your module is removed but other modules might likewise want the same
rules or the admin may have a local customization already. The
foo-policy package could certainly call setsebool -P from %post, but I
doubt that is the right approach.

> Should the module be loaded in a %post script?

Yes, but ideally from a foo-policy package on which foo depends, so that
it is loaded before unpacking foo (so that the file contexts can be set
down properly).

> Some guidelines would no doubt be appreciated by many people.

-- 
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
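The following is an added example, written for this page and not code from either poster or from Fedora: a script that lays out what a "foo-policy" package for the PHP/LDAP addressbook case above would ship (foo.te, foo.fc, and the %post/%postun scriptlets), takes the "call an interface, don't flip a boolean" route for the LDAP ports, and loads the module from %post as the reply recommends. Everything named here is an assumption about the hypothetical foo package: the /var/www/someplace/cache path, the foo_cache_t type, the /usr/share/selinux/foo drop location, and the reference-policy interfaces and permission-set macros (files_type, corenet_tcp_connect_ldap_port, corenet_tcp_sendrecv_ldap_port, manage_dir_perms, manage_file_perms) that I expect selinux-policy-devel of that era to provide.

```shell
#!/bin/sh
# Added example (not from the thread or from Fedora): the sources a
# hypothetical foo-policy package would carry. All names are assumptions.

# Type-enforcement source. LDAP access is granted by calling a reference
# policy interface instead of running setsebool -P: the rules then live
# and die with the module (semodule -i / semodule -r) and do not disturb
# a boolean the admin may already have set locally.
write_foo_te() {
    cat > "$1/foo.te" <<'EOF'
policy_module(foo, 1.0)

gen_require(`
	type httpd_t;
')

# Cache directory written by PHP code running inside httpd_t itself
# (httpd_builtin_scripting), so httpd_t needs full access to it.
type foo_cache_t;
files_type(foo_cache_t)

allow httpd_t foo_cache_t:dir manage_dir_perms;
allow httpd_t foo_cache_t:file manage_file_perms;

# Outbound LDAP/LDAPS: tcp/389 and tcp/636 are both labelled ldap_port_t
# (assumed interface names from the reference policy).
corenet_tcp_sendrecv_ldap_port(httpd_t)
corenet_tcp_connect_ldap_port(httpd_t)
EOF
}

# File contexts. Because foo would Require: foo-policy, this module is
# already loaded when rpm unpacks foo, so the cache directory gets
# foo_cache_t at unpack time without a separate restorecon.
write_foo_fc() {
    cat > "$1/foo.fc" <<'EOF'
/var/www/someplace/cache(/.*)?	gen_context(system_u:object_r:foo_cache_t,s0)
EOF
}

# Spec-file scriptlets for foo-policy: load in %post, remove in %postun
# only on erase ($1 = 0), not on upgrade, so the kernel policy tracks
# what is installed. %{_datadir}/selinux/foo is the assumed drop location.
write_foo_scriptlets() {
    cat > "$1/foo-policy.spec.fragment" <<'EOF'
%post
if [ -x /usr/sbin/semodule ]; then
    /usr/sbin/semodule -i %{_datadir}/selinux/foo/foo.pp 2>/dev/null || :
fi

%postun
if [ $1 -eq 0 ] && [ -x /usr/sbin/semodule ]; then
    /usr/sbin/semodule -r foo 2>/dev/null || :
fi
EOF
}

# Compile foo.te + foo.fc into the loadable foo.pp using the devel
# Makefile from selinux-policy-devel. Returns 2 when that toolchain is
# absent so the rest of the script still works elsewhere.
build_foo_module() {
    [ -f /usr/share/selinux/devel/Makefile ] || return 2
    ( cd "$1" && make -f /usr/share/selinux/devel/Makefile foo.pp )
}

# Sanity-check a generated layout: prints "ok" when all three sources are
# present and foo.te grants exactly the two things the question asked for.
check_foo_layout() {
    for f in foo.te foo.fc foo-policy.spec.fragment; do
        [ -s "$1/$f" ] || { echo "missing $f"; return 1; }
    done
    grep -q 'allow httpd_t foo_cache_t:dir manage_dir_perms;' "$1/foo.te" \
        || { echo "no cache rule"; return 1; }
    grep -q 'corenet_tcp_connect_ldap_port(httpd_t)' "$1/foo.te" \
        || { echo "no ldap rule"; return 1; }
    grep -q 'foo_cache_t' "$1/foo.fc" \
        || { echo "no file context"; return 1; }
    echo ok
}

# Demo run: write the sources into a scratch directory and try to build.
workdir=$(mktemp -d "${TMPDIR:-/tmp}/foo-policy.XXXXXX")
write_foo_te "$workdir"
write_foo_fc "$workdir"
write_foo_scriptlets "$workdir"
check_foo_layout "$workdir"
build_foo_module "$workdir" || echo "selinux-policy-devel not installed; foo.pp not built in $workdir"
```

On a box with selinux-policy-devel installed, the build step produces foo.pp in the scratch directory, which is what foo-policy would install under /usr/share/selinux/foo and load from %post. The %postun guard on $1 matters: without it an upgrade of foo-policy would unload the module between the old package's removal and the new one's %post.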