Stephen Smalley wrote:
> On Tue, 2006-03-14 at 10:29 +0000, Paul Howarth wrote:
> > Is there any documentation anywhere on including SELinux Policy Modules
> > in packages (e.g. for Extras) in FC5? For instance, is there a directory
> > where modules can be dropped into so that they get picked up
> > automatically? Where should they live?
> Yes, this would be useful to document in the Fedora SELinux wiki.
> Ideally, policy for a given software package should live in its own
> package on which the software package depends so that the package
> manager will install (and thus load) the policy before it tries to
> unpack the software package (thereby ensuring that any necessary file
> types are already defined in the kernel policy), e.g. package foo would
> depend on foo-policy. Not certain where the foo-policy package should
> drop its policy module, possibly under /usr/share/selinux/foo, and then
> it can install it by running semodule -i from its %post scriptlet.
I've tried this and it doesn't quite work as I expected.
I have a main package "contagged" and a subpackage "contagged-policy".
The "contagged" package has:
Requires: contagged-policy = %{version}-%{release}
Requires(pre): contagged-policy = %{version}-%{release}
This ensures that the policy package is installed before the main
package, and hangs around as long as the main package itself.
The policy package dumps policy in
%{_datadir}/selinux/packages/contagged and uses scriptlets to handle
module insertion and removal:
%post policy
[ -x /usr/sbin/semodule ] && /usr/sbin/semodule -i %{_datadir}/selinux/packages/contagged/contagged.pp || :

%postun policy
[ $1 -eq 0 ] && [ -x /usr/sbin/semodule ] && /usr/sbin/semodule -r contagged || :
The only thing the policy module is actually doing is specifying a file
context in contagged.fc:
/var/cache/contagged(/.*)?    gen_context(system_u:object_r:httpd_cache_t,s0)
If contagged-policy is installed first, and then the contagged package
is installed (separate rpm transactions), the file contexts get set up
as expected. However, if both are done in the same RPM transaction, the
packages get installed in the right order (and there is a noticeable
delay after installing the policy subpackage where semodule is being
called) but the context for directory /var/cache/contagged is left as
system_u:object_r:var_t. I suspect that the reason for this is that rpm
installs the files for all packages in the transaction and sets their
file contexts before running (presumably in order) the %post scripts for
the packages.
This rather defeats the purpose of having the separate -policy package,
since I need to use restorecon to fix the file contexts at post-install
time in case both packages are installed in the same transaction (a
likely scenario). I could do this equally well using a single package,
but it's untidy (I have to specify the pathnames that need non-standard
contexts in both the .fc policy file and as an argument to restorecon in
%post). I really prefer the separate package solution, but I think that
would need changes in rpm, which might be hard to get done.
Any thoughts?
Paul.
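The untidiness Paul describes (listing the same paths both in contagged.fc and as restorecon arguments in %post) can be avoided by deriving the restorecon targets from the .fc file that the -policy package already ships. The following is an added example, not code from the thread or from the contagged package; it assumes the .fc file is installed next to the .pp (for instance under %{_datadir}/selinux/packages/contagged/) and that each spec starts with a literal path followed by an optional regex tail such as (/.*)?, as in the quoted line. The sample .fc content is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): derive the restorecon targets for a
# %post scriptlet from the policy module's own .fc file, so each path is
# written once (in contagged.fc) rather than also as a restorecon argument.
# Assumption: every spec begins with a literal path prefix followed by an
# optional regex tail such as (/.*)?, [^/]+ or .*, as in the line quoted above.

# Print the literal path prefix of every file-context spec in a .fc file.
# Comment and blank lines are skipped; only the first field (the path
# regex) is used, so an optional file-type flag (--, -d, ...) is ignored.
fc_paths() {
    grep -v '^[[:space:]]*#' "$1" \
    | awk 'NF { print $1 }' \
    | sed -e 's/(.*$//' -e 's/\[.*$//' -e 's/\.\*.*$//' -e 's/[?*+]$//' \
          -e 's#\(.\)/$#\1#' \
    | sort -u
}

# Relabel everything the .fc file covers, when restorecon is available and
# the path exists. Safe in a %post that may run either before or after the
# files were unpacked in the same transaction: restorecon is a no-op when
# the labels already match the loaded policy.
relabel_from_fc() {
    fc="$1"
    [ -x /sbin/restorecon ] || return 0
    fc_paths "$fc" | while IFS= read -r p; do
        [ -e "$p" ] && /sbin/restorecon -R "$p"
    done
    return 0
}

# Constructed sample .fc for the demonstration (not the real contagged.fc);
# the first spec mirrors the line quoted in the thread.
demo_fc_file() {
    f="${TMPDIR:-/tmp}/contagged-demo.fc"
    cat > "$f" <<'EOF'
# constructed sample, not the real contagged.fc
/var/cache/contagged(/.*)?        gen_context(system_u:object_r:httpd_cache_t,s0)
/usr/share/contagged/[^/]+\.cgi   --  gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
EOF
    printf '%s\n' "$f"
}

# Stand-alone run: show which paths a %post would relabel.
fc_paths "$(demo_fc_file)"
```

In the spec this would be called from the main package's %post (after the -policy package's %post has run semodule -i) as `relabel_from_fc %{_datadir}/selinux/packages/contagged/contagged.fc`, which covers the single-transaction case without duplicating the path list. The sed pass is deliberately conservative: it keeps only the part of each spec before the first regex metacharacter, so a spec whose literal prefix ends mid-directory would be relabelled one level higher than strictly needed, which is harmless for restorecon.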
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list