Paul Howarth wrote: > Michael Thomas wrote: > >> A few packages (game server daemons) that I maintain in Fedora Extras >> would benefit from having a selinux security policy available. But >> since I'm new to writing selinux policies, I was hoping that someone >> from f-s-l could take a peek at what I did and let me know if I've done >> things correctly and in the 'recommended' way. >> >> I've already tested the policy on FC5 to make sure that it works and >> produces no 'avc denied' messages: >> >> http://www.kobold.org/~wart/fedora/crossfire-1.9.1-2.src.rpm >> >> I wasn't sure exactly which networking rules I would need. Most of the >> ones there were generated by policygentool. I also couldn't figure out >> why some of the rules at the end of crossfire.te were necessary. > > > I don't see any domain transition to crossfire_t in your policy; how > does it get into that domain? It should be there in crossfire.if, no? > Your policy file includes a comment about wanting to patch out use of > temp files; another option would be to use your own domain for temp > files, as you've done for the log files. Good point. But it looks like changing to not use /tmp will be fairly straightforward. > Did you follow the guide on Packaging/SELinux on the wiki for actually > building the module in your package? I've changed what I do for package > building since I last updated that page (and I can't update it any more) > and you'll find it won't build on rawhide as there is an > selinux-policy-devel package you need as a buildreq there. Yes, I used policygentool to generate the policy files, then your SELinux page to put it in the package. I'd like to see an official packaging policy for selinux modules for Fedora Extras, but I'm not sure that there are many FE contributors looking at selinux yet. It looks like the page has also been copied to PackagingDrafts/SELinux, where you should be able to modify it. Some things that would be nice to clarify: Should selinux be added as a subpackage or automatically included in the base package? If selinux is added as a subpackage, what should its Requires: look like (or should there even be any?) Is a single targetted policy enough, or is it necessary to build for all selinux variants (mls, strict, targeted)? > An example of the way I'm currently doing SELinux module packaging can > be found here: > > http://www.city-fan.org/~paul/extras/mod_fcgid/mod_fcgid.spec /me runs screaming from the %defines :) --Mike
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
-- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
