SELinux policy building questions

Hi,

this year we have decided to adopt SELinux as part of our standard platform.
However we also build quite a few in-house RPM packages. What we're trying to
do now is to marry those two efforts, and make those packages we build provide
SELinux policies. Admittedly we're using RHEL6 for this purpose. I have
already collected some information, and it looks like building SELinux modules
and providing them with the package is the way to go.

I have started building module from scratch based on what we had to do 
manually to get rid of SELinux warnings (running SELinux in permissive mode at 
the moment):

$ chcon -R -h -t httpd_sys_content_t -u system_u /usr/libexec/foo* 
$ chcon -R -t httpd_sys_rw_content_t -u system_u /var/lib/foo
$ setsebool -P httpd_can_network_connect_db on

which resulted in policy:

foo.fc:

/usr/libexec/foo(.*)?  gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/lib/foo    gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)

with foo.if and foo.te pretty much empty.

What I struggle with are several things:

1. Can I set a boolean's value from the policy module?

2. I had to manually relabel /usr/libexec/foo* and /var/lib/foo via "fixfiles" 
after I added policy via:

$ semodule -i foo.pp 

Can I create a module in a way that upon its activation it'll relabel all
needed pieces? (I played with semodule's "-d" and "-e" with no effect)

3. I have seen several suggestions on how to package and install .pp files 
with RPM:

http://fedoraproject.org/wiki/PackagingDrafts/SELinux
vs
http://selinuxproject.org/page/RPM

The latter seems to be more natural, at least from a logic/syntax perspective. Which
one is preferred for RHEL6? (I know it's a Fedora list, but I didn't see/find a
corresponding RHEL list, and the sysadmin@ ML is kind of low on traffic and answers
:( ).

-- 
Dmitry Makovey
Web Systems Administrator
Athabasca University
(780) 675-6245
---
Confidence is what you have before you understand the problem
    Woody Allen

When in trouble when in doubt run in circles scream and shout 
     http://www.wordwizard.com/phpbb3/viewtopic.php?f=16&t=19330


--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
