On November 23, 2011 11:45, Dmitry Makovey <dmitry@xxxxxxxxxxxxx> wrote:
> 1. can I set up boolean's value from the policy module?

If your policy module creates a new boolean, yes. But if you are setting a boolean created by another policy module, you should run "setsebool -P" from the %post section of your RPM.

> 2. I had to manually relabel /usr/libexec/foo* and /var/lib/foo via "fixfiles"
> after I added policy via:
>
> $ semodule -i foo.pp
>
> Can I create module in a way that upon its activation it'll relabel all
> needed pieces? (I played with semodule's "-d" and "-e" with no effect)

Make sure that your .fc file properly describes all of the file contexts. Then, in the %post section of your RPM, run fixfiles and (if needed) restorecon:

    /sbin/fixfiles -R myapp restore
    # %{_localstatedir} expands to /var
    /sbin/restorecon -R %{_localstatedir}/lib/foo

In other words: no, I don't know of any way to label files when the policy is loaded, you will need to install the policy module and then run fixfiles.

> 3. I have seen several suggestions on how to package and install .pp files
> with RPM:
>
> http://fedoraproject.org/wiki/PackagingDrafts/SELinux
> vs
> http://selinuxproject.org/page/RPM

This is more complicated, but I recommend
https://fedoraproject.org/wiki/SELinux_Policy_Modules_Packaging_Draft

--
Mark Montague
mark@xxxxxxxxxxx
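
The ordering described in the reply above (load the module, set any foreign boolean, then relabel), written out as the body of a %post scriptlet. This is an added example, not part of the original message and not code from the poster or from the Fedora drafts; the .pp install path, the boolean name and the DRY_RUN switch are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: body of a %post scriptlet for a package "foo".
# Assumptions: the .pp install path and the boolean name are illustrative.
MODULE_PP="/usr/share/selinux/packages/foo/foo.pp"  # assumed install location
FOREIGN_BOOL="httpd_can_network_connect"  # assumed: a boolean owned by another module
RPM_NAME="foo"                            # package whose files fixfiles relabels
EXTRA_PATHS="/usr/libexec/foo /var/lib/foo"  # paths named in the question
DRY_RUN="${DRY_RUN:-1}"                   # 1 = print the commands, 0 = run them

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

selinux_post() {
    # 1. Load the module first: its .fc entries must be in the file
    #    context database before a relabel can apply them.
    run semodule -i "$MODULE_PP" || return 1
    # 2. A boolean created by another module is set persistently here,
    #    not from inside our own module.
    run setsebool -P "$FOREIGN_BOOL" on || return 1
    # 3. Relabel only when SELinux is enabled (check skipped in dry-run mode).
    if [ "$DRY_RUN" != 1 ] && ! selinuxenabled; then return 0; fi
    # fixfiles -R covers files owned by the package; a relabel failure
    # is tolerated so it does not abort the scriptlet.
    run fixfiles -R "$RPM_NAME" restore || :
    # restorecon picks up paths the package may not own, such as data
    # created at run time.
    for p in $EXTRA_PATHS; do
        run restorecon -R "$p" || :
    done
}

selinux_post
```

With the default DRY_RUN=1 the script only prints the five commands in order; set DRY_RUN=0 when the body runs inside the real scriptlet.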