On 11/23/2011 11:45 AM, Dmitry Makovey wrote:
> Hi,
>
> this year we have decided to adopt SELinux as part of our standard
> platform. However we also build quite a few in-house RPM packages.
> What we're trying to do now is to marry those two efforts, and make
> those packages we build provide SELinux policies. Admittedly we're
> using RHEL6 for this purpose. I have already collected some
> information, and it looks like building SELinux modules and
> providing them with the package is the way to go.
>
> I have started building a module from scratch based on what we had to
> do manually to get rid of SELinux warnings (running SELinux in
> permissive mode at the moment):
>
> $ chcon -R -h -t httpd_sys_content_t -u system_u /usr/libexec/foo*
> $ chcon -R -t httpd_sys_rw_content_t -u system_u /var/lib/foo
> $ setsebool -P httpd_can_network_connect_db on
>
> which resulted in policy:
>
> foo.fc:
>
> /usr/libexec/foo(.*)?    gen_context(system_u:object_r:httpd_sys_content_t,s0)
> /var/lib/foo             gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
>
> with foo.if and foo.te pretty much empty.
>
> What I struggle with are several things:
>
> 1. Can I set a boolean's value from the policy module?
>
> 2. I had to manually relabel /usr/libexec/foo* and /var/lib/foo via
> "fixfiles" after I added the policy via:
>
> $ semodule -i foo.pp
>
> Can I create the module in a way that upon its activation it'll
> relabel all needed pieces? (I played with semodule's "-d" and "-e"
> with no effect.)
>
> 3. I have seen several suggestions on how to package and install
> .pp files with RPM:
>
> http://fedoraproject.org/wiki/PackagingDrafts/SELinux vs
> http://selinuxproject.org/page/RPM
>
> The latter seems to be more natural, at least from a logic/syntax
> perspective. Which one is preferred for RHEL6? (I know it's a Fedora
> list, but I didn't see/find a corresponding RHEL list, and the sysadmin@
> ML is kind of low on traffic and answers :( )
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux

Instead of adding a local policy module and setting a boolean, I would do this all in one step:

semanage -S targeted -i - << _EOF
boolean -m --on httpd_can_network_connect_db
fcontext -a -t httpd_sys_content_t '/usr/libexec/foo(.*)?'
fcontext -a -t httpd_sys_rw_content_t '/var/lib/foo(/.*)?'
_EOF
restorecon -R -v /usr/libexec/foo /var/lib/foo
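An added example, not from either poster, that joins the two approaches: it turns the questioner's foo.fc into the import format used in the reply, prepends the boolean, and wraps it the way an RPM %post scriptlet would run it (one semanage transaction, then restorecon instead of the manual fixfiles step). The names fc_to_semanage, build_semanage_input and selinux_post_install, the constructed /var/log/foo entry, and the RHEL6-era -f notation are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample .fc: the two entries from the question plus a
# directory-only entry to exercise the optional file-type field.
SAMPLE_FC='# foo.fc (constructed sample)
/usr/libexec/foo(.*)?    gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/lib/foo(/.*)?       gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/log/foo         -d  gen_context(system_u:object_r:httpd_log_t,s0)
'

# Read a refpolicy-style .fc on stdin and print one "fcontext -a" line per
# entry in the format "semanage -i -" takes. A file-type field (--, -d, -c,
# ...) is passed through to -f unchanged; RHEL6-era semanage uses the same
# notation for -f as .fc files do (assumption). Malformed entries abort.
fc_to_semanage() {
    awk -v q="'" '
        /^[[:space:]]*#/ || NF == 0 { next }      # skip comments and blanks
        {
            path = $1; ctx = $NF; ftype = ""
            if (NF == 3 && $2 ~ /^-/) ftype = " -f " $2
            if (ctx !~ /^gen_context\(/) {
                print "fc_to_semanage: bad entry: " $0 > "/dev/stderr"; exit 1
            }
            sub(/^gen_context\(/, "", ctx); sub(/\)$/, "", ctx)
            split(ctx, f, "[:,]")                  # user:role:type,level
            printf "fcontext -a%s -t %s %s%s%s\n", ftype, f[3], q, path, q
        }'
}

# Full import for one semanage transaction: booleans to enable, then the
# file contexts from the .fc on stdin.
# Usage: build_semanage_input httpd_can_network_connect_db < foo.fc
build_semanage_input() {
    for b in "$@"; do printf 'boolean -m --on %s\n' "$b"; done
    fc_to_semanage
}

# What an RPM %post scriptlet would run (hypothetical name and paths):
# apply the whole import at once, then relabel the paths it covers, which
# replaces the manual fixfiles step from the question.
selinux_post_install() {
    fc="$1"; shift
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled; then
        build_semanage_input "$@" < "$fc" | semanage -S targeted -i -
        restorecon -R -v /usr/libexec/foo /var/lib/foo /var/log/foo
    fi
}

# Stand-alone run only prints the generated import; nothing is modified.
printf '%s' "$SAMPLE_FC" | build_semanage_input httpd_can_network_connect_db
```

Because the import is generated from the same .fc the module is built from, the package's file contexts stay in one place whether it ships a .pp or uses semanage directly.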