On 02/14/2014 08:42 AM, Fulko Hew wrote:
> I made a package a long time ago, and over the years I've been adding new
> features, but the correct? support of SELinux has always eluded me.
> Occasionally I encounter problems with new versions of Fedora and RHEL.
> Recently I was asked to support the installation of my RPM on RHEL 6
> systems, and I find that there are new SELinux feature/requirements.
>
> It's probably me, but I haven't found any instructions/how-tos that have
> really helped (me) in providing the steps for testing and making a package
> SELinux compatible. I have something that works on older releases, but
> I've probably done it wrong.
>
> There's lots of documentation about its concepts, but not anything that has
> helped me in porting.
>
> Scenario:
>
> Given a working RPM (with SELinux disabled)... what would the process be
> (with examples) of turning SELinux on, attempting to install and run the
> various applications, viewing security logs, and turning any errors
> detected into correct config files/commands that can be included in a
> spec-file/package.
>
> Thanks
>
> Fulko
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux

SELinux is a labeling system. You need to make sure any content that you
provide to confined services is labeled correctly. The way you do this is by
using a command like

semanage fcontext ...

in a post install and then using restorecon to fix the labels.

SELinux also has the concept of booleans which allow users to modify the
policy on the system. Depending on what your app wants to do you might need
to modify a boolean.

Finally SELinux expects network ports to match some defaults. If you want to
change the default Network Port then you have to tell SELinux about this.

semanage port ...

SELinux error messages are stored in /var/log/audit/audit.log and are called
avc messages.

ausearch -m avc -ts recent

Can show you recent avc messages that your system received.
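An added example, not part of the original message: a shell function that reads AVC records in the format printed by `ausearch -m avc -ts recent` and maps each distinct denial to the kind of fix the reply names (file label, network port, or boolean review). The daemon name `myappd`, the `httpd_t` domain, the `/opt/myapp` path, port 9123 and the `getsebool -a` hint are assumptions for illustration, the sample records are constructed, and `TYPE` is a placeholder for the SELinux type the packager chooses.

```shell
#!/bin/sh
# Added example: map AVC denials to the kind of fix each one points to.
# TYPE is a placeholder: choosing the SELinux type is the packager's decision.

# Constructed sample in the format printed by `ausearch -m avc -ts recent`
# (hypothetical daemon "myappd" running as httpd_t; paths and port are made up).
sample_avcs() {
cat <<'EOF'
type=AVC msg=audit(1392385320.123:456): avc:  denied  { getattr } for  pid=1234 comm="myappd" path="/opt/myapp/data/index.db" dev=dm-0 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1392385325.500:460): avc:  denied  { getattr } for  pid=1240 comm="myappd" path="/opt/myapp/data/index.db" dev=dm-0 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1392385321.456:457): avc:  denied  { name_bind } for  pid=1234 comm="myappd" src=9123 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1392385322.789:458): avc:  denied  { execmem } for  pid=1234 comm="myappd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process
EOF
}

# Reads AVC records on stdin and prints one line per distinct denial.
triage_avcs() {
  awk '
  function field(key,   i, p, v) {        # value of key=... in this record
    for (i = 1; i <= NF; i++) {
      p = index($i, "=")
      if (p && substr($i, 1, p - 1) == key) {
        v = substr($i, p + 1); gsub(/"/, "", v); return v
      }
    }
    return ""
  }
  function setype(ctx,   c) { split(ctx, c, ":"); return c[3] }
  /avc: +denied/ {
    a = index($0, "{ "); b = index($0, " }")
    perm = substr($0, a + 2, b - a - 2)
    dom = setype(field("scontext")); tgt = setype(field("tcontext"))
    cls = field("tclass"); path = field("path")
    if (cls ~ /^(file|dir|lnk_file)$/ && path != "") {
      if (cls != "dir") sub("/[^/]*$", "", path)   # label the containing dir
      fix = "semanage fcontext -a -t TYPE \"" path "(/.*)?\"; restorecon -R " path
    } else if (cls ~ /_socket$/ && perm ~ /^name_(bind|connect)$/) {
      port = field(perm == "name_bind" ? "src" : "dest")
      fix = "semanage port -a -t TYPE -p " (cls == "udp_socket" ? "udp" : "tcp") " " port
    } else {
      fix = "not a label or port issue; review booleans (getsebool -a)"
    }
    line = dom " denied { " perm " } on " tgt ":" cls " => " fix
    if (!seen[line]++) print line
  }'
}

# On a real host: ausearch -m avc -ts recent | triage_avcs
sample_avcs | triage_avcs
```

The printed `semanage` and `restorecon` lines are the ones that would go into the package's post-install scriptlet once `TYPE` is filled in.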