On Fri, Feb 14, 2014 at 8:58 AM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
On 02/14/2014 08:42 AM, Fulko Hew wrote:
> I made a package a long time ago, and over the years I've been adding new
> features, but the correct? support of SELinux has always eluded me.
> Occasionally I encounter problems with new versions of Fedora and RHEL.
> Recently I was asked to support the installation of my RPM on RHEL 6
> systems, and I find that there are new SELinux features/requirements.
>
> It's probably me, but I haven't found any instructions/how-tos that have
> really helped (me) in providing the steps for testing and making a package
> SELinux compatible. I have something that works on older releases, but
> I've probably done it wrong.
>
> There's lots of documentation about its concepts, but not anything that has
> helped me in porting.
>
> Scenario:
>
> Given a working RPM (with SELinux disabled)... what would the process be
> (with examples) of turning SELinux on, attempting to install and run the
> various applications, viewing security logs, and turning any errors
> detected into correct config files/commands that can be included in a
> spec-file/package.
>
> Thanks
>
> Fulko
SELinux is a labeling system. You need to make sure any content that you
provide to confined services is labeled correctly. The way you do this is by
using a command like semanage fcontext ... in a post install and then using
restorecon to fix the labels.
SELinux also has the concept of booleans which allow users to modify the
policy on the system. Depending on what your app wants to do you might need to
modify a boolean.
Finally SELinux expects network ports to match some defaults. If you want to
change the default Network Port then you have to tell SELinux about this.
semanage port ...
SELinux error messages are stored in /var/log/audit/audit.log and called avc
messages.
ausearch -m avc -ts recent
Can show you recent avc messages that your system received.
For now, my spec file has a bunch of semanage/restorecon command pairs,
for such things as:
semanage fcontext -a -t httpd_sys_script_exec_t myFile
semanage fcontext -a -t httpd_sys_rw_content_t myOtherFile
semanage fcontext -a -t httpd_sys_content_t yetOtherFiles
a) Is this the 'right' way to do it?
b) an example of the new error/warning is:
Feb 13 14:37:58 livecd kernel: type=1400 audit(1392320278.129:151): avc: denied { name_connect } for pid=4517 comm="view_status.pl" dest=27395 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
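An added example, not code from either message in this thread: a POSIX sh script that covers the two halves of the exchange above. The first half generates the semanage fcontext / restorecon pairs a spec file's %post needs (and the matching %postun removals so rules do not linger after an erase); the second half pulls the fields out of an AVC denial line and says which SELinux knob (file label, port label, or boolean) it points at. The package paths under /opt/mypkg and /var/lib/mypkg and the <port_type> placeholder are assumptions; the sample denial is the one posted above, embedded here as a constructed input.

```shell
#!/bin/sh
# Added example for the thread above; paths and package name are placeholders.

# --- Part 1: file labels for a package (the semanage/restorecon pairs) -------

# "<type> <path regex>". The (/.*)? suffix covers the directory and everything
# created under it later, so runtime-created files pick up the label too.
label_rules() {
    cat <<'EOF'
httpd_sys_script_exec_t /opt/mypkg/cgi-bin(/.*)?
httpd_sys_rw_content_t /var/lib/mypkg/state(/.*)?
httpd_sys_content_t /opt/mypkg/htdocs(/.*)?
EOF
}

# Strip the (/.*)? suffix to get the real directory restorecon should walk.
rule_dir() {
    printf '%s\n' "$1" | sed 's|(/\.\*)?$||'
}

# Commands for %post: record the rule in the policy store, then relabel what
# is on disk. Printed, not executed, so the script is safe to run anywhere.
post_commands() {
    label_rules | while read -r type regex; do
        printf "semanage fcontext -a -t %s '%s'\n" "$type" "$regex"
        printf "restorecon -R '%s'\n" "$(rule_dir "$regex")"
    done
}

# Commands for %postun on a full erase ($1 = 0 in the spec): undo %post.
postun_commands() {
    label_rules | while read -r type regex; do
        printf "semanage fcontext -d -t %s '%s'\n" "$type" "$regex"
    done
}

# --- Part 2: reading an AVC denial (what ausearch -m avc -ts recent prints) --

# Constructed sample: the denial quoted in the thread, verbatim.
SAMPLE_AVC='Feb 13 14:37:58 livecd kernel: type=1400 audit(1392320278.129:151): avc: denied { name_connect } for pid=4517 comm="view_status.pl" dest=27395 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket'

# avc_field LINE KEY -> value of KEY=... with surrounding quotes removed.
# The leading whitespace anchor keeps "scontext" from matching "tcontext".
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE -> the (first) permission inside the { } of the denial.
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^} ]*\).*/\1/p'
}

# ctx_type CONTEXT -> the type field of user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_kind LINE -> port | file | other: which kind of fix to look at first.
avc_kind() {
    perm=$(avc_perm "$1")
    tclass=$(avc_field "$1" tclass)
    ttype=$(ctx_type "$(avc_field "$1" tcontext)")
    case "$tclass:$perm:$ttype" in
        tcp_socket:name_connect:port_t|tcp_socket:name_bind:port_t|udp_socket:name_bind:port_t)
            echo port ;;
        file:*|dir:*|lnk_file:*|sock_file:*|fifo_file:*)
            echo file ;;
        *)  echo other ;;
    esac
}

# avc_suggest LINE -> one-line hint for the admin; <port_type>/<type>/<path>
# are placeholders to be filled in from the policy, not literal values.
avc_suggest() {
    case "$(avc_kind "$1")" in
        port)
            echo "port $(avc_field "$1" dest) only has the generic port_t label: if it is your service's port, label it (semanage port -a -t <port_type> -p tcp <port>), otherwise look for a boolean that permits the connection" ;;
        file)
            echo "check the object's label with ls -Z, then fix it with semanage fcontext -a -t <type> '<path>' and restorecon" ;;
        *)
            echo "no file or port label applies; review the booleans with getsebool -a" ;;
    esac
}

# Demo when run directly.
echo "# %post"; post_commands
echo "# %postun"; postun_commands
echo "# denial: $(avc_perm "$SAMPLE_AVC") by $(avc_field "$SAMPLE_AVC" comm) ($(ctx_type "$(avc_field "$SAMPLE_AVC" scontext)"))"
avc_suggest "$SAMPLE_AVC"
```

Two practical notes: semanage ships in a different package from restorecon (policycoreutils-python on RHEL 6), so a spec that calls it in %post has to Require that package; and an fcontext rule only takes effect on existing files once restorecon has run, which is why the pairs are emitted together.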