On 02/14/2014 09:17 AM, Fulko Hew wrote:
> On Fri, Feb 14, 2014 at 8:58 AM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
>
> On 02/14/2014 08:42 AM, Fulko Hew wrote:
>> I made a package a long time ago, and over the years I've been adding
>> new features, but the correct? support of SELinux has always eluded me.
>> Occasionally I encounter problems with new versions of Fedora and RHEL.
>> Recently I was asked to support the installation of my RPM on RHEL 6
>> systems, and I find that there are new SELinux features/requirements.
>>
>> It's probably me, but I haven't found any instructions/how-tos that have
>> really helped (me) in providing the steps for testing and making a
>> package SELinux compatible. I have something that works on older
>> releases, but I've probably done it wrong.
>>
>> There's lots of documentation about its concepts, but not anything that
>> has helped me in porting.
>>
>> Scenario:
>>
>> Given a working RPM (with SELinux disabled)... what would the process be
>> (with examples) of turning SELinux on, attempting to install and run the
>> various applications, viewing security logs, and turning any errors
>> detected into correct config files/commands that can be included in a
>> spec-file/package.
>>
>> Thanks
>>
>> Fulko
>>
> SELinux is a labeling system. You need to make sure any content that you
> provide to confined services is labeled correctly. The way you do this is
> by using a command like semanage fcontext ... in a post install and then
> using restorecon to fix the labels.
>
> SELinux also has the concept of booleans which allow users to modify the
> policy on the system. Depending on what your app wants to do you might need
> to modify a boolean.
>
> Finally SELinux expects network ports to match some defaults. If you want
> to change the default Network Port then you have to tell SELinux about
> this.
>
> semanage port ...
>
> SELinux error messages are stored in /var/log/audit/audit.log and called
> avc messages.
>
> ausearch -m avc -ts recent
>
> Can show you recent avc messages that your system received.
>
>
> For now, my spec file has a bunch of semanage/restorecon command pairs, for
> such things as:
>
> semanage fcontext -a -t httpd_sys_script_exec_t myFile
> semanage fcontext -a -t httpd_sys_rw_content_t myOtherFile
> semanage fcontext -a -t httpd_sys_content_t yetOtherFiles
>
> a) Is this the 'right' way to do it?
>
Well you can combine these into a single transaction, which would speed it up.

semanage -S targeted -i - << _EOF
boolean -m --on allow_polyinstantiation
boolean -m --on xguest_connect_network
boolean -m --on xguest_mount_media
boolean -m --on xguest_use_bluetooth
_EOF

This is what the xguest package does.

> b) an example of the new error/warning is:
>
> Feb 13 14:37:58 livecd kernel: type=1400 audit(1392320278.129:151): avc:
> denied { name_connect } for pid=4517 comm="view_status.pl" dest=27395
> scontext=unconfined_u:system_r:httpd_sys_script_t:s0
> tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
>
Well in a perfect world you would write policy for your cgi script, using a
tool like sepolgen or sepolicy generate, depending on whether you are
shipping in RHEL6 or Fedora.

You could also turn on the httpd_can_network_connect boolean which would
allow apache processes to connect to any ports.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
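An added example for this thread (not code posted by Dan or Fulko) that turns the advice above into a %post-style script: file-context and port rules are declared once, fed to a single `semanage -i -` transaction, then written onto the files with restorecon; the second half reduces AVC denial lines (the one Fulko posted plus one constructed mislabeled-file case) to the fields policy actually keys on and maps them to the remedy the thread names. The /opt/myapp paths, the tcp/8088 vhost port and the SEMANAGE override are assumptions for illustration; the SELinux types are standard targeted-policy types.

```sh
#!/bin/sh
# Added example for the selinux-list thread, not the thread's own code.
# Assumptions (illustrative only): the package installs under /opt/myapp,
# its vhost listens on tcp/8088, and SEMANAGE may be overridden (e.g.
# SEMANAGE=cat) to print the transaction instead of loading policy.

# TYPE  PATH-REGEX   (the regex form semanage fcontext stores)
FCONTEXTS='
httpd_sys_script_exec_t  /opt/myapp/cgi-bin(/.*)?
httpd_sys_rw_content_t   /opt/myapp/data(/.*)?
httpd_sys_content_t      /opt/myapp/html(/.*)?
'
# TYPE PROTO PORT   (non-default ports the confined service must bind)
PORTS='
http_port_t tcp 8088
'

# Render the commands `semanage -i -` reads, one per line.  One transaction
# compiles and loads policy once; N separate `semanage ... -a` calls do it N times.
render_semanage_tx() {
    printf '%s\n' "$FCONTEXTS" | awk 'NF == 2 { printf "fcontext -a -t %s %s\n", $1, $2 }'
    printf '%s\n' "$PORTS"     | awk 'NF == 3 { printf "port -a -t %s -p %s %s\n", $1, $2, $3 }'
}

# The directories behind the fcontext regexes, for restorecon.
fcontext_paths() {
    printf '%s\n' "$FCONTEXTS" | awk 'NF == 2 { sub(/\(\/\.\*\)\?$/, "", $2); print $2 }'
}

# %post body.  Must not fail the install where SELinux is absent (chroots,
# image builds) or when a rule already exists (upgrade).  The rules only
# live in the policy store; restorecon is what puts the labels on the inodes.
apply_selinux_post() {
    if ! selinuxenabled 2>/dev/null; then return 0; fi
    render_semanage_tx | ${SEMANAGE:-semanage} -S targeted -i - 2>/dev/null || :
    fcontext_paths | xargs restorecon -R 2>/dev/null || :
}

# Constructed samples: line 1 is the denial quoted in the thread, line 2 is
# a made-up mislabeled-content case (home-dir file served by httpd).
SAMPLE_AVC='type=1400 audit(1392320278.129:151): avc: denied { name_connect } for pid=4517 comm="view_status.pl" dest=27395 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1392320300.001:152): avc:  denied  { read } for  pid=4520 comm="httpd" name="index.html" dev=dm-0 ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# Reduce each denial to: SRC_TYPE TCLASS PERM[,PERM] -> TGT_TYPE [dest=PORT]
# User, role and MLS fields are dropped; the type is what policy is written against.
summarize_avc() {
    awk '/avc: *denied/ {
        p = $0; sub(/.*denied *[{] */, "", p); sub(/ *[}].*/, "", p); gsub(/ +/, ",", p)
        s = $0; sub(/.*scontext=/, "", s); sub(/ .*/, "", s); split(s, sa, ":")
        t = $0; sub(/.*tcontext=/, "", t); sub(/ .*/, "", t); split(t, ta, ":")
        c = $0; sub(/.*tclass=/, "", c); sub(/ .*/, "", c)
        d = ""; if (match($0, /dest=[0-9]+/)) d = " " substr($0, RSTART, RLENGTH)
        printf "%s %s %s -> %s%s\n", sa[3], c, p, ta[3], d
    }'
}

# Map a summary line to the kind of fix the thread discusses.
suggest_fix() {
    while read -r src cls perms arrow tgt dest; do
        case "$cls:$perms" in
            file:*|dir:*|lnk_file:*|sock_file:*|fifo_file:*)
                echo "$src denied $perms on $tgt: content is mislabeled; add a semanage fcontext rule and run restorecon" ;;
            tcp_socket:*name_bind*|udp_socket:*name_bind*)
                echo "$src cannot bind ${dest:-port}: semanage port -a -t <expected_type> -p <proto> <port>" ;;
            tcp_socket:*name_connect*)
                echo "$src cannot connect to $tgt $dest: a boolean (e.g. httpd_can_network_connect) or a module from audit2allow/sepolicy generate" ;;
            *)
                echo "$src denied $perms on $cls $tgt: check audit2allow -w for a boolean, else write a module" ;;
        esac
    done
}

render_semanage_tx
printf '%s\n' "$SAMPLE_AVC" | summarize_avc | suggest_fix
```

Two caveats a packager would want: `semanage fcontext -a` inside the transaction fails on a rule that already exists, so an upgrade must tolerate that (the `|| :` above), and the matching `%postun` should remove the rules with `fcontext -d` / `port -d` only on final erase (`$1 -eq 0`), not on upgrade. The posted `name_connect` denial is deliberately not answered with a port rule: relabeling port 27395 would not by itself let `httpd_sys_script_t` connect, which is why Dan points at a custom module or the `httpd_can_network_connect` boolean.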