Re: Looking for the right, but easy way to add SELinux setup into my package/RPM

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 





On Fri, Feb 14, 2014 at 9:43 AM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
On 02/14/2014 09:17 AM, Fulko Hew wrote:
> On Fri, Feb 14, 2014 at 8:58 AM, Daniel J Walsh <dwalsh@xxxxxxxxxx
> On 02/14/2014 08:42 AM, Fulko Hew wrote:
>> I made a package a long time ago, and over the years I've been adding
>> new features, but the correct? support of SELinux has always eluded me.
>> Occasionally I encounter problems with new versions of Fedora and RHEL.
>> Recently I was asked to support the installation of my RPM on RHEL 6
>> systems, and I find that there are new SELinux feature/requirements.
>>
>> Its probably me, but I haven't found any instructions/how-tos that have
>> really helped (me) in providing the steps for testing and making a
>> package SELinux compatible.  I have something that works on older
>> releases, but I've probably done it wrong.
>>
>> There's lots of documentation about its concepts, but not anything that
>> has helped me in porting.
>>
>> Scenario:
>>
>> Given a working RPM (with SELinux disabled)... what would the process be
>> (with examples) of turning SELinux on, attempting to install and run the
>> various applications, viewing security logs, and turning any errors
>> detected into correct config files/commands that can be included in a
>> spec-file/package.
>>
>> Thanks
>>
>> Fulko
 
> SELinux is a labeling system. You need to make sure any content that you
> provide to confined services is labeled correctly.  The way you do this is
> by using a command like semanage fcontext ...  in a post install and then
> using restorecon to fix the labels.
>
> SELinux also has the concept of booleans which allow users to modify the
> policy on the system.  Depending on what you app wants to do you might need
> to modify a boolean.
>
> Finally SELinux expects network ports to match some defaults.  If you want
> to change the default Network Port then you have to tell SELinux about
> this.
>
> semanage port ...
>
> SELinux error messages are stored in /var/log/audit/audit.log and called
> avc messages.
>
> ausearch -m avc -ts recent
>
> Can show you recent avc messages that your system received.
>
> For now, my spec file has a bunch of semanage/restorecon command pairs, for
> such things as:
>
> semanage fcontext -a -t httpd_sys_script_exec_t   myFile semanage fcontext
> -a -t httpd_sys_rw_content_t    myOtherFile semanage fcontext -a -t
> httpd_sys_content_t       yetOtherFiles
>
> a) Is this the 'right' way to do it?
>
Well you can combine these into a single transaction, which would speed it up.

semanage -S targeted -i - << _EOF
boolean -m --on allow_polyinstantiation
boolean -m --on xguest_connect_network
boolean -m --on xguest_mount_media
boolean -m --on xguest_use_bluetooth
_EOF

This is what the xguest package does.

I'm sorry, but I don't understand how to map your example into my values/example.

I also have a new problem.  I've been testing against F20 Live (KDE) and the
package (policycoreutils-python) that provides semanage isn't installed
so semanage isn't available when my RPM is installed.
What is the recommended approach?

a) should I make my package/.spec 'require' policycoreutils-python?
   (It would seem unusual to place that burden on package maintainers.)
b) Use some other technique to configure/distribute security info.
   (Is this where policy files come into play?)
   1. Where can I find a good example of how to create policy files
      given the contents of a .spec
   2. And, what needs to be added to a .spec so that the 'policy' is installed?


> b) an example of the new error/warning is:
>
> Feb 13 14:37:58 livecd kernel: type=1400 audit(1392320278.129:151): avc:
> denied  { name_connect } for  pid=4517 comm="view_status.pl
> <http://view_status.pl>" dest=27395
> scontext=unconfined_u:system_r:httpd_sys_script_t:s0
> tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
>
Well in a perfect world you would write policy for your cgi script. using a
tool like sepolgen or sepolicy generate, depending on whether you are shipping
in RHEL6 or Fedora.

You could also turn on the httpd_can_network_connect boolean which would allow
apache processes to connect to any ports.

I turns out that I did have code in the %post portion of my .spec to set
that boolean, but due to a bug on my part, the boolean wasn't being set
under certain conditions.
 

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux