On Fri, Feb 14, 2014 at 9:43 AM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
On 02/14/2014 09:17 AM, Fulko Hew wrote:
> On Fri, Feb 14, 2014 at 8:58 AM, Daniel J Walsh <dwalsh@xxxxxxxxxx
> On 02/14/2014 08:42 AM, Fulko Hew wrote:
>> I made a package a long time ago, and over the years I've been adding
>> new features, but the correct? support of SELinux has always eluded me.
>> Occasionally I encounter problems with new versions of Fedora and RHEL.
>> Recently I was asked to support the installation of my RPM on RHEL 6
>> systems, and I find that there are new SELinux feature/requirements.
>>
>> It's probably me, but I haven't found any instructions/how-tos that have
>> really helped (me) in providing the steps for testing and making a
>> package SELinux compatible. I have something that works on older
>> releases, but I've probably done it wrong.
>>
>> There's lots of documentation about its concepts, but not anything that
>> has helped me in porting.
>>
>> Scenario:
>>
>> Given a working RPM (with SELinux disabled)... what would the process be
>> (with examples) of turning SELinux on, attempting to install and run the
>> various applications, viewing security logs, and turning any errors
>> detected into correct config files/commands that can be included in a
>> spec-file/package.
>>
>> Thanks
>>
>> Fulko
> SELinux is a labeling system. You need to make sure any content that you
> provide to confined services is labeled correctly. The way you do this is
> by using a command like semanage fcontext ... in a post install and then
> using restorecon to fix the labels.
>
> SELinux also has the concept of booleans which allow users to modify the
> policy on the system. Depending on what your app wants to do you might need
> to modify a boolean.
>
> Finally SELinux expects network ports to match some defaults. If you want
> to change the default Network Port then you have to tell SELinux about
> this.
>
> semanage port ...
>
> SELinux error messages are stored in /var/log/audit/audit.log and called
> avc messages.
>
> ausearch -m avc -ts recent
>
> Can show you recent avc messages that your system received.
>
> For now, my spec file has a bunch of semanage/restorecon command pairs, for
> such things as:
>
> semanage fcontext -a -t httpd_sys_script_exec_t myFile
> semanage fcontext -a -t httpd_sys_rw_content_t myOtherFile
> semanage fcontext -a -t httpd_sys_content_t yetOtherFiles
>
> a) Is this the 'right' way to do it?
>
Well you can combine these into a single transaction, which would speed it up.
semanage -S targeted -i - << _EOF
boolean -m --on allow_polyinstantiation
boolean -m --on xguest_connect_network
boolean -m --on xguest_mount_media
boolean -m --on xguest_use_bluetooth
_EOF
This is what the xguest package does.
I'm sorry, but I don't understand how to map your example into my values/example.
I also have a new problem. I've been testing against F20 Live (KDE) and the
package (policycoreutils-python) that provides semanage isn't installed
so semanage isn't available when my RPM is installed.
What is the recommended approach?
a) should I make my package/.spec 'require' policycoreutils-python?
(It would seem unusual to place that burden on package maintainers.)
b) Use some other technique to configure/distribute security info.
(Is this where policy files come into play?)
1. Where can I find a good example of how to create policy files
given the contents of a .spec
2. And, what needs to be added to a .spec so that the 'policy' is installed?
> b) an example of the new error/warning is:
>
> Feb 13 14:37:58 livecd kernel: type=1400 audit(1392320278.129:151): avc:
> denied { name_connect } for pid=4517 comm="view_status.pl" dest=27395
> scontext=unconfined_u:system_r:httpd_sys_script_t:s0
> tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
>
Well in a perfect world you would write policy for your cgi script, using a
tool like sepolgen or sepolicy generate, depending on whether you are shipping
in RHEL6 or Fedora.
You could also turn on the httpd_can_network_connect boolean which would allow
apache processes to connect to any ports.
It turns out that I did have code in the %post portion of my .spec to set
that boolean, but due to a bug on my part, the boolean wasn't being set
under certain conditions.
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
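The single-transaction form Daniel describes, turned into a %post-style script that also copes with semanage not being installed, as an added example that is not part of the thread; the package paths, file types and boolean name are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the file contexts and booleans a
# package needs into ONE semanage transaction (the "-i -" form), applies it
# only if semanage is installed, then relabels the files with restorecon.
# The paths, types and boolean below are assumptions for illustration.

# Hypothetical package content: "type path-regex" pairs, one per line.
PKG_FCONTEXTS='httpd_sys_script_exec_t /var/www/cgi-bin/view_status.pl
httpd_sys_rw_content_t /var/www/html/myapp/data(/.*)?
httpd_sys_content_t /var/www/html/myapp/static(/.*)?'

# Booleans to switch on; httpd_can_network_connect is the one Daniel names.
PKG_BOOLEANS='httpd_can_network_connect'

# Emit the command stream that "semanage -i -" reads: one change per line,
# all committed together instead of one policy rebuild per semanage call.
build_semanage_script() {
    printf '%s\n' "$PKG_FCONTEXTS" | while read -r type path; do
        if [ -n "$type" ]; then
            printf 'fcontext -a -t %s %s\n' "$type" "$path"
        fi
    done
    for b in $PKG_BOOLEANS; do
        printf 'boolean -m --on %s\n' "$b"
    done
}

# Turn a file-context regex into the directory restorecon should walk by
# dropping the trailing (/.*)? that fcontext patterns use.
plain_path() {
    printf '%s\n' "$1" | sed 's|(/\.\*)?$||'
}

# Apply the transaction and fix labels on disk. Returns 0 on success, 1 if
# semanage rejected the input, 2 if semanage is absent (the F20 Live case),
# so a %post can warn instead of failing the whole RPM install.
apply_selinux_config() {
    if ! command -v semanage >/dev/null 2>&1; then
        echo "warning: semanage missing (policycoreutils-python); labels not set" >&2
        return 2
    fi
    build_semanage_script | semanage -S targeted -i - || return 1
    printf '%s\n' "$PKG_FCONTEXTS" | while read -r type path; do
        if [ -n "$path" ]; then
            restorecon -R "$(plain_path "$path")"
        fi
    done
}
```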