On 02/18/2014 08:55 AM, Fulko Hew wrote:
>
> On Fri, Feb 14, 2014 at 9:43 AM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
>
> On 02/14/2014 09:17 AM, Fulko Hew wrote:
>> On Fri, Feb 14, 2014 at 8:58 AM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
>> On 02/14/2014 08:42 AM, Fulko Hew wrote:
>>> I made a package a long time ago, and over the years I've been adding
>>> new features, but the correct? support of SELinux has always eluded
>>> me. Occasionally I encounter problems with new versions of Fedora and
>>> RHEL. Recently I was asked to support the installation of my RPM on
>>> RHEL 6 systems, and I find that there are new SELinux
>>> features/requirements.
>>>
>>> It's probably me, but I haven't found any instructions/how-tos that
>>> have really helped (me) in providing the steps for testing and making
>>> a package SELinux compatible. I have something that works on older
>>> releases, but I've probably done it wrong.
>>>
>>> There's lots of documentation about its concepts, but not anything
>>> that has helped me in porting.
>>>
>>> Scenario:
>>>
>>> Given a working RPM (with SELinux disabled)... what would the process
>>> be (with examples) of turning SELinux on, attempting to install and run
>>> the various applications, viewing security logs, and turning any
>>> errors detected into correct config files/commands that can be included
>>> in a spec-file/package.
>>>
>>> Thanks
>>>
>>> Fulko
>
>
>> SELinux is a labeling system. You need to make sure any content that you
>> provide to confined services is labeled correctly. The way you do this
>> is by using a command like semanage fcontext ... in a post install and
>> then using restorecon to fix the labels.
>>
>> SELinux also has the concept of booleans which allow users to modify the
>> policy on the system. Depending on what your app wants to do you might
>> need to modify a boolean.
>>
>> Finally SELinux expects network ports to match some defaults. If you
>> want to change the default Network Port then you have to tell SELinux
>> about this.
>>
>> semanage port ...
>>
>> SELinux error messages are stored in /var/log/audit/audit.log and called
>> avc messages.
>>
>> ausearch -m avc -ts recent
>>
>> Can show you recent avc messages that your system received.
>>
>> For now, my spec file has a bunch of semanage/restorecon command pairs,
>> for such things as:
>>
>> semanage fcontext -a -t httpd_sys_script_exec_t myFile
>> semanage fcontext -a -t httpd_sys_rw_content_t myOtherFile
>> semanage fcontext -a -t httpd_sys_content_t yetOtherFiles
>>
>> a) Is this the 'right' way to do it?
>>
> Well you can combine these into a single transaction, which would speed it
> up.
>
> semanage -S targeted -i - << _EOF
> boolean -m --on allow_polyinstantiation
> boolean -m --on xguest_connect_network
> boolean -m --on xguest_mount_media
> boolean -m --on xguest_use_bluetooth
> _EOF
>
> This is what the xguest package does.
>
>
> I'm sorry, but I don't understand how to map your example into my
> values/example.
>
> I also have a new problem. I've been testing against F20 Live (KDE) and
> the package (policycoreutils-python) that provides semanage isn't
> installed, so semanage isn't available when my RPM is installed. What is the
> recommended approach?
>
> a) should I make my package/.spec 'require' policycoreutils-python? (It
> would seem unusual to place that burden on package maintainers.)

Requires(post): policycoreutils-python

> b) Use some other technique to configure/distribute security info. (Is this
> where policy files come into play?)
>
> 1. Where can I find a good example of how to create policy files given
> the contents of a .spec

I wrote an article on this several years ago.
http://magazine.redhat.com/2007/08/21/a-step-by-step-guide-to-building-a-new-selinux-policy-module/

There is an updated version at access.redhat.com

https://access.redhat.com/site/solutions/117583

sepolicy generate

Is the command I would recommend; on RHEL7 and latest Fedora this will
generate the spec file for you.

> 2. And, what needs to be added to a .spec so that the 'policy' is
> installed?
>
>
>> b) an example of the new error/warning is:
>>
>> Feb 13 14:37:58 livecd kernel: type=1400 audit(1392320278.129:151): avc:
>> denied { name_connect } for pid=4517 comm="view_status.pl" dest=27395
>> scontext=unconfined_u:system_r:httpd_sys_script_t:s0
>> tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
>>
> Well in a perfect world you would write policy for your cgi script, using
> a tool like sepolgen or sepolicy generate, depending on whether you are
> shipping in RHEL6 or Fedora.
>
> You could also turn on the httpd_can_network_connect boolean which would
> allow apache processes to connect to any ports.
>
>
> It turns out that I did have code in the %post portion of my .spec to set
> that boolean, but due to a bug on my part, the boolean wasn't being set
> under certain conditions.
>
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
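The question left open above is how to map the three per-file semanage commands onto the single-transaction form. The script below is an added example written for this thread, not code from any package or from the list members. It folds those fcontext rules, the httpd_can_network_connect boolean the thread settled on, and a port rule into the stdin format that "semanage -S targeted -i -" reads, and wraps them in the %post / %postun guards RPM scriptlets need (RPM passes the install count as $1: 1 on first install, 0 on final removal). The paths under /opt/mypkg and the port 8081 are constructed placeholders.

```shell
#!/bin/sh
# Added example for the thread above; not from any shipped package.
# Paths under /opt/mypkg and port 8081 are constructed placeholders.

# Text that "semanage -S targeted -i -" reads on stdin: one subcommand per
# line, written exactly as it would follow the word "semanage" on a command
# line. The regexes cover whole trees so files added later are labeled too.
selinux_install_rules() {
    cat <<'EOF'
fcontext -a -t httpd_sys_script_exec_t /opt/mypkg/cgi-bin(/.*)?
fcontext -a -t httpd_sys_rw_content_t /opt/mypkg/data(/.*)?
fcontext -a -t httpd_sys_content_t /opt/mypkg/html(/.*)?
boolean -m --on httpd_can_network_connect
port -a -t http_port_t -p tcp 8081
EOF
}

# Mirror image for package removal: drop the file-context and port rules.
# The boolean is deliberately left alone, since other packages on the box
# may depend on it; turning it off is an administrator's decision.
selinux_uninstall_rules() {
    cat <<'EOF'
fcontext -d /opt/mypkg/cgi-bin(/.*)?
fcontext -d /opt/mypkg/data(/.*)?
fcontext -d /opt/mypkg/html(/.*)?
port -d -t http_port_t -p tcp 8081
EOF
}

# %post body. $1 is the install count RPM passes in: 1 on first install,
# 2 or more on upgrade. The rules are added once; "fcontext -a" on a
# mapping that already exists is an error, so do not repeat it on upgrade.
# semanage only records the rules; restorecon applies them to the files.
selinux_post() {
    [ "$1" -eq 1 ] || return 0
    if ! command -v semanage >/dev/null 2>&1; then
        echo "semanage not found; add Requires(post): policycoreutils-python" >&2
        return 1
    fi
    selinux_install_rules | semanage -S targeted -i - || return 1
    restorecon -R /opt/mypkg
}

# %postun body. $1 is 0 only on final removal, not on upgrade, so the
# rules survive an upgrade and are cleaned up when the package goes away.
selinux_postun() {
    [ "$1" -eq 0 ] || return 0
    command -v semanage >/dev/null 2>&1 || return 0
    selinux_uninstall_rules | semanage -S targeted -i -
}

# Stand-alone usage: print the transaction that %post would feed semanage.
[ "${1:-}" = "--show" ] && selinux_install_rules
```

In the spec file the bodies of selinux_post and selinux_postun go under %post and %postun respectively, with "Requires(post): policycoreutils-python" and "Requires(postun): policycoreutils-python" so semanage exists at scriptlet time. Running the script with --show prints the transaction, which is a convenient way to review the rules before packaging them.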