Re: Activate a SELinux Module at Initial Install

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 09/02/2014 03:08 PM, Daniel J Walsh wrote:
> On 08/27/2014 04:10 PM, Dustin C. Hatch wrote:
>> Hello,
>>
>> I have a SELinux module that I've packaged following the SELinux Policy
>> Modules Packaging Draft[1] on the Fedora wiki. This module is fairly
>> simple and just adjusts the contexts of some files. The package works
>> well, and automatically activates the module and fixes file labels when
>> it is installed on the running machine using Yum. Unfortunately, it does
>> not work as smoothly if it is installed during initial setup by
>> Anaconda. In this case, the module is available but not activated
>> automatically; I have to manually run `semodule -i …` and `restorecon`
>> on the first boot.
>>
>> Is there a recommended way to automatically activate a module that was
>> installed from an additional package by Anaconda?
>>
>> Any ideas or pointers would be greatly appreciated.
>>
>> [1] http://fedoraproject.org/wiki/SELinux_Policy_Modules_Packaging_Draft
>>
> Where are you running semodule -i in your spec file?

In the %post scriptlet[1]:

%post
for v in %{selinux_variants}; do
	/usr/sbin/semodule -s $v \
		-i %{_datadir}/selinux/$v/%{semodule_name}.pp >&- 2>&- || :
done
/sbin/restorecon -R %{basedir} || :

I changed the output redirection to send to a log, and I see this error
message:

/usr/sbin/semodule: SELinux policy is not managed or store cannot be
accessed.

[1]
http://fedoraproject.org/wiki/SELinux_Policy_Modules_Packaging_Draft#Scriptlets

-- 
♫Dustin
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux





[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux