On 09/05/2014 12:06 AM, Dustin C. Hatch wrote:
> On 09/02/2014 03:08 PM, Daniel J Walsh wrote:
>> On 08/27/2014 04:10 PM, Dustin C. Hatch wrote:
>>> Hello,
>>>
>>> I have a SELinux module that I've packaged following the SELinux
>>> Policy Modules Packaging Draft[1] on the Fedora wiki. This module is
>>> fairly simple and just adjusts the contexts of some files. The
>>> package works well, and automatically activates the module and fixes
>>> file labels when it is installed on the running machine using Yum.
>>>
>>> Unfortunately, it does not work as smoothly if it is installed during
>>> initial setup by Anaconda. In this case, the module is available but
>>> not activated automatically; I have to manually run `semodule -i …`
>>> and `restorecon` on the first boot.
>>>
>>> Is there a recommended way to automatically activate a module that
>>> was installed from an additional package by Anaconda? Any ideas or
>>> pointers would be greatly appreciated.
>>>
>>> [1] http://fedoraproject.org/wiki/SELinux_Policy_Modules_Packaging_Draft
>>
>> Where are you running semodule -i in your spec file?
>
> In the %post scriptlet[1]:
>
>     %post
>     for v in %{selinux_variants}; do
>         /usr/sbin/semodule -s $v \
>             -i %{_datadir}/selinux/$v/%{semodule_name}.pp >&- 2>&- || :
>     done
>     /sbin/restorecon -R %{basedir} || :
>
> I changed the output redirection to send to a log, and I see this
> error message:
>
>     /usr/sbin/semodule: SELinux policy is not managed or store cannot be accessed.
>
> [1] http://fedoraproject.org/wiki/SELinux_Policy_Modules_Packaging_Draft#Scriptlets

I would go with

    %define selinuxtype targeted
    ..
    ..
    %post
    %{_sbindir}/semodule -n -s %{selinuxtype} -i %{_datadir}/selinux/packages/%{modulename}.pp
    if %{_sbindir}/selinuxenabled ; then
        %{_sbindir}/load_policy
        %relabel_files
    fi
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
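
Added example, not part of the thread and not Fedora's packaging macros: the scriptlet logic from the reply above written as a shell function that records `semodule` errors in a log instead of discarding them (the quoted scriptlet's `>&- 2>&- || :` hid the failure until the redirection was changed). The function name `install_policy_module`, the overridable tool variables and the log path are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the thread). Tool paths are overridable so the
# logic can be exercised without touching a real policy store.
SEMODULE=${SEMODULE:-/usr/sbin/semodule}
SELINUXENABLED=${SELINUXENABLED:-/usr/sbin/selinuxenabled}
LOAD_POLICY=${LOAD_POLICY:-/usr/sbin/load_policy}
RESTORECON=${RESTORECON:-/sbin/restorecon}
# Hypothetical log location; the thread does not name one.
SCRIPTLET_LOG=${SCRIPTLET_LOG:-/var/log/selinux-module-post.log}

# install_policy_module STORE PP_FILE [PATH...]
# Prints one of: failed, installed-not-loaded, loaded.
# Always returns 0 so a package transaction is never aborted by it.
install_policy_module() {
    store=$1
    pp=$2
    shift 2
    # -n: add the module to the store without reloading the running policy.
    if ! "$SEMODULE" -n -s "$store" -i "$pp" >>"$SCRIPTLET_LOG" 2>&1; then
        echo "semodule failed for $pp (store $store)" >>"$SCRIPTLET_LOG"
        echo failed
        return 0
    fi
    # Reload and relabel only when SELinux is enabled, as in the reply.
    if ! "$SELINUXENABLED"; then
        echo installed-not-loaded
        return 0
    fi
    if ! "$LOAD_POLICY" >>"$SCRIPTLET_LOG" 2>&1; then
        echo "load_policy failed" >>"$SCRIPTLET_LOG"
        echo failed
        return 0
    fi
    # Remaining arguments are the paths whose labels the module changes.
    if [ "$#" -gt 0 ]; then
        "$RESTORECON" -R "$@" >>"$SCRIPTLET_LOG" 2>&1 \
            || echo "restorecon failed for $*" >>"$SCRIPTLET_LOG"
    fi
    echo loaded
}
```

The printed status lets a wrapper or a first-boot check tell "module stored but policy not reloaded" apart from a real failure, which the log then explains.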