-----BEGIN PGP SIGNED MESSAGE-----
On 11/23/2011 11:45 AM, Dmitry Makovey wrote:
> this year we have decided to adopt SELinux as part of our standard
> platform. However we also build quite a few in-house RPM packages.
> What we're trying to do now is to marry those two efforts, and make
> those packages we build provide SELinux policies. Admittedly we're
> using RHEL6 for this purpose. I have already collected some
> information, and it looks like building SELinux modules and
> providing them with the package is the way to go.
> I have started building module from scratch based on what we had to
> do manually to get rid of SELinux warnings (running SELinux in
> permissive mode at the moment):
> $ chcon -R -h -t httpd_sys_content_t -u system_u /usr/libexec/foo*
> $ chcon -R -t httpd_sys_rw_content_t -u system_u /var/lib/foo
> $ setsebool -P httpd_can_network_connect_db on
> which resulted in policy:
> bject_r:httpd_sys_content_t, s0) /var/lib/foo
> with foo.if and foo.te pretty much empty.
> What I struggle with are several things:
> 1. can I set up boolean's value from the policy module?
> 2. I had to manually relabel /usr/libexec/foo* and /var/lib/foo via
> "fixfiles" after I added policy via:
> $ semodule -i foo.pp
> Can I create module in a way that upon its activation it'll
> relabel all needed pieces? (I played with semodule's "-d" and "-e"
> with no effect)
> 3. I have seen several suggestions on how to package and install
> .pp files with RPM:
> http://fedoraproject.org/wiki/PackagingDrafts/SELinux vs
> latter seems to be more natural at least from logic/syntax
> perspective. Which one is preferred for RHEL6 (I know it's a fedora
> list, but I didn't see/find corresponding RHEL list and sysadmin@
> ML is kind of low on traffic and answers
> -- selinux mailing list email@example.com
Instead of adding a local policy module and setting a boolean, I
would do this all in one step.
# -S targeted: the policy store to change; -i -: read semanage
# subcommands from stdin until the _EOF terminator
semanage -S targeted -i - << _EOF
boolean -m --on httpd_can_network_connect_db
fcontext -a -t httpd_sys_content_t '/usr/libexec/foo(.*)?'
fcontext -a -t httpd_sys_rw_content_t '/var/lib/foo(/.*)?'
_EOF
# apply the new file contexts to the files already on disk
restorecon -R -v /usr/libexec/foo /var/lib/foo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----
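The reply's semanage approach, wrapped into RPM scriptlets so that the package applies the boolean and file contexts on install and relabels the files it ships (the original poster's points 2 and 3). This is an added example, not code from the thread or from any Fedora/RHEL packaging guideline; it assumes a package named "foo" that owns /usr/libexec/foo* and /var/lib/foo, that policycoreutils-python (which provides semanage on RHEL6) is installed before the scriptlets run, and that the `semanage -i -` input syntax from the reply is what the installed semanage version accepts (later policycoreutils releases moved this to `semanage import`).

```spec
# Added example: RPM scriptlets for the semanage-based approach.
# Assumes package "foo", paths /usr/libexec/foo* and /var/lib/foo,
# and semanage available at scriptlet time (policycoreutils-python on RHEL6).
Requires(post): policycoreutils, policycoreutils-python
Requires(postun): policycoreutils, policycoreutils-python

%post
# Skip everything on hosts where SELinux is disabled.
if /usr/sbin/selinuxenabled 2>/dev/null; then
    # $1 is 1 on first install and 2 on upgrade. "fcontext -a" fails when
    # an identical rule already exists, so only add the rules once and let
    # an upgrade keep the rules registered by the previous version.
    if [ "$1" -eq 1 ]; then
        /usr/sbin/semanage -S targeted -i - <<_EOF
boolean -m --on httpd_can_network_connect_db
fcontext -a -t httpd_sys_content_t '/usr/libexec/foo(.*)?'
fcontext -a -t httpd_sys_rw_content_t '/var/lib/foo(/.*)?'
_EOF
    fi
    # Relabel the files this package just installed so no manual
    # fixfiles/restorecon run is needed after installation.
    /sbin/restorecon -R -v /usr/libexec/foo* /var/lib/foo || :
fi

%postun
# $1 is 0 only on complete removal (not on upgrade): drop the file
# context rules the package registered. The boolean is deliberately
# left alone, since other packages on the host may depend on it.
if [ "$1" -eq 0 ] && /usr/sbin/selinuxenabled 2>/dev/null; then
    /usr/sbin/semanage -S targeted -i - <<_EOF
fcontext -d '/usr/libexec/foo(.*)?'
fcontext -d '/var/lib/foo(/.*)?'
_EOF
fi
```

The `$1` checks are what make the scriptlets safe across `rpm -U`: without them an upgrade would try to re-add existing fcontext rules (an error from semanage that aborts the scriptlet) and an upgrade's %postun of the old version would delete rules the new version still relies on. Running `semanage fcontext -l | grep foo` after install, and `ls -Z /var/lib/foo` to confirm the `httpd_sys_rw_content_t` label, is the quickest way to verify the scriptlets did their job.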