On 11/23/2011 11:45 AM, Dmitry Makovey wrote:
>
> Hi,
>
> this year we have decided to adopt SELinux as part of our standard
> platform. However we also build quite a few in-house RPM packages.
> What we're trying to do now is to marry those two efforts, and make
> those packages we build provide SELinux policies. Admittedly we're
> using RHEL6 for this purpose. I have already collected some
> information, and it looks like building SELinux modules and
> providing them with the package is the way to go.
>
> I have started building module from scratch based on what we had to
> do manually to get rid of SELinux warnings (running SELinux in
> permissive mode at the moment):
>
> $ chcon -R -h -t httpd_sys_content_t -u system_u /usr/libexec/foo*
> $ chcon -R -t httpd_sys_rw_content_t -u system_u /var/lib/foo
> $ setsebool -P httpd_can_network_connect_db on
>
> which resulted in policy:
>
> foo.fc:
>
> /usr/libexec/foo(.*)?    gen_context(system_u:object_r:httpd_sys_content_t,s0)
> /var/lib/foo             gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
>
> with foo.if and foo.te pretty much empty.
>
> What I struggle with are several things:
>
> 1. can I set up a boolean's value from the policy module?
>
> 2. I had to manually relabel /usr/libexec/foo* and /var/lib/foo via
> "fixfiles" after I added policy via:
>
> $ semodule -i foo.pp
>
> Can I create the module in a way that upon its activation it'll
> relabel all needed pieces? (I played with semodule's "-d" and "-e"
> with no effect)
>
> 3. I have seen several suggestions on how to package and install
> .pp files with RPM:
>
> http://fedoraproject.org/wiki/PackagingDrafts/SELinux vs
> http://selinuxproject.org/page/RPM
>
> latter seems to be more natural at least from logic/syntax
> perspective. Which one is preferred for RHEL6 (I know it's a fedora
> list, but I didn't see/find corresponding RHEL list and sysadmin@
> ML is kind of low on traffic and answers).
>
> -- selinux mailing list selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
Instead of adding a local policy module and setting a boolean, I
would do this all in one step:

semanage -S targeted -i - << _EOF
boolean -m --on httpd_can_network_connect_db
fcontext -a -t httpd_sys_content_t '/usr/libexec/foo(.*)?'
fcontext -a -t httpd_sys_rw_content_t '/var/lib/foo(/.*)?'
_EOF
restorecon -R -v /usr/libexec/foo /var/lib/foo
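The one-step semanage batch from the reply above, packaged the way the original question asks for: as a helper that an RPM spec calls from its %post and %postun scriptlets instead of shipping a .pp module. This is an added example, not code from either poster or from the Fedora guidelines; the package name "foo", the script name and the scriptlet wiring are assumptions. It handles the three things a one-off command on the list does not: "fcontext -a" fails on upgrade once the spec is already in the local store, so an upgrade uses -m; the rules are removed only on final erase (%postun argument 0), not on upgrade; and a host without SELinux tooling gets a no-op rather than a failed transaction.

```shell
#!/bin/sh
# Added example (not from the list post): helper called from the RPM
# scriptlets of a hypothetical package "foo", e.g. in the spec file:
#   %post    -p /bin/sh
#   /usr/libexec/foo/foo-selinux.sh post $1
#   %postun  -p /bin/sh
#   /usr/libexec/foo/foo-selinux.sh postun $1
# Script location and package name are assumptions.

STORE=targeted
FOO_PATHS="/usr/libexec/foo /var/lib/foo"

# Lines fed to "semanage -i -". $1 is "a" on first install (add the
# fcontext rules) and "m" on upgrade (modify the rules already in the
# local store, since "fcontext -a" errors once the spec exists).
# The directory pattern is written (/.*)? so files under /var/lib/foo
# match, not only the directory itself.
foo_semanage_batch() {
  op=$1
  cat <<_EOF
boolean -m --on httpd_can_network_connect_db
fcontext -$op -t httpd_sys_content_t '/usr/libexec/foo(.*)?'
fcontext -$op -t httpd_sys_rw_content_t '/var/lib/foo(/.*)?'
_EOF
}

# Lines for final erase: drop only what this package registered. The
# boolean is system-wide and other services may rely on it, so it stays.
foo_semanage_remove_batch() {
  cat <<'_EOF'
fcontext -d '/usr/libexec/foo(.*)?'
fcontext -d '/var/lib/foo(/.*)?'
_EOF
}

# A host without the tooling, or with SELinux disabled, must not fail the
# RPM transaction; the scriptlets simply do nothing there.
foo_selinux_usable() {
  command -v semanage >/dev/null 2>&1 || return 1
  command -v restorecon >/dev/null 2>&1 || return 1
  selinuxenabled >/dev/null 2>&1
}

# RPM passes %post the number of installed instances: 1 on first install,
# 2 or more during an upgrade.
foo_op_for_count() {
  if [ "$1" -eq 1 ]; then echo a; else echo m; fi
}

foo_post() {
  foo_selinux_usable || return 0
  foo_semanage_batch "$(foo_op_for_count "$1")" | semanage -S "$STORE" -i -
  # semanage only updates the store; the on-disk labels still need applying.
  restorecon -R -v $FOO_PATHS
}

foo_postun() {
  # %postun gets 0 only on final erase; on upgrade the new version's %post
  # has already (re)registered the rules and they must stay.
  [ "$1" -eq 0 ] || return 0
  foo_selinux_usable || return 0
  foo_semanage_remove_batch | semanage -S "$STORE" -i -
  # Anything left on disk falls back to the parent directory's default
  # label (var_lib_t under /var/lib); the paths may already be gone.
  restorecon -R $FOO_PATHS 2>/dev/null || :
}

case "${1:-}" in
  post)   foo_post   "${2:-1}" ;;
  postun) foo_postun "${2:-0}" ;;
esac
```

The batch functions are kept separate from the functions that run semanage so the generated input can be inspected (or diffed against `semanage -o -` output) on a build host that has no SELinux at all; note that this registers local customizations rather than installing a policy module, so `semodule -l` will not show anything for foo, but `semanage fcontext -l -C` will.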