How to get an SELinux policy change
Paul Howarth
paul at city-fan.org
Fri Nov 7 15:02:52 UTC 2008
On Fri, 07 Nov 2008 09:53:18 -0500
Daniel J Walsh <dwalsh at redhat.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Jerry James wrote:
> > 2008/11/7 yersinia <yersinia.spiros at gmail.com>:
> >> Do look useful this docu ?
> >>
> >> http://fedoraproject.org/wiki/PackagingDrafts/SELinux/PolicyModules
> >
> > Thank you. That is a very useful document. However, it does not
> > appear to answer my question. I need a non-default security context
> > for binaries that are both built and executed in the %build script,
> > when the policy module has not yet been installed. It appears to me
> > that there are only two ways to accomplish this: keep abusing
> > java_exec_t like I have been, or get a GCL policy incorporated into
> > selinux-policy* prior to building GCL. Am I wrong? Is there some
> > other option? Does anyone have any guidance to offer me on which
> > option to pursue? Thanks,
> I would go with the chcon solution you have but instead of hard coding
> the java_exec_t, I would execute
>
> You can get the context of the final destination of the file using
>
> chcon `matchpathcon -n /usr/bin/gcl` LOCALPATH/gcl
>
> Which seems to be a fine way of doing. this.
Indeed, but it needs the context type for /usr/bin/gcl to be set to
java_exec_t or equivalent in the selinux-policy package before it'll
work.
Paul.
More information about the fedora-devel-list
mailing list