SELinux Module Packaging in FC5

Paul Howarth paul at city-fan.org
Fri May 26 13:29:27 UTC 2006


Daniel J Walsh wrote:
> Paul Howarth wrote:
>> *** post-install scriptlet installs policy modules and fixes contexts:
>>
>> %if %{selinux_module}
>> %post
>> # Install SELinux policy modules
>> if [ -x /usr/sbin/semodule ]; then
>>   for selinuxvariant in %{selinux_variants}
>>   do
>>     /usr/sbin/semodule -s ${selinuxvariant} -i \
>>       %{_datadir}/selinux/${selinuxvariant}/contagged.pp \
>>         &> /dev/null || :
>>   done
>> fi
> Does this fail silently if the policy package is not installed?

I believe semodule will output "semodule:  SELinux policy is not managed 
or store cannot be accessed.", hence the redirection of all output to 
/dev/null and the "|| :" to ignore the semodule exit code.

>> # Fix up non-standard directory context
>> [ -x /sbin/restorecon ] && /sbin/restorecon \
>>   %{_localstatedir}/cache/contagged || :
>> %endif
>>
>>
>> *** pre-uninstall script removes policy modules (and removes app's 
>> cache, not SELinux-related):
>>
>> %postun
>> # Clean up after package removal
>> if [ $1 -eq 0 ]; then
>>   # Clean out the cache
>>   %{__rm} -f %{_localstatedir}/cache/contagged/*.tpl.php
>>   /bin/rmdir %{_localstatedir}/cache/contagged &> /dev/null || :
>> %if %{selinux_module}
>>   # Remove SELinux policy modules
>>   if [ -x /usr/sbin/semodule ]; then
>>     for selinuxvariant in %{selinux_variants}
>>     do
>>       /usr/sbin/semodule -s ${selinuxvariant} -r contagged || :
>>     done
>>   fi
> You might need to fixup contexts here also, if you leave anything behind.

Good point. So in this case I'd need:

/sbin/restorecon -Rh %{_localstatedir}/cache/contagged || :

>> Dan also comments in #190561 that "you only need to install it with 
>> semodule, you do not need to install the pp file"; I don't get this, as 
>> how will semodule be able to access the .pp file if it isn't installed 
>> with the package...
> Sorry you are right.  The only thing is you should not put the pp file 
> in /usr/share/selinux/VARIANT, as the current policy package does a 
> semodule -i of all pp files in that directory.  (Which I should really 
> change)  So if someone does a semodule -r later, the policy upgrade will 
> reinstall.

Ah, I saw the clamav.pp in there and assumed it was from an Extras 
package but it's not. There probably needs to be a separate hierarchy 
for package modules then, perhaps:

/usr/share/selinux/packages/VARIANT/

and the .pp files go in there. And if it's the same .pp file for all 
variants, it would go in /usr/share/selinux/packages/share/ instead.

> My point about the pp file, is that you do not need to leave it on disk 
> or even use it again after it has been installed.  As a matter of fact 
> semodule copies the pp file to
> /etc/selinux/VARIANT/modules/active/modules/

From a package management point of view, it's probably best (and 
certainly easiest) to just install it as a regular file and then it'll 
get removed if the package is removed. It's not as if it's saving a huge 
amount of disk space.

Paul.
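As an added, self-contained example (not code from this thread or from the contagged package), the two scriptlet bodies discussed above can be written as POSIX shell functions so the install/remove logic can be exercised outside rpm. It assumes the /usr/share/selinux/packages/VARIANT/ layout proposed in the reply, with a share/ fallback for a .pp common to all variants; the tool paths, policy directory, module name and cache directory are hypothetical overridable variables, and the policy variants are passed as arguments in place of the %{selinux_variants} macro. The relabel on final removal uses the `restorecon -Rh` form from the reply, and `&>` is replaced with the portable `>/dev/null 2>&1`.

```shell
#!/bin/sh
# Hypothetical scriptlet bodies for an SELinux-module-shipping package.
# Every path is overridable so the logic can be checked with stub binaries
# (constructed test values), and %{...} macros become plain shell variables.
SEMODULE="${SEMODULE:-/usr/sbin/semodule}"
RESTORECON="${RESTORECON:-/sbin/restorecon}"
PKGPOLICYDIR="${PKGPOLICYDIR:-/usr/share/selinux/packages}"
MODULE="${MODULE:-contagged}"
CACHEDIR="${CACHEDIR:-/var/cache/contagged}"

# Locate the .pp for one variant: the per-variant directory wins, then the
# shared directory; fail (non-zero) if neither exists so the caller can skip.
module_pp_for() {
  variant="$1"
  if [ -f "$PKGPOLICYDIR/$variant/$MODULE.pp" ]; then
    echo "$PKGPOLICYDIR/$variant/$MODULE.pp"
  elif [ -f "$PKGPOLICYDIR/share/$MODULE.pp" ]; then
    echo "$PKGPOLICYDIR/share/$MODULE.pp"
  else
    return 1
  fi
}

# %post equivalent: load the module into each variant's store (-s), ignoring
# semodule's "policy is not managed" failure on non-SELinux hosts, then relabel
# the non-standard cache directory so it gets the context the policy expects.
selinux_post_install() {
  if [ -x "$SEMODULE" ]; then
    for variant in "$@"; do
      pp=$(module_pp_for "$variant") || continue
      "$SEMODULE" -s "$variant" -i "$pp" >/dev/null 2>&1 || :
    done
  fi
  [ -x "$RESTORECON" ] && "$RESTORECON" -R "$CACHEDIR" >/dev/null 2>&1 || :
  return 0
}

# %postun equivalent: the first argument is rpm's remaining-instance count,
# so only a final removal (0), not an upgrade, unloads the module. Anything
# left behind in the cache directory is relabelled afterwards, as suggested.
selinux_postun() {
  count="$1"; shift
  [ "$count" -eq 0 ] || return 0
  if [ -x "$SEMODULE" ]; then
    for variant in "$@"; do
      "$SEMODULE" -s "$variant" -r "$MODULE" >/dev/null 2>&1 || :
    done
  fi
  [ -x "$RESTORECON" ] && "$RESTORECON" -Rh "$CACHEDIR" >/dev/null 2>&1 || :
  return 0
}

# Stand-alone use: "post targeted strict" or "postun 0 targeted strict".
case "${1:-}" in
  post)   shift; selinux_post_install "$@" ;;
  postun) shift; selinux_postun "$@" ;;
esac
```

Pointing SEMODULE and RESTORECON at stub scripts that log their arguments is enough to confirm which store each variant's module lands in and that nothing is unloaded on an upgrade; the `|| :` guards keep the scriptlets from failing a transaction on a host where the policy store cannot be accessed.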
