[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: SELinux Module Packaging in FC5



Daniel J Walsh wrote:
Paul Howarth wrote:
*** post-install scriptlet installs policy modules and fixes contexts:

%if %{selinux_module}
%post
# Install SELinux policy modules
if [ -x /usr/sbin/semodule ]; then
  for selinuxvariant in %{selinux_variants}
  do
    /usr/sbin/semodule -s ${selinuxvariant} -i \
      %{_datadir}/selinux/${selinuxvariant}/contagged.pp \
        &> /dev/null || :
  done
fi
Does this fail silently if the policy package is not installed?

I believe semodule will output "semodule: SELinux policy is not managed or store cannot be accessed.", hence the redirection of all output to /dev/null and the "|| :" to ignore the semodule exit code.

# Fix up non-standard directory context
[ -x /sbin/restorecon ] && /sbin/restorecon \
  %{_localstatedir}/cache/contagged || :
%endif


*** pre-uninstall script removes policy modules (and removes app's cache, not SELinux-related):

%postun
# Clean up after package removal
if [ $1 -eq 0 ]; then
  # Clean out the cache
  %{__rm} -f %{_localstatedir}/cache/contagged/*.tpl.php
  /bin/rmdir %{_localstatedir}/cache/contagged &> /dev/null || :
%if %{selinux_module}
  # Remove SELinux policy modules
  if [ -x /usr/sbin/semodule ]; then
    for selinuxvariant in %{selinux_variants}
    do
      /usr/sbin/semodule -s ${selinuxvariant} -r contagged || :
    done
  fi
You might need to fixup contexts here also, if you leave anything behind.

Good point. So in this case I'd need:

/sbin/restorecon -Rh %{_localstatedir}/cache/contagged || :

Dan also comments in #190561 that "You only need to install it with semodule, you do not need to install the pp file"; I don't get this, as how will semodule be able to access the .pp file if it isn't installed with the package...
Sorry you are right. The only thing is you should not put the pp file in /usr/share/selinux/VARIANT, as the current policy package does a semodule -i of all pp files in that directory. (Which I should really change) So if someone does a semodule -r later, the policy upgrade will reinstall.

Ah, I saw the clamav.pp in there and assumed it was from an Extras package but it's not. There probably needs to be a separate hierarchy for package modules then, perhaps:

/usr/share/selinux/packages/VARIANT/

and the .pp files go in there. And if it's the same .pp file for all variants, it would go in /usr/share/selinux/packages/share/ instead.

My point about the pp file is that you do not need to leave it on disk or even use it again after it has been installed. As a matter of fact semodule copies the pp file to
/etc/selinux/VARIANT/modules/active/modules/

From a package management point of view, it's probably best (and certainly easiest) to just install it as a regular file and then it'll get removed if the package is removed. It's not as if it's saving a huge amount of disk space.

Paul.
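As an added example that is not part of the thread or of the contagged package: the %post/%postun logic discussed above, factored into shell functions so it can be dry-run against fake semodule/restorecon binaries before going into a spec file. The assumptions are mine, not the thread's: the module is called contagged, the per-variant .pp files live under $PPDIR/VARIANT/contagged.pp (the /usr/share/selinux/packages/ layout Paul proposes), and the tool paths can be overridden through the SEMODULE and RESTORECON variables so the script runs on a box without SELinux. It also does one thing the posted scriptlets do not: instead of masking every semodule error with "&> /dev/null || :", it first checks whether the store for a variant is reachable at all with "semodule -s VARIANT -l", skips silently if not, and otherwise lets a real load failure be reported.

```shell
#!/bin/sh
# Added example (not code from the thread or the contagged package):
# RPM %post / %postun logic for an SELinux policy module, written as
# functions so it can be exercised with fake tools.
#
# Assumptions (mine, not the thread's): module name, .pp layout and cache
# directory below; SEMODULE/RESTORECON default to the real paths but can be
# overridden for a dry run.

MODULE=${MODULE:-contagged}
VARIANTS=${VARIANTS:-"targeted strict"}
PPDIR=${PPDIR:-/usr/share/selinux/packages}
CACHEDIR=${CACHEDIR:-/var/cache/contagged}
SEMODULE=${SEMODULE:-/usr/sbin/semodule}
RESTORECON=${RESTORECON:-/sbin/restorecon}

# True when the policy store for variant $1 is managed and reachable.
# "semodule -l" fails with "SELinux policy is not managed or store cannot
# be accessed." otherwise, which is the case the thread wants to ignore.
policy_managed() {
    [ -x "$SEMODULE" ] && "$SEMODULE" -s "$1" -l >/dev/null 2>&1
}

# %post: load the module into every variant whose store is reachable.
# A store that exists but rejects the module is reported on stderr and
# makes the function return 1, instead of being hidden by "&> /dev/null".
install_policy_modules() {
    rc=0
    for variant in $VARIANTS; do
        policy_managed "$variant" || continue
        if ! "$SEMODULE" -s "$variant" -i "$PPDIR/$variant/$MODULE.pp"; then
            echo "warning: could not load $MODULE into $variant policy" >&2
            rc=1
        fi
    done
    return $rc
}

# %postun: $1 is the RPM instance count, 0 on erase and >= 1 on upgrade,
# so only remove on erase. Afterwards relabel whatever the package left in
# its cache directory, so nothing keeps a type the loaded policy no
# longer defines (Dan's point in the thread).
remove_policy_modules() {
    [ "$1" -eq 0 ] 2>/dev/null || return 0
    for variant in $VARIANTS; do
        policy_managed "$variant" || continue
        "$SEMODULE" -s "$variant" -r "$MODULE" || :
    done
    if [ -x "$RESTORECON" ] && [ -d "$CACHEDIR" ]; then
        "$RESTORECON" -Rh "$CACHEDIR" || :
    fi
    return 0
}

# Usage: SELINUX_DEMO=1 ./script.sh runs the erase path as root would.
if [ "${SELINUX_DEMO:-0}" = 1 ]; then
    install_policy_modules
    remove_policy_modules 0
fi
```

In a spec file the two functions become the bodies of %post and %postun, with "$1" passed through from the scriptlet; the fake-tool trick (point SEMODULE at a script that logs its arguments) is a cheap way to confirm the erase-versus-upgrade branch and the per-variant loop before the package is built.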

