SELinux Module Packaging in FC5
Paul Howarth
paul at city-fan.org
Fri May 26 13:29:27 UTC 2006
Daniel J Walsh wrote:
> Paul Howarth wrote:
>> *** post-install scriptlet installs policy modules and fixes contexts:
>>
>> %if %{selinux_module}
>> %post
>> # Install SELinux policy modules
>> if [ -x /usr/sbin/semodule ]; then
>> for selinuxvariant in %{selinux_variants}
>> do
>> /usr/sbin/semodule -s ${selinuxvariant} -i \
>> %{_datadir}/selinux/${selinuxvariant}/contagged.pp \
>> &> /dev/null || :
>> done
>> fi
> Does this fail silently if the policy package is not installed?
I believe semodule will output "semodule: SELinux policy is not managed
or store cannot be accessed.", hence the redirection of all output to
/dev/null and the "|| :" to ignore the semodule exit code.
>> # Fix up non-standard directory context
>> [ -x /sbin/restorecon ] && /sbin/restorecon \
>> %{_localstatedir}/cache/contagged || :
>> %endif
>>
>>
>> *** pre-uninstall script removes policy modules (and removes app's
>> cache, not SELinux-related):
>>
>> %postun
>> # Clean up after package removal
>> if [ $1 -eq 0 ]; then
>> # Clean out the cache
>> %{__rm} -f %{_localstatedir}/cache/contagged/*.tpl.php
>> /bin/rmdir %{_localstatedir}/cache/contagged &> /dev/null || :
>> %if %{selinux_module}
>> # Remove SELinux policy modules
>> if [ -x /usr/sbin/semodule ]; then
>> for selinuxvariant in %{selinux_variants}
>> do
>> /usr/sbin/semodule -s ${selinuxvariant} -r contagged || :
>> done
>> fi
> You might need to fixup contexts here also, if you leave anything behind.
Good point. So in this case I'd need:
/sbin/restorecon -Rh %{_localstatedir}/cache/contagged || :
>> Dan also comments in #190561 that "You only need to install it with
>> semodule, you do not need to install the pp file"; I don't get this, as
>> how will semodule be able to access the .pp file if it isn't installed
>> with the package...
> Sorry you are right. The only thing is you should not put the pp file
> in /usr/share/selinux/VARIANT, as the current policy package does a
> semodule -i of all pp files in that directory. (Which I should really
> change) So if someone does a semodule -r later, the policy upgrade will
> reinstall.
Ah, I saw the clamav.pp in there and assumed it was from an Extras
package but it's not. There probably needs to be a separate hierarchy
for package modules then, perhaps:
/usr/share/selinux/packages/VARIANT/
and the .pp files go in there. And if it's the same .pp file for all
variants, it would go in /usr/share/selinux/packages/share/ instead.
> My point about the pp file, is that you do not need to leave it on disk
> or even use it again after it has been installed. As a matter of fact
> semodule copies the pp file to
> /etc/selinux/VARIANT/modules/active/modules/
From a package management point of view, it's probably best (and
certainly easiest) to just install it as a regular file and then it'll
get removed if the package is removed. It's not as if it's saving a huge
amount of disk space.
Paul.
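The scriptlet logic discussed in this thread, factored into two shell functions that a spec file's %post and %postun could call, as an added example that is not part of the original message or of the contagged package. It follows Paul's proposal of keeping the .pp files under /usr/share/selinux/packages/VARIANT/ (so the base policy upgrade does not re-install them behind the packager's back), assumes the variants targeted, strict and mls, and assumes the module name contagged from the thread; the tool paths can be overridden through the SEMODULE and RESTORECON variables, which is also how the logic can be exercised without touching a real policy store.

```shell
#!/bin/sh
# Example scriptlet logic for a packaged SELinux policy module (added
# example, not the thread's own spec file). Defaults mirror the thread:
# module "contagged", one .pp per policy variant, a non-standard cache
# directory that needs a relabel once the module's types exist.
MODULE=${MODULE:-contagged}
VARIANTS=${VARIANTS:-"targeted strict mls"}            # assumption
PKG_DIR=${PKG_DIR:-/usr/share/selinux/packages}        # Paul's proposed layout
CACHE_DIR=${CACHE_DIR:-/var/cache/contagged}
SEMODULE=${SEMODULE:-/usr/sbin/semodule}
RESTORECON=${RESTORECON:-/sbin/restorecon}

# %post: load the module into every policy store we ship a .pp for.
# semodule prints "SELinux policy is not managed or store cannot be
# accessed." and exits non-zero for a variant whose store is absent on
# this host; that is expected, so the output is dropped and the exit
# code ignored, exactly as the "|| :" in the thread does.
install_modules() {
    [ -x "$SEMODULE" ] || return 0
    for variant in $VARIANTS; do
        pp="$PKG_DIR/$variant/$MODULE.pp"
        [ -f "$pp" ] || continue
        "$SEMODULE" -s "$variant" -i "$pp" >/dev/null 2>&1 || :
    done
    # Files in a directory the policy labels specially only pick up that
    # label after a relabel, and only once the module has been loaded.
    [ -d "$CACHE_DIR" ] && [ -x "$RESTORECON" ] && \
        "$RESTORECON" -R "$CACHE_DIR" >/dev/null 2>&1 || :
    return 0
}

# %postun: rpm passes the number of package instances left; 0 means a
# real removal rather than an upgrade. Unload the module from every
# store, then relabel whatever remains in the cache directory so it does
# not keep a type the loaded policy no longer defines (Dan's point).
remove_modules() {
    remaining=$1
    [ "$remaining" -eq 0 ] || return 0
    if [ -x "$SEMODULE" ]; then
        for variant in $VARIANTS; do
            "$SEMODULE" -s "$variant" -r "$MODULE" >/dev/null 2>&1 || :
        done
    fi
    [ -d "$CACHE_DIR" ] && [ -x "$RESTORECON" ] && \
        "$RESTORECON" -Rh "$CACHE_DIR" >/dev/null 2>&1 || :
    return 0
}

# Optional dispatcher so the file can be run directly:
#   sh selinux-scriptlets.sh post        (what %post would do)
#   sh selinux-scriptlets.sh postun 0    (what %postun does on removal)
case "${1:-}" in
    post)   install_modules ;;
    postun) remove_modules "${2:-0}" ;;
esac
```

In the spec the two scriptlets would reduce to calling install_modules from %post and remove_modules "$1" from %postun; the `[ -f "$pp" ] || continue` guard also covers Paul's "share" case, where a single .pp serves several variants and only one directory is populated.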