[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Making Fedora a contributer friendly environment



On Wed, 2007-05-09 at 17:25 +0200, Till Maas wrote:
> On Mi Mai 9 2007, Karl MacMillan wrote:
> 
> > It's not and for applications like this you aren't likely to avoid
> > executing writable memory. You should set the context correctly to allow
> > executable memory (chcon -t unconfined_execmem_exec_t). Eventually we
> > should avoid hard-coding contexts in the rpms but there is currently no
> > better solution.
> 
> There are some drafts in:
> http://fedoraproject.org/wiki/PackagingDrafts/SELinux
> 
> Which at least make these changes persistent.

Persistent is not quite right - using semanage (or a policy module)
makes the changes survive a full relabel of the system. A chcon is
persistent (across reboots and such) until the context is explicitly
changed.

>  As far as I understand selinux, 
> when someone disables it, all the contexts that were created in %post with 
> chcon are lost.

Not quite - disabling doesn't lose any contexts. The problem is that
during the normal course of running the system some file labels are
changed or files are created without a label.

When selinux is turned on again a full relabel of the filesystem is done
to correct these problems. If the custom file context wasn't added to
the database of file contexts (via a module or semanage) the file is set
to the default label.

>  Also I am not sure, whether or not they get lost, after an 
> policy-update, but I think I saw this happen once. The method descibed in the 
> PackagingDraft which I followed with the following files:
> 
> VirtualBox-OSE.te
> policy_module(VirtualBox-OSE, 1.0.0)
> 
> VirtualBox-OSE.fc
> @VBOXINSTDIR@/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
> 
> and the scriptlets there, at least works, but it is imho much to complicated. 

This is only needed if you have a policy for that application. Just to
change a file context it seems unnecessary. Semanage should be workable.

> And when using semanage it is afaik impossible to change a 
> selinux-configuration or remove it, because of the ordering 
> of %post(un) %pre(un).
> 

Not sure what you mean - you should be able to run semanage in a post.
Perhaps you should also need to do chcon (as opposed to restorecon)
because the command may not have run before the file was created.

> In conlusion, there should first be some methods and (better (documented)) rpm 
> support, before demanding that all packages should support selinux. E.g. what 
> does "%policy" in "%files" do?
> 

I agree that those packaging guidelines should be reviewed, improved
where necessary, and adopted. However, most packages do not need any
special selinux support.

Paul / Dan - how should we proceed with those guidelines.

Karl

> Regards,
> Till
> 
> 


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]