[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: How to get an SELinux policy change



On Fri, 07 Nov 2008 09:53:18 -0500
Daniel J Walsh <dwalsh redhat com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Jerry James wrote:
> > 2008/11/7 yersinia <yersinia spiros gmail com>:
> >> Do look useful this docu ?
> >>
> >> http://fedoraproject.org/wiki/PackagingDrafts/SELinux/PolicyModules
> > 
> > Thank you.  That is a very useful document.  However, it does not
> > appear to answer my question.  I need a non-default security context
> > for binaries that are both built and executed in the %build script,
> > when the policy module has not yet been installed.  It appears to me
> > that there are only two ways to accomplish this: keep abusing
> > java_exec_t like I have been, or get a GCL policy incorporated into
> > selinux-policy* prior to building GCL.  Am I wrong?  Is there some
> > other option?  Does anyone have any guidance to offer me on which
> > option to pursue?  Thanks,
> I would go with the chcon solution you have but instead of hard coding
> the java_exec_t, I would execute
> 
> You can get the context of the final destination of the file using
> 
> chcon `matchpathcon -n /usr/bin/gcl` LOCALPATH/gcl
> 
> Which seems to be a fine way of doing. this.

Indeed, but it needs the context type for /usr/bin/gcl to be set to
java_exec_t or equivalent in the selinux-policy package before it'll
work.

Paul.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]