[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: How to get an SELinux policy change

Hash: SHA1

Paul Howarth wrote:
> On Fri, 07 Nov 2008 09:53:18 -0500
> Daniel J Walsh <dwalsh redhat com> wrote:
>> Hash: SHA1
>> Jerry James wrote:
>>> 2008/11/7 yersinia <yersinia spiros gmail com>:
>>>> Do look useful this docu ?
>>>> http://fedoraproject.org/wiki/PackagingDrafts/SELinux/PolicyModules
>>> Thank you.  That is a very useful document.  However, it does not
>>> appear to answer my question.  I need a non-default security context
>>> for binaries that are both built and executed in the %build script,
>>> when the policy module has not yet been installed.  It appears to me
>>> that there are only two ways to accomplish this: keep abusing
>>> java_exec_t like I have been, or get a GCL policy incorporated into
>>> selinux-policy* prior to building GCL.  Am I wrong?  Is there some
>>> other option?  Does anyone have any guidance to offer me on which
>>> option to pursue?  Thanks,
>> I would go with the chcon solution you have but instead of hard coding
>> the java_exec_t, I would execute
>> You can get the context of the final destination of the file using
>> chcon `matchpathcon -n /usr/bin/gcl` LOCALPATH/gcl
>> Which seems to be a fine way of doing. this.
> Indeed, but it needs the context type for /usr/bin/gcl to be set to
> java_exec_t or equivalent in the selinux-policy package before it'll
> work.
> Paul.

+/usr/bin/gcl 		       --	gen_context(system_u:object_r:execmem_exec_t,s0)

Will be in selinux-policy-3.5.13-19.fc10
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]