[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: SELinux Module Packaging in FC5

Stephen Smalley wrote:
On Tue, 2006-03-14 at 10:29 +0000, Paul Howarth wrote:
Is there any documentation anywhere on including SELinux Policy Modules in packages (e.g. for Extras) in FC5? For instance, is there a directory where modules can be dropped into so that they get picked up aotomatically? Where should they live?

Yes, this would be useful to document in the Fedora SELinux wiki.
Ideally, policy for a given software package should live in its own
package on which the software package depends so that the package
manager will install (and thus load) the policy before it tries to
unpack the software package (thereby ensuring that any necessary file
types are already defined in the kernel policy), e.g. package foo would
depend on foo-policy.  Not certain where the foo-policy package should
drop its policy module, possibly under /usr/share/selinux/foo, and then
it can install it by running semodule -i from its %post scriptlet.

I've tried this and it doesn't quite work as I expected.

I have a main package "contagged" and a subpackage "contagged-policy".

The "contagged" packages has:

Requires:       contagged-policy = %{version}-%{release}
Requires(pre):  contagged-policy = %{version}-%{release}

This ensures that the policy package is installed before the main package, and hangs around as long as the main package itself.

The policy package dumps policy in %{_datadir}/selinux/packages/contagged and uses scriptlets to handle module insertion and removal:

%post policy
[ -x /usr/sbin/semodule ] && /usr/sbin/semodule -i %{_datadir}/selinux/packages/contagged/contagged.pp || :

%postun policy
[ $1 -eq 0 ] && [ -x /usr/sbin/semodule ] && /usr/sbin/semodule -r contagged || :

The only thing the policy module is actually doing is specifying a file context in contagged.fc:

/var/cache/contagged(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)

If contagged-policy is installed first, and then the contagged package is installed (separate rpm transactions), the file contexts get set up as expected. However, if both are done in the same RPM transaction, the packages get installed in the right order (and there is a noticeable delay after installing the policy subpackage where semodule is being called) but the context for directory /var/cache/contagged is left as system_u:object_r:var_t. I suspect that the reason for this is that rpm installs the files for all packages in the transaction and sets their file contexts before running (presumably in order) the %post scripts for the packages.

This rather defeats the purpose of having the separate -policy package, since I need to use restorecon to fix the file contexts at post-install time in case both packages are installed in the same transaction (a likely scenario). I could do this equally well using a single package, but it's untidy (I have to specify the pathnames that need non-standard contexts in both the .fc policy file and as an argument to restorecon in %post). I really prefer the separate package solution, but I think that would need changes in rpm, which might be hard to get done.

Any thoughts?


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]