RPM to include SELinux information?

Dmitry Makovey dmitry at athabascau.ca
Mon Nov 7 23:10:53 UTC 2011


On Monday, November 07, 2011, lists at alderfamily.org wrote:
> I know this doesn't answer your question regarding spec file contents; and
> I see your issue.  But you might want to check out the "semanage" command.
> "chcon" isn't going to persist if selinux does a relabel (which happens
> regularly in some environments).
> 
> You might want to check out the section "5.7.2 Persistent Changes: semanage
> fcontext" here.
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/pdf/Security-Enhanced_Linux/Red_Hat_Enterprise_Linux-6-Beta-Security-Enhanced_Linux-en-US.pdf

Thanks Steve! After a bit of browsing around I have compiled a list of 
resources (in case others are looking):

* Fedora SELinux documentation <http://fedoraproject.org/wiki/SELinux>
* Fedora SELinux FAQ <http://docs.fedoraproject.org/en-US/Fedora/13/html/SELinux_FAQ/index.html>
* Fedora's Adding SELinux support to your package <http://fedoraproject.org/wiki/PackagingDrafts/SELinux>
* RedHat EL6 SELinux Guide <http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/index.html>
* Daniel J Walsh Managing RedHat Enterprise Linux <http://people.redhat.com/dwalsh/SELinux/Presentations/ManageRHEL5.pdf>

and what I get is that indeed, as you suggested "semanage fcontext" needs to 
be worked into the %post and %postun scriptlets but it looks... not natural? 
After being able to do:

%attr(755,user,group) /blah/foo

adding "semanage fcontext" commands into %post* scriptlets is virtually equal 
to replacement of %attr invocations with explicit chmod and chown in %post* 
sections :(

Reading changelogs for rpm itself ( 
http://rpm.org/wiki/Releases/4.9.0#SELinuxpolicies ), it sounds like 4.9.0 
introduces "...%sepolicy section" while deprecating "%policy". EL6 comes with 
rpm-4.8.x. A bit of poking shows:

http://selinuxproject.org/page/RPM#.25policy_section

Does it mean it's applicable in EL6? SELinux Wiki is referencing Git repo but 
fails to mention what would be the corresponding version. 

Is it even advisable to use %[se]policy at all (if they are implemented) or 
should we use "crutches" in %post* sections? We're starting to switch over to 
SELinux enforcement so we've got quite a few packages to go through and would 
rather do it "right" and "portable" the first time. Offloading policy 
management to RPM rather than scripting things ourselves is something that 
would definitely help in the long run.

-- 
Dmitry Makovey
Web Systems Administrator
Athabasca University
(780) 675-6245
---
Confidence is what you have before you understand the problem
    Woody Allen

When in trouble when in doubt run in circles scream and shout 
     http://www.wordwizard.com/phpbb3/viewtopic.php?f=16&t=19330
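For readers comparing the two approaches, here is what the %post/%postun "crutch" from the message above looks like as a spec fragment. This is an added example, not part of the original thread; the path /blah/foo comes from the message, while the SELinux type httpd_sys_content_t and the package name are assumptions for illustration. The scriptlets persist the label with semanage fcontext, apply it with restorecon, and only remove the rule on final erase (not on upgrade), which is the detail most often got wrong.

```spec
# Assumed: EL6 packaging, where semanage lives in policycoreutils-python
# and restorecon in policycoreutils. Declare them so the scriptlets can
# run, and make the dependency explicit rather than relying on luck.
Requires(post):   policycoreutils-python, policycoreutils
Requires(postun): policycoreutils-python

%files
# Ownership and mode still come from %attr; only the SELinux label
# has to be handled by hand.
%attr(755,user,group) /blah/foo

%post
# Register a persistent file-context rule so a relabel keeps the type
# (plain chcon would be lost on the next relabel). "-a" fails if the
# rule already exists (e.g. on upgrade), so do not abort the install
# on that error; "|| :" keeps the scriptlet exit status zero.
semanage fcontext -a -t httpd_sys_content_t '/blah/foo(/.*)?' 2>/dev/null || :
# Apply the rule to the files just installed.
restorecon -R /blah/foo || :

%postun
# $1 is the number of package instances remaining after this operation:
# 0 means final erase, 1 means an upgrade. On upgrade the new package's
# %post has already run, so deleting the rule here would undo it.
if [ "$1" -eq 0 ]; then
    semanage fcontext -d -t httpd_sys_content_t '/blah/foo(/.*)?' 2>/dev/null || :
fi
```

On a host where the rule did not apply, `matchpathcon /blah/foo` (or `ls -Z`) shows whether the expected type is in place before you chase a policy problem elsewhere.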