RPM to include SELinux information?
Dmitry Makovey
dmitry at athabascau.ca
Mon Nov 7 23:10:53 UTC 2011
On Monday, November 07, 2011, lists at alderfamily.org wrote:
> I know this doesn't answer your question regarding spec file contents; and
> I see your issue. But you might want to check out the "semanage" command.
> "chcon" isn't going to persist if selinux does a relabel (which happens
> regularly in some environments).
>
> You might want to check out the section "5.7.2 Persistent Changes: semanage
> fcontext" here.
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/pdf/Security-Enhanced_Linux/Red_Hat_Enterprise_Linux-6-Beta-Security-Enhanced_Linux-en-US.pdf
Thanks Steve! After a bit of browsing around I have compiled a list of
resources (in case others are looking):
* Fedora SELinux documentation <http://fedoraproject.org/wiki/SELinux>
* Fedora SELinux FAQ <http://docs.fedoraproject.org/en-US/Fedora/13/html/SELinux_FAQ/index.html>
* Fedora's Adding SELinux support to your package
<http://fedoraproject.org/wiki/PackagingDrafts/SELinux>
* RedHat EL6 SELinux Guide <http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/index.html>
* Daniel J Walsh Managing RedHat Enterprise Linux
<http://people.redhat.com/dwalsh/SELinux/Presentations/ManageRHEL5.pdf>
and what I get is that indeed, as you suggested, "semanage fcontext" needs to
be worked into the %post and %postun scriptlets, but it looks... not natural?
After being able to do:
%attr(755,user,group) /blah/foo
adding "semanage fcontext" commands into %post* scriptlets is virtually equivalent
to replacing %attr invocations with explicit chmod and chown in %post*
sections :(
Reading the changelogs for rpm itself
(http://rpm.org/wiki/Releases/4.9.0#SELinuxpolicies), it sounds like 4.9.0
introduces a "...%sepolicy section" while deprecating "%policy". EL6 comes with
rpm-4.8.x. A bit of poking shows:
http://selinuxproject.org/page/RPM#.25policy_section
Does it mean it's applicable in EL6? The SELinux Wiki references a Git repo but
fails to mention what the corresponding version would be.
Is it even advisable to use %[se]policy at all (if they are implemented) or
should we use "crutches" in %post* sections? We're starting to switch over to
SELinux enforcement so we've got quite a few packages to go through and would
rather do it "right" and "portable" the first time. Offloading policy
management to RPM rather than scripting things ourselves is something that
would definitely help in the long run.
--
Dmitry Makovey
Web Systems Administrator
Athabasca University
(780) 675-6245
---
Confidence is what you have before you understand the problem
Woody Allen
When in trouble when in doubt run in circles scream and shout
http://www.wordwizard.com/phpbb3/viewtopic.php?f=16&t=19330
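The scriptlet approach the thread is weighing, written out as an added example (this is not code from the message or from any of the linked guides): a spec fragment that records a persistent file-context rule with "semanage fcontext" in %post, as the quoted reply recommends, and removes it only on erase. It needs nothing beyond rpm's standard scriptlets, so it works with the rpm-4.8.x that ships in EL6 regardless of what %policy/%sepolicy support that version has. The package name (myapp), the path (/srv/myapp) and the chosen type (httpd_sys_content_t) are assumptions picked for illustration.

```spec
# Added example, not from the thread. Package name, path and context type
# are assumptions chosen for illustration.
Name:           myapp
Version:        1.0
Release:        1%{?dist}
Summary:        Example web content package with a persistent SELinux file context
License:        MIT
BuildArch:      noarch

# On EL6 "semanage" is in policycoreutils-python and "restorecon" in
# policycoreutils. Declaring them per scriptlet phase guarantees the tools
# are installed before the scriptlets run, even on a fresh install.
Requires(post):   policycoreutils-python, policycoreutils
Requires(postun): policycoreutils-python

%description
Illustrates registering a file-context rule at install time and dropping it
on erase, instead of a chcon that the next relabel would undo.

%install
mkdir -p %{buildroot}/srv/myapp
echo '<html><body>myapp</body></html>' > %{buildroot}/srv/myapp/index.html

%post
# Record the rule in the policy store (survives relabels), then apply it to
# the files just unpacked. "|| :" keeps the transaction from failing when
# SELinux is disabled or the rule already exists (an upgrade re-runs %post).
semanage fcontext -a -t httpd_sys_content_t "/srv/myapp(/.*)?" 2>/dev/null || :
restorecon -R /srv/myapp 2>/dev/null || :

%postun
# $1 is 0 on erase and 1 on upgrade: only delete the rule when the package
# is really going away, otherwise the upgraded files would lose their label
# at the next relabel.
if [ $1 -eq 0 ]; then
    semanage fcontext -d -t httpd_sys_content_t "/srv/myapp(/.*)?" 2>/dev/null || :
fi

%files
%dir /srv/myapp
/srv/myapp/index.html
```

After installing the package, "semanage fcontext -l | grep /srv/myapp" should show the rule in the local store and "ls -Z /srv/myapp" should show httpd_sys_content_t on the files; after "rpm -e myapp" the grep should come back empty. Note that the rule is keyed on the regex string, so the %postun must use exactly the same pattern as %post or the deletion silently does nothing (the "|| :" would hide that too).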