What to do if a package needs a modified SELinux policy?

Jonathan Underwood jonathan.underwood at gmail.com
Mon May 30 10:35:43 UTC 2011


On 30 May 2011 09:52, Kurt Seifried <kurt at seifried.org> wrote:
> I'm experimenting with a package that needs to have rsyslog write to a
> named fifo pipe (so log data can be handed off from rsyslog to an
> external program). As I see it the options are:
>
> 1) apologize to the user and tell them to disable SELinux (no thanks)
> 2) get Fedora SELinux policy to add an exception (best case scenario I think)
> 3) tell the user how to manually modify policy and update it (which
> might then break the next time SELinux policy gets updated/etc.).
>
> Is there any official process/advice for this? Thanks in advance.

I've found in the past that Dan et al. are pretty quick to respond if
you file a bug request asking for a change in policy for packages I
maintain in Fedora.

Of course, there's also a fourth alternative which is to ship an
SELinux module for your application in the package itself. It seems
like there was some work towards a standard for that, which seems to
have stalled:

http://fedoraproject.org/wiki/PackagingDrafts/SELinux/PolicyModules

J.
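
A sketch of what a package-shipped policy module for the FIFO case in this thread could look like, added here as an illustration and not taken from the thread or from Fedora's policy. The module name, the `mypkg_fifo_t` type and the FIFO path are hypothetical, and it assumes rsyslogd runs as `syslogd_t` and opens the pipe read-write.

```selinux
# mypkg_rsyslog.te: constructed example; every "mypkg" name is hypothetical.
policy_module(mypkg_rsyslog, 1.0.0)

# syslogd_t is the domain rsyslogd runs in under the targeted policy.
gen_require(`
	type syslogd_t;
')

# Dedicated type for the FIFO, so the grant covers this one object and
# does not widen rsyslog's access to anything else on the system.
type mypkg_fifo_t;
files_type(mypkg_fifo_t)

# Assumption: the FIFO is opened read-write (so the open does not block
# when no reader is attached). If the audit log shows no read access is
# needed, narrow this to write_fifo_file_perms.
allow syslogd_t mypkg_fifo_t:fifo_file rw_fifo_file_perms;

# Companion file-context entry (mypkg_rsyslog.fc); "-p" matches named pipes:
#   /var/run/mypkg/log\.fifo  -p  gen_context(system_u:object_r:mypkg_fifo_t,s0)
#
# Build:   make -f /usr/share/selinux/devel/Makefile mypkg_rsyslog.pp
# Install: semodule -i mypkg_rsyslog.pp      (for example from the RPM %post)
# Relabel: restorecon -v /var/run/mypkg/log.fifo
# Remove:  semodule -r mypkg_rsyslog         (for example from %postun)
```

If the external program reading the FIFO runs in a confined domain, that domain needs its own `allow` rule on `mypkg_fifo_t`; `ausearch -m avc -ts recent` shows any remaining denials after the module is loaded.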