<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Wed, Feb 5, 2014 at 9:05 PM, Adam Williamson <span dir="ltr"><<a href="mailto:awilliam@redhat.com" target="_blank">awilliam@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">On Wed, 2014-02-05 at 13:24 -0600, Richard Shaw wrote:<br>
> Are there official guidelines on how to handle selinux contexts in<br>
> packaging? I can still only find the draft which seems way more<br>
> complicated than necessary for my needs.<br>
><br>
><br>
> I'm working on a package that uses mongodb internally (runs it's own<br>
> instance).<br>
<br>
</div>Does it *contain* its own copy of mongodb or just *run the system copy*<br>
in a special way?</blockquote><div><br></div><div>It runs an instance of the system mongodb via a symbolic link within it's own bin folder (the symbolic link being the only thing in the bin folder).</div><div><br></div>
<div>I guess I was intentionally not saying what software I was packaging because it's not FOSS... It's the controller for Ubiquity and it's java based. It will have to go into RPM Fusion non-free but if you have one of their access points I haven't found any other way to configure them. I think it's preferable to have the controller on your own Fedora/RHEL server than be forced to run it in a windows VM.</div>
<div><br></div><div>It runs "self-contained" except for the symbolic link to the mongod executable.</div><div><br></div><div>I tried splitting it up between /usr/shared/unifi for the static bits and symlink over to /var/lib/unifi for the writable bits but it was getting way too complicated for me, so for now I have everything going into /var/lib/unifi. I adopted and modified a systemd service file and have it working well with selinux in permissive mode running as its own user (unifi).</div>
<div><br></div><div>I just really don't know enough about selinux to put together a policy for it, though I've been doing some reading today along those lines.</div><div><br></div><div>One interesting part is it uses port 8080 which it redirects to 8443 for a secure connection, which seems to work ok, but the default db port is 27117 which is in unreserverd_port_t... I assume I need to grab that for mongod?</div>
<div><br></div><div>Thanks,</div><div>Richard</div></div></div></div>