Looking for the right, but easy way to add SELinux setup into my package/RPM

Fulko Hew fulko.hew at gmail.com
Fri Feb 14 14:17:46 UTC 2014


On Fri, Feb 14, 2014 at 8:58 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:

> On 02/14/2014 08:42 AM, Fulko Hew wrote:
> > I made a package a long time ago, and over the years I've been adding new
> > features, but the correct? support of SELinux has always eluded me.
> > Occasionally I encounter problems with new versions of Fedora and RHEL.
> > Recently I was asked to support the installation of my RPM on RHEL 6
> > systems, and I find that there are new SELinux features/requirements.
> >
> > It's probably me, but I haven't found any instructions/how-tos that have
> > really helped (me) in providing the steps for testing and making a package
> > SELinux compatible.  I have something that works on older releases, but
> > I've probably done it wrong.
> >
> > There's lots of documentation about its concepts, but not anything that has
> > helped me in porting.
> >
> > Scenario:
> >
> > Given a working RPM (with SELinux disabled)... what would the process be
> > (with examples) of turning SELinux on, attempting to install and run the
> > various applications, viewing security logs, and turning any errors
> > detected into correct config files/commands that can be included in a
> > spec-file/package.
> >
> > Thanks
> >
> > Fulko
> >
> >
> SELinux is a labeling system. You need to make sure any content that you
> provide to confined services is labeled correctly.  The way you do this is
> by using a command like semanage fcontext ...  in a post install and then
> using restorecon to fix the labels.
>
> SELinux also has the concept of booleans which allow users to modify the
> policy on the system.  Depending on what your app wants to do you might
> need to modify a boolean.
>
> Finally SELinux expects network ports to match some defaults.  If you want
> to change the default Network Port then you have to tell SELinux about this.
>
> semanage port ...
>
> SELinux error messages are stored in /var/log/audit/audit.log and called
> avc messages.
>
> ausearch -m avc -ts recent
>
> Can show you recent avc messages that your system received.
>

For now, my spec file has a bunch of semanage/restorecon command pairs,
for such things as:

semanage fcontext -a -t httpd_sys_script_exec_t   myFile
semanage fcontext -a -t httpd_sys_rw_content_t    myOtherFile
semanage fcontext -a -t httpd_sys_content_t       yetOtherFiles

a) Is this the 'right' way to do it?

b) An example of the new error/warning is:

Feb 13 14:37:58 livecd kernel: type=1400 audit(1392320278.129:151): avc:
denied  { name_connect } for  pid=4517 comm="view_status.pl" dest=27395
scontext=unconfined_u:system_r:httpd_sys_script_t:s0
tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
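As an added example (not code from the thread or from either poster), a POSIX sh script that does the two things Daniel describes: pull the deciding fields out of an AVC line like the one above, and emit the %post/%postun scriptlet pair that couples semanage fcontext with restorecon in the spec file. The AVC sample is constructed from the line quoted above; TYPE in the port hint and the /var/www/myapp paths are placeholders.

```shell
# Constructed sample, modelled on the AVC line quoted in the thread
AVC_SAMPLE='type=1400 audit(1392320278.129:151): avc:  denied  { name_connect } for  pid=4517 comm="view_status.pl" dest=27395 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket'

# avc_field LINE KEY: value of KEY=... with surrounding quotes stripped
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE: first permission named inside { ... }
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^ }]*\) *}.*/\1/p'
}

# ctx_type CONTEXT: the type component of user:role:type:level
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}
# avc_summary LINE: "PERM SOURCE_TYPE TARGET_TYPE CLASS", the four facts that
# decide whether a file label, a boolean or a port mapping is the right fix
avc_summary() {
    printf '%s %s %s %s\n' "$(avc_perm "$1")" \
        "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(ctx_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)"
}

# avc_hint LINE: name_connect denied against the generic port_t label means the
# port has no specific type; print the semanage port form that assigns one
# (TYPE is a placeholder; enabling a boolean is the alternative, see getsebool -a)
avc_hint() {
    set -- $(avc_summary "$1") "$(avc_field "$1" dest)"
    if [ "$1" = name_connect ] && [ "$3" = port_t ]; then
        printf 'semanage port -a -t TYPE -p %s %s\n' "${4%_socket}" "$5"
    fi
}

# fcontext_scriptlets TYPE PATH_REGEX PATH: %post/%postun lines for the spec in
# the Fedora guideline form; the mapping is dropped only on final erase, not on upgrade
fcontext_scriptlets() {
    cat <<EOF
%post
semanage fcontext -a -t $1 '$2' 2>/dev/null || :
restorecon -R '$3' || :
%postun
if [ \$1 -eq 0 ]; then
    semanage fcontext -d -t $1 '$2' 2>/dev/null || :
fi
EOF
}
```

On RHEL 6 semanage comes from policycoreutils-python, so the spec also needs Requires(post): policycoreutils-python for the %post scriptlet to work at install time.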