Looking for the right, but easy way to add SELinux setup into my package/RPM

Daniel J Walsh dwalsh at redhat.com
Tue Feb 18 14:34:32 UTC 2014



On 02/18/2014 08:55 AM, Fulko Hew wrote:
> 
> 
> On Fri, Feb 14, 2014 at 9:43 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:
> 
> On 02/14/2014 09:17 AM, Fulko Hew wrote:
>> On Fri, Feb 14, 2014 at 8:58 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>> On 02/14/2014 08:42 AM, Fulko Hew wrote:
>>> I made a package a long time ago, and over the years I've been adding 
>>> new features, but the correct? support of SELinux has always eluded
>>> me. Occasionally I encounter problems with new versions of Fedora and
>>> RHEL. Recently I was asked to support the installation of my RPM on
>>> RHEL 6 systems, and I find that there are new SELinux
>>> feature/requirements.
>>> 
>>> It's probably me, but I haven't found any instructions/how-tos that
>>> have really helped (me) in providing the steps for testing and making
>>> a package SELinux compatible.  I have something that works on older 
>>> releases, but I've probably done it wrong.
>>> 
>>> There's lots of documentation about its concepts, but not anything
>>> that has helped me in porting.
>>> 
>>> Scenario:
>>> 
>>> Given a working RPM (with SELinux disabled)... what would the process
>>> be (with examples) of turning SELinux on, attempting to install and run
>>> the various applications, viewing security logs, and turning any
>>> errors detected into correct config files/commands that can be included
>>> in a spec-file/package.
>>> 
>>> Thanks
>>> 
>>> Fulko
> 
> 
> 
>> SELinux is a labeling system. You need to make sure any content that you 
>> provide to confined services is labeled correctly.  The way you do this
>> is by using a command like semanage fcontext ...  in a post install and
>> then using restorecon to fix the labels.
>> 
>> SELinux also has the concept of booleans which allow users to modify the 
>> policy on the system.  Depending on what your app wants to do you might
>> need to modify a boolean.
>> 
>> Finally SELinux expects network ports to match some defaults.  If you
>> want to change the default Network Port then you have to tell SELinux
>> about this.
>> 
>> semanage port ...
>> 
>> SELinux error messages are stored in /var/log/audit/audit.log and called 
>> avc messages.
>> 
>> ausearch -m avc -ts recent
>> 
>> Can show you recent avc messages that your system received.
>> 
>> For now, my spec file has a bunch of semanage/restorecon command pairs,
>> for such things as:
>> 
>> semanage fcontext -a -t httpd_sys_script_exec_t   myFile
>> semanage fcontext -a -t httpd_sys_rw_content_t    myOtherFile
>> semanage fcontext -a -t httpd_sys_content_t       yetOtherFiles
>> 
>> a) Is this the 'right' way to do it?
>> 
> Well you can combine these into a single transaction, which would speed it
> up.
> 
> semanage -S targeted -i - << _EOF
> boolean -m --on allow_polyinstantiation
> boolean -m --on xguest_connect_network
> boolean -m --on xguest_mount_media
> boolean -m --on xguest_use_bluetooth
> _EOF
> 
> This is what the xguest package does.
> 
> 
> I'm sorry, but I don't understand how to map your example into my
> values/example.
> 
> I also have a new problem.  I've been testing against F20 Live (KDE) and
> the package (policycoreutils-python) that provides semanage isn't
> installed so semanage isn't available when my RPM is installed. What is the
> recommended approach?
> 
> a) should I make my package/.spec 'require' policycoreutils-python? (It
> would seem unusual to place that burden on package maintainers.)
Requires(post): policycoreutils-python

> b) Use some other technique to configure/distribute security info. (Is this
> where policy files come into play?)
> 
> 1. Where can I find a good example of how to create policy files given the
> contents of a .spec

I wrote an article on this several years ago.
http://magazine.redhat.com/2007/08/21/a-step-by-step-guide-to-building-a-new-selinux-policy-module/
There is an updated version at access.redhat.com

https://access.redhat.com/site/solutions/117583

sepolicy generate

Is the command I would recommend; on RHEL7 and latest Fedora this will
generate the spec file for you.


> 2. And, what needs to be added to a .spec so that the 'policy' is
> installed?
> 
> 
>> b) an example of the new error/warning is:
>> 
>> Feb 13 14:37:58 livecd kernel: type=1400 audit(1392320278.129:151): avc:
>> denied  { name_connect } for  pid=4517 comm="view_status.pl" dest=27395
>> scontext=unconfined_u:system_r:httpd_sys_script_t:s0
>> tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
>> 
> Well in a perfect world you would write policy for your cgi script. using
> a tool like sepolgen or sepolicy generate, depending on whether you are
> shipping in RHEL6 or Fedora.
> 
> You could also turn on the httpd_can_network_connect boolean which would
> allow apache processes to connect to any ports.
> 
> 
> It turns out that I did have code in the %post portion of my .spec to set 
> that boolean, but due to a bug on my part, the boolean wasn't being set 
> under certain conditions.
> 
> 
> 
> -- selinux mailing list selinux at lists.fedoraproject.org 
> https://admin.fedoraproject.org/mailman/listinfo/selinux
> 
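As an added example (not code from either poster), here is how the semanage fcontext pairs, the httpd_can_network_connect boolean and a port rule map onto the single-transaction `semanage -S targeted -i -` form of the xguest snippet, wrapped in the shape of %post/%postun scriptlet bodies. The paths, the package name "mypkg" and port 8088 are hypothetical placeholders for the package's own values.

```sh
#!/bin/sh
# Added example, not from the thread. Builds the batch that
# "semanage -S targeted -i -" reads, one subcommand per line, so all
# rules are applied in one transaction instead of one semanage run each.
# Paths, "mypkg" and port 8088 are hypothetical placeholders.

# One rule per line: "fcontext PATH_REGEX TYPE", "boolean NAME",
# "port NUMBER PROTO TYPE".
RULES='fcontext /usr/lib/cgi-bin/view_status.pl httpd_sys_script_exec_t
fcontext /var/lib/mypkg(/.*)? httpd_sys_rw_content_t
fcontext /usr/share/mypkg(/.*)? httpd_sys_content_t
boolean httpd_can_network_connect
port 8088 tcp http_port_t'

# Print the semanage batch: "$1" is -a for %post (install) or -d for
# %postun (erase). Booleans are only switched on at install time and left
# alone on removal, since other packages may rely on them.
selinux_batch() {
    op="$1"
    printf '%s\n' "$RULES" | while read -r kind a b c; do
        case "$kind" in
            fcontext) printf 'fcontext %s -t %s %s\n' "$op" "$b" "$a" ;;
            boolean)  if [ "$op" = -a ]; then
                          printf 'boolean -m --on %s\n' "$a"
                      fi ;;
            port)     printf 'port %s -t %s -p %s %s\n' "$op" "$c" "$b" "$a" ;;
        esac
    done
}

# %post scriptlet body: one semanage transaction, then fix labels on disk.
# The spec needs "Requires(post): policycoreutils-python" so semanage exists.
selinux_post() {
    if selinuxenabled 2>/dev/null; then
        selinux_batch -a | semanage -S targeted -i -
        restorecon -R /usr/lib/cgi-bin/view_status.pl /var/lib/mypkg /usr/share/mypkg
    fi
}

# %postun scriptlet body: drop the rules again. Run it only when the
# scriptlet argument is 0 (a full erase), not on an upgrade.
selinux_postun() {
    if selinuxenabled 2>/dev/null; then
        selinux_batch -d | semanage -S targeted -i -
    fi
}

# Preview the transaction that %post would feed to semanage.
selinux_batch -a
```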


