Looking for the right, but easy way to add SELinux setup into my package/RPM
Daniel J Walsh
dwalsh at redhat.com
Tue Feb 18 14:34:32 UTC 2014
On 02/18/2014 08:55 AM, Fulko Hew wrote:
>
>
> On Fri, Feb 14, 2014 at 9:43 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>
> On 02/14/2014 09:17 AM, Fulko Hew wrote:
>> On Fri, Feb 14, 2014 at 8:58 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>> On 02/14/2014 08:42 AM, Fulko Hew wrote:
>>> I made a package a long time ago, and over the years I've been adding
>>> new features, but the correct? support of SELinux has always eluded
>>> me. Occasionally I encounter problems with new versions of Fedora and
>>> RHEL. Recently I was asked to support the installation of my RPM on
>>> RHEL 6 systems, and I find that there are new SELinux
>>> feature/requirements.
>>>
>>> It's probably me, but I haven't found any instructions/how-tos that
>>> have really helped (me) in providing the steps for testing and making
>>> a package SELinux compatible. I have something that works on older
>>> releases, but I've probably done it wrong.
>>>
>>> There's lots of documentation about its concepts, but not anything
>>> that has helped me in porting.
>>>
>>> Scenario:
>>>
>>> Given a working RPM (with SELinux disabled)... what would the process
>>> be (with examples) of turning SELinux on, attempting to install and run
>>> the various applications, viewing security logs, and turning any
>>> errors detected into correct config files/commands that can be included
>>> in a spec-file/package.
>>>
>>> Thanks
>>>
>>> Fulko
>
>
>
>> SELinux is a labeling system. You need to make sure any content that you
>> provide to confined services is labeled correctly. The way you do this
>> is by using a command like semanage fcontext ... in a post install and
>> then using restorecon to fix the labels.
>>
>> SELinux also has the concept of booleans which allow users to modify the
>> policy on the system. Depending on what your app wants to do you might
>> need to modify a boolean.
>>
>> Finally SELinux expects network ports to match some defaults. If you
>> want to change the default Network Port then you have to tell SELinux
>> about this.
>>
>> semanage port ...
>>
>> SELinux error messages are stored in /var/log/audit/audit.log and called
>> avc messages.
>>
>> ausearch -m avc -ts recent
>>
>> Can show you recent avc messages that your system received.
>>
>> For now, my spec file has a bunch of semanage/restorecon command pairs,
>> for such things as:
>>
>> semanage fcontext -a -t httpd_sys_script_exec_t myFile
>> semanage fcontext -a -t httpd_sys_rw_content_t myOtherFile
>> semanage fcontext -a -t httpd_sys_content_t yetOtherFiles
>>
>> a) Is this the 'right' way to do it?
>>
> Well you can combine these into a single transaction, which would speed it
> up.
>
> semanage -S targeted -i - << _EOF
> boolean -m --on allow_polyinstantiation
> boolean -m --on xguest_connect_network
> boolean -m --on xguest_mount_media
> boolean -m --on xguest_use_bluetooth
> _EOF
>
> This is what the xguest package does.
>
>
> I'm sorry, but I don't understand how to map your example into my
> values/example.
>
> I also have a new problem. I've been testing against F20 Live (KDE) and
> the package (policycoreutils-python) that provides semanage isn't
> installed so semanage isn't available when my RPM is installed. What is the
> recommended approach?
>
> a) should I make my package/.spec 'require' policycoreutils-python? (It
> would seem unusual to place that burden on package maintainers.)
Requires(post): policycoreutils-python
> b) Use some other technique to configure/distribute security info. (Is this
> where policy files come into play?) 1. Where can I find a good example of
> how to create policy files given the contents of a .spec
I wrote an article on this several years ago.
http://magazine.redhat.com/2007/08/21/a-step-by-step-guide-to-building-a-new-selinux-policy-module/
There is an updated version at access.redhat.com
https://access.redhat.com/site/solutions/117583
sepolicy generate
Is the command I would recommend, on RHEL7 and latest Fedora this will
generate the spec file for you.
> 2. And, what needs to be added to a .spec so that the 'policy' is
> installed?
>
>
>> b) an example of the new error/warning is:
>>
>> Feb 13 14:37:58 livecd kernel: type=1400 audit(1392320278.129:151): avc:
>> denied { name_connect } for pid=4517 comm="view_status.pl" dest=27395
>> scontext=unconfined_u:system_r:httpd_sys_script_t:s0
>> tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
>>
> Well in a perfect world you would write policy for your cgi script, using
> a tool like sepolgen or sepolicy generate, depending on whether you are
> shipping in RHEL6 or Fedora.
>
> You could also turn on the httpd_can_network_connect boolean which would
> allow apache processes to connect to any ports.
>
>
> It turns out that I did have code in the %post portion of my .spec to set
> that boolean, but due to a bug on my part, the boolean wasn't being set
> under certain conditions.
>
>
>
> -- selinux mailing list selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
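Added example (not code from the thread, not Fulko's spec): Fulko's three fcontext rules and the httpd_can_network_connect boolean combined into one semanage transaction in the batch form Dan showed for xguest, wrapped the way a %post scriptlet would call it. The absolute paths are assumed sample values; the missing-semanage guard covers the F20 Live case.

```shell
#!/bin/sh
# Added example, not code from the thread: Fulko's three fcontext rules
# plus the httpd_can_network_connect boolean, combined into one semanage
# transaction in the batch form Dan showed for xguest, and wrapped the
# way a %post scriptlet would call it. Paths are assumed sample values.

# One semanage subcommand per line, exactly as "semanage -i -" reads them.
# The paths are constructed for this example; use the package's own.
selinux_tx() {
    cat <<'_EOF'
fcontext -a -t httpd_sys_script_exec_t /var/www/cgi-bin/myFile
fcontext -a -t httpd_sys_rw_content_t /var/www/html/myOtherFile
fcontext -a -t httpd_sys_content_t /var/www/html/yetOtherFiles(/.*)?
boolean -m --on httpd_can_network_connect
_EOF
}

# Number of rules in the transaction (for logging in %post).
selinux_tx_count() {
    selinux_tx | grep -c .
}

# %post body. Guarded so an install on a box without policycoreutils-python
# (the F20 Live case) reports and returns instead of aborting the scriptlet;
# the spec still needs "Requires(post): policycoreutils-python".
# SELINUX_DRY_RUN=1 prints the transaction instead of committing it.
selinux_post() {
    if [ -n "${SELINUX_DRY_RUN:-}" ]; then
        selinux_tx
        return 0
    fi
    if ! command -v semanage >/dev/null 2>&1; then
        echo "semanage not found; SELinux setup skipped" >&2
        return 2
    fi
    # "-i -" reads every subcommand and commits them as a single policy
    # rebuild, instead of one rebuild per semanage invocation.
    selinux_tx | semanage -S targeted -i - || return 1
    # fcontext only records the rule; restorecon relabels the files.
    restorecon -R /var/www/cgi-bin/myFile /var/www/html/myOtherFile \
        /var/www/html/yetOtherFiles || return 1
    echo "applied $(selinux_tx_count) SELinux rules"
    return 0
}
```

`fcontext -a` fails when an identical rule already exists, so an upgrade %post should use `-m` or check `semanage fcontext -l` first.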