<font face="courier new,monospace"><br></font><br><div class="gmail_quote">On Fri, Feb 14, 2014 at 8:58 AM, Daniel J Walsh <span dir="ltr"><<a href="mailto:dwalsh@redhat.com" target="_blank">dwalsh@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA1<br>
<div><div class="h5"><br>
On 02/14/2014 08:42 AM, Fulko Hew wrote:<br>
> I made a package a long time ago, and over the years I've been adding new<br>
> features, but the correct? support of SELinux has always eluded me.<br>
> Occasionally I encounter problems with new versions of Fedora and RHEL.<br>
> Recently I was asked to support the installation of my RPM on RHEL 6<br>
> systems, and I find that there are new SELinux feature/requirements.<br>
><br>
> Its probably me, but I haven't found any instructions/how-tos that have<br>
> really helped (me) in providing the steps for testing and making a package<br>
> SELinux compatible. I have something that works on older releases, but<br>
> I've probably done it wrong.<br>
><br>
> There's lots of documentation about its concepts, but not anything that has<br>
> helped me in porting.<br>
><br>
> Scenario:<br>
><br>
> Given a working RPM (with SELinux disabled)... what would the process be<br>
> (with examples) of turning SELinux on, attempting to install and run the<br>
> various applications, viewing security logs, and turning any errors<br>
> detected into correct config files/commands that can be included in a<br>
> spec-file/package.<br>
><br>
> Thanks<br>
><br>
> Fulko<br>
><br>
><br>
><br>
</div></div>> -- selinux mailing list <a href="mailto:selinux@lists.fedoraproject.org">selinux@lists.fedoraproject.org</a><br>
> <a href="https://admin.fedoraproject.org/mailman/listinfo/selinux" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/selinux</a><br>
><br>
SELinux is a labeling system. You need to make sure any content that you<br>
provide to confined services is labeled correctly. The way you do this is by<br>
using a command like semanage fcontext ... in a post install and then using<br>
restorecon to fix the labels.<br>
<br>
SELinux also has the concept of booleans which allow users to modify the<br>
policy on the system. Depending on what you app wants to do you might need to<br>
modify a boolean.<br>
<br>
Finally SELinux expects network ports to match some defaults. If you want to<br>
change the default Network Port then you have to tell SELinux about this.<br>
<br>
semanage port ...<br>
<br>
SELinux error messages are stored in /var/log/audit/audit.log and called avc<br>
messages.<br>
<br>
ausearch -m avc -ts recent<br>
<br>
Can show you recent avc messages that your system received.<br></blockquote><div><span style="font-family:courier new,monospace"><br>For now, my spec file has a bunch of semanage/restorecon command pairs,<br>for such things as:<br>
<br>semanage fcontext -a -t httpd_sys_script_exec_t myFile<br>semanage fcontext -a -t httpd_sys_rw_content_t myOtherFile <br>semanage fcontext -a -t httpd_sys_content_t yetOtherFiles<br><br>a) Is this the 'right' way to do it?<br>
<br>b) an example of the new error/warning is:<br></span><br><span style="font-family:courier new,monospace">Feb 13 14:37:58 livecd kernel: type=1400 audit(1392320278.129:151): avc: denied { name_connect } for pid=4517 comm="<a href="http://view_status.pl" target="_blank">view_status.pl</a>" dest=27395 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket<br>
<br></span><span style="font-family:courier new,monospace"><br></span></div></div><br>