<font face="courier new,monospace"><br></font><br><div class="gmail_quote">On Fri, Feb 14, 2014 at 9:43 AM, Daniel J Walsh <span dir="ltr"><<a href="mailto:dwalsh@redhat.com" target="_blank">dwalsh@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="">
</div><div class="">On 02/14/2014 09:17 AM, Fulko Hew wrote:<br>
> On Fri, Feb 14, 2014 at 8:58 AM, Daniel J Walsh <<a href="mailto:dwalsh@redhat.com">dwalsh@redhat.com</a><br>
</div><div class="">
> On 02/14/2014 08:42 AM, Fulko Hew wrote:<br>
>> I made a package a long time ago, and over the years I've been adding<br>
>> new features, but the correct? support of SELinux has always eluded me.<br>
>> Occasionally I encounter problems with new versions of Fedora and RHEL.<br>
>> Recently I was asked to support the installation of my RPM on RHEL 6<br>
>> systems, and I find that there are new SELinux feature/requirements.<br>
>><br>
>> Its probably me, but I haven't found any instructions/how-tos that have<br>
>> really helped (me) in providing the steps for testing and making a<br>
>> package SELinux compatible. I have something that works on older<br>
>> releases, but I've probably done it wrong.<br>
>><br>
>> There's lots of documentation about its concepts, but not anything that<br>
>> has helped me in porting.<br>
>><br>
>> Scenario:<br>
>><br>
>> Given a working RPM (with SELinux disabled)... what would the process be<br>
>> (with examples) of turning SELinux on, attempting to install and run the<br>
>> various applications, viewing security logs, and turning any errors<br>
>> detected into correct config files/commands that can be included in a<br>
>> spec-file/package.<br>
>><br>
>> Thanks<br>
>><br>
>> Fulko<br></div></blockquote><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="">
> SELinux is a labeling system. You need to make sure any content that you<br>
> provide to confined services is labeled correctly. The way you do this is<br>
> by using a command like semanage fcontext ... in a post install and then<br>
> using restorecon to fix the labels.<br>
><br>
> SELinux also has the concept of booleans which allow users to modify the<br>
> policy on the system. Depending on what you app wants to do you might need<br>
> to modify a boolean.<br>
><br>
> Finally SELinux expects network ports to match some defaults. If you want<br>
> to change the default Network Port then you have to tell SELinux about<br>
> this.<br>
><br>
> semanage port ...<br>
><br>
> SELinux error messages are stored in /var/log/audit/audit.log and called<br>
> avc messages.<br>
><br>
> ausearch -m avc -ts recent<br>
><br>
> Can show you recent avc messages that your system received.<br>
><br>
> For now, my spec file has a bunch of semanage/restorecon command pairs, for<br>
> such things as:<br>
><br>
> semanage fcontext -a -t httpd_sys_script_exec_t myFile semanage fcontext<br>
> -a -t httpd_sys_rw_content_t myOtherFile semanage fcontext -a -t<br>
> httpd_sys_content_t yetOtherFiles<br>
><br>
> a) Is this the 'right' way to do it?<br>
><br>
</div>Well you can combine these into a single transaction, which would speed it up.<br>
<br>
semanage -S targeted -i - << _EOF<br>
boolean -m --on allow_polyinstantiation<br>
boolean -m --on xguest_connect_network<br>
boolean -m --on xguest_mount_media<br>
boolean -m --on xguest_use_bluetooth<br>
_EOF<br>
<br>
This is what the xguest package does.<br><div class=""></div></blockquote><div><font face="courier new,monospace"><br>I'm sorry, but I don't understand how to map your example into my values/example.<br><br>I also have a new problem. I've been testing against F20 Live (KDE) and the<br>
package (policycoreutils-python) that provides semanage isn't installed<br>so semanage isn't available when my RPM is installed.<br>What is the recommended approach?<br><br>a) should I make my package/.spec 'require' policycoreutils-python?<br>
(It would seem unusual to place that burden on package maintainers.)<br>b) Use some other technique to configure/distribute security info.<br> (Is this where policy files come into play?)<br> 1. Where can I find a good example of how to create policy files<br>
given the contents of a .spec<br> 2. And, what needs to be added to a .spec so that the 'policy' is installed?<br><br></font><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="">
> b) an example of the new error/warning is:<br>
><br>
> Feb 13 14:37:58 livecd kernel: type=1400 audit(1392320278.129:151): avc:<br>
> denied { name_connect } for pid=4517 comm="<a href="http://view_status.pl" target="_blank">view_status.pl</a><br>
</div>> <<a href="http://view_status.pl" target="_blank">http://view_status.pl</a>>" dest=27395<br>
<div class="">> scontext=unconfined_u:system_r:httpd_sys_script_t:s0<br>
> tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket<br>
><br>
</div>Well in a perfect world you would write policy for your cgi script. using a<br>
tool like sepolgen or sepolicy generate, depending on whether you are shipping<br>
in RHEL6 or Fedora.<br>
<br>
You could also turn on the httpd_can_network_connect boolean which would allow<br>
apache processes to connect to any ports.<br></blockquote><div><span style="font-family:courier new,monospace"><br>I turns out that I did have code in the %post portion of my .spec to set<br>that boolean, but due to a bug on my part, the boolean wasn't being set<br>
under certain conditions.<br> </span><br></div></div>