<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Mon, Jun 16, 2014 at 1:08 PM, Daniel J Walsh <span dir="ltr"><<a href="mailto:dwalsh@redhat.com" target="_blank">dwalsh@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><div class="">
<br>
<div>On 06/16/2014 01:35 PM, Richard Shaw
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">On Mon, Jun 16, 2014 at 12:19 PM,
Daniel J Walsh <span dir="ltr"><<a href="mailto:dwalsh@redhat.com" target="_blank">dwalsh@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>
<div> <br>
<div>On 06/12/2014 10:14 AM, Richard Shaw wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">On Thu, Jun 12, 2014
at 6:56 AM, Daniel J Walsh <span dir="ltr"><<a href="mailto:dwalsh@redhat.com" target="_blank">dwalsh@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>
<div>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div>The full unifi software
is java with a mongodb
database backend and works
fine. I have a RPM I
created, the only problem
I haven't been able to fix
is the selinux issues, one
for the private mongodb
instance, and then the
ports it binds to. </div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
Please open a bugzilla for the SELinux
issues.</div>
</blockquote>
<div><br>
</div>
<div>Before I open a BZ, here's what I have
in my spec file which from what I
understand should be persistent...</div>
<div><br>
</div>
<div>
<div>%posttrans</div>
<div>/usr/sbin/semanage fcontext -e
/var/lib/mongod
"/var/lib/unifi/logs(/.*)?"</div>
<div>/usr/sbin/semanage fcontext -e
/var/lib/mongod
"/var/lib/unifi/data(/.*)?"</div>
<div>/usr/sbin/semanage port -m -t
mongod_port_t 27117</div>
</div>
<div><br>
</div>
<div>Or should this be handled in a policy?</div>
<div><br>
</div>
<div>Thanks,</div>
<div>Richard</div>
</div>
</div>
</div>
<br>
<br>
</blockquote>
</div>
</div>
I think your post install should look like:<br>
<br>
<div>/usr/sbin/semanage fcontext -e /var/log/mongod
"/var/lib/unifi/logs"</div>
<div>/usr/sbin/semanage fcontext -e /var/lib/mongod
"/var/lib/unifi/data"</div>
<div>
<div>/usr/sbin/semanage port -m -t mongod_port_t 27117</div>
<br>
</div>
Don't use the regex. Also I would figure the logs should
be labeled mongod_log_t rather than mongod_lib_t.<br>
</div>
</blockquote>
<div><br>
</div>
<div>What is the concern with regex? </div>
</div>
</div>
</div>
</blockquote>
<br>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div>Is it specific to packaging? Most of the examples I
found online used that method... As for the label,
since everything is getting dumped in /var/lib I figured
that would be OK. </div>
<div><br>
</div>
</div>
</div>
</div>
</blockquote>
<br></div>
Not a concern with regex; it just will not work. The examples you
have seen online were not using equivalence. They were using
generic labelling.<br>
<br>
Equivalence tells SELinux to swap the second part of the path with
the first. Your code would only match file paths that began with
/var/lib/unifi/logs(/.*)?, not /var/lib/unifi/logs/foobar.log
<div class=""><blockquote type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div><br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
If this is a standard location for this code, we should
put it into the base package.</div>
</blockquote>
<div><br>
</div>
<div>There is not a standard install location, the install
will "work" as long as everything stays in the same
relative location (the unifi directory). Since it writes a
lot of stuff I figured /var was the best (only?) real
option. </div>
<div><br>
</div>
</div>
</div>
</div>
</blockquote></div>
Yes<div class=""><br>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div>Following the example of a draft wiki I can't find
anymore I had modified the scripts to this instead of
using %posttrans:</div>
<div>
<div>%post</div>
<div>semanage fcontext -a -t mongod_var_lib_t \<br>
</div>
<div> "%{_sharedstatedir}/unifi/logs(/.*)?"
2>/dev/null || :</div>
<div>semanage fcontext -a -t mongod_var_lib_t \</div>
<div> "%{_sharedstatedir}/unifi/data(/.*)?"
2>/dev/null || :</div>
<div>restorecon -R %{_sharedstatedir}/unifi/logs || :</div>
<div>restorecon -R %{_sharedstatedir}/unifi/data || :</div>
<div>semanage port -m -t mongod_port_t 27117 || :</div>
<div><br>
</div>
<div>%postun<br>
</div>
<div>if [ $1 -eq 0 ] ; then # final removal<br>
</div>
<div>semanage fcontext -d -t mongod_var_lib_t \</div>
<div> "%{_sharedstatedir}/unifi/logs(/.*)?"
2>/dev/null || :</div>
<div>semanage fcontext -d -t mongod_var_lib_t \</div>
<div> "%{_sharedstatedir}/unifi/data(/.*)?"
2>/dev/null || :</div>
<div>fi</div>
</div>
<div><br>
</div>
<div><br></div></div></div></div>
</blockquote></div>
That should work. You could speed it up by combining both semanage
fcontext lines into a single transaction. Something like:<br>
<br>
semanage -S targeted -i - << _EOF<div class=""><br>
fcontext -a -t mongod_var_lib_t
"%{_sharedstatedir}/unifi/logs(/.*)?"
</div><div class=""><div>fcontext -a -t mongod_var_lib_t
"%{_sharedstatedir}/unifi/data(/.*)?"<br>
</div></div>
_EOF 2>/dev/null || :<br></div></blockquote><div><br></div><div>Ok, just to be clear, I still need to remove the (/.*)? parts? I found the packaging draft I referred to:</div><div><br></div><div><a href="http://fedoraproject.org/wiki/PackagingDrafts/SELinux">http://fedoraproject.org/wiki/PackagingDrafts/SELinux</a><br>
</div><div><br></div><div>Which shows including it.</div><div><br></div><div>Thanks,</div><div>Richard</div></div></div></div>
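<div><br></div><div>As an added illustration (not part of the thread above, and not libselinux or semanage code), the shell functions below model the two labelling mechanisms Dan contrasts: an equivalence rule (<code>semanage fcontext -e</code>), which libselinux applies as a literal path-prefix substitution, and a regex rule (<code>semanage fcontext -a -t TYPE REGEX</code>), which it applies as an anchored regular expression. They also build the stdin for the single-transaction <code>semanage -i -</code> form Dan suggests. The paths and the <code>mongod_var_lib_t</code> type are taken from the thread; the function names and the sample file path are my own, constructed for the demonstration.</div>

```shell
#!/bin/sh
# Added illustration for the thread above: plain-shell models of how an
# equivalence rule (semanage fcontext -e) and a regex rule (semanage
# fcontext -a -t TYPE REGEX) are matched against a path. This is not
# libselinux code; it only reproduces the matching semantics so they can be
# checked on a host without SELinux or root. Function names are my own.

# Equivalence: `semanage fcontext -e EXISTING NEW` records "NEW EXISTING" in
# file_contexts.subs. When labelling, libselinux compares the NEW string
# literally against the start of the path, accepts the match only at a path
# component boundary, and rewrites that prefix to EXISTING before the regex
# lookup. A regex such as "(/.*)?" inside NEW is therefore just literal text.
# Usage: equiv_map EXISTING NEW PATH  -> prints the path actually looked up
equiv_map() {
    existing=$1; new=$2; path=$3
    case $path in
        "$new")   printf '%s\n' "$existing" ;;
        "$new"/*) printf '%s%s\n' "$existing" "${path#"$new"}" ;;
        *)        printf '%s\n' "$path" ;;
    esac
}

# Regex rule: `semanage fcontext -a -t TYPE REGEX` appends REGEX to
# file_contexts.local; libselinux anchors it at both ends, so "(/.*)?" is
# what makes one rule cover the directory itself and everything below it.
# Usage: fcontext_match REGEX PATH  -> exit 0 if PATH is covered
fcontext_match() {
    regex=$1; path=$2
    printf '%s\n' "$path" | grep -Eq "^(${regex})\$"
}

# Batch input for a single `semanage -S targeted -i -` transaction: one
# fcontext line per rule, so the policy store is loaded and committed once
# instead of once per semanage invocation.
# Usage: semanage_batch TYPE REGEX...  -> prints the lines to feed to stdin
semanage_batch() {
    type=$1; shift
    for regex in "$@"; do
        printf 'fcontext -a -t %s "%s"\n' "$type" "$regex"
    done
}

# Constructed sample path for the demonstration.
f=/var/lib/unifi/logs/foobar.log

echo "equivalence with the regex left in (the target string is literal):"
echo "  $f -> $(equiv_map /var/lib/mongod '/var/lib/unifi/logs(/.*)?' "$f")"
echo "equivalence without the regex:"
echo "  $f -> $(equiv_map /var/lib/mongod /var/lib/unifi/logs "$f")"
echo "regex rule with (/.*)? as the Fedora packaging draft shows:"
if fcontext_match '/var/lib/unifi/logs(/.*)?' "$f"; then
    echo "  $f is covered"
else
    echo "  $f is NOT covered"
fi

# In %post, instead of one semanage call per rule:
#   semanage_batch mongod_var_lib_t \
#       "%{_sharedstatedir}/unifi/logs(/.*)?" \
#       "%{_sharedstatedir}/unifi/data(/.*)?" \
#     | semanage -S targeted -i - 2>/dev/null || :
#   restorecon -R %{_sharedstatedir}/unifi/logs %{_sharedstatedir}/unifi/data || :
```

<div>On a real host the same check is <code>matchpathcon /var/lib/unifi/logs/foobar.log</code> after <code>restorecon</code>, which prints the type the policy actually selects, and <code>semanage fcontext -l -C</code>, which lists the local rules and equivalences so you can see which mechanism is in effect.</div>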