Hi,
I would like to ask a couple of questions regarding
SELinux configurations:
1) is it valid to change SELinux booleans from within a
specfile (via scripts/triggers)?
2) and adding local rules and making SELinux reload
them (also via scripts/triggers)?
In my particular case, the package syslog-ng [1] needs
to activate the "use_syslogng" SELinux boolean that
exists only after selinux-policy-targeted >= 1.17.30-2.96
(to be correct the boolean exists after release 2.90 but
the rules are more useful/correct after release 2.96 [2]).
I have done the following changes to the base specfile
but I am wondering if they are valid? I remember
reading something a while back that packages *should not*
change SELinux configurations.
-----------------------------------------------------------
...
# SELinux (Fedora Core 3)
Requires(preun): libselinux
Requires(post): libselinux
Requires: selinux-policy-targeted >= 1.17.30-2.96
...
%post
if [ $1 = 1 ]; then
    setsebool -P use_syslogng 1
    ...
fi
%preun
if [ $1 = 0 ]; then
    ...
    setsebool -P use_syslogng 0
fi
...
-----------------------------------------------------------
Feedback would be appreciated.
Thanks in advance,
jpo
References:
[1] Bug 1332 - syslog-ng is a sysklogd replacement
https://bugzilla.fedora.us/show_bug.cgi?id=1332
[2] Fedora Core 3, SELinux, and syslog-ng
See comment #33 of the above ticket
--
José Pedro Oliveira
* mailto: jpo(a)di.uminho.pt *
http://gsd.di.uminho.pt/~jpo *
* gpg fingerprint = F9B6 8D87 859D 1C94 48F0 84C0 9749 9EB5 91BD 851B *
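
An added example, not part of the original message: a shell helper that %post/%preun scriptlets like the ones above could call, so that `setsebool` is attempted only when SELinux is enabled and the boolean is defined, and a failure of the SELinux tools never becomes the scriptlet's exit status. The function name `set_bool_if_possible` and the overridable command variables are assumptions of this example.

```shell
#!/bin/sh
# Added example: guarded SELinux boolean toggle for use from RPM scriptlets.
# The three command names are overridable only so the logic can be exercised
# on a machine without SELinux (an assumption of this example).
: "${SELINUXENABLED:=selinuxenabled}"
: "${GETSEBOOL:=getsebool}"
: "${SETSEBOOL:=setsebool}"

# set_bool_if_possible NAME VALUE
# Prints what happened and always returns 0, so a non-zero exit from the
# SELinux tools never becomes the scriptlet's own exit status.
set_bool_if_possible() {
    name=$1
    value=$2

    # SELinux tools missing or SELinux disabled: nothing to change.
    if ! command -v "$SELINUXENABLED" >/dev/null 2>&1 || ! "$SELINUXENABLED"; then
        echo "skipped: SELinux disabled"
        return 0
    fi

    # Boolean not defined by the loaded policy (e.g. a policy older than the
    # release that introduced it).
    if ! "$GETSEBOOL" "$name" >/dev/null 2>&1; then
        echo "skipped: boolean $name not defined"
        return 0
    fi

    # -P makes the change persistent across reboots, as in the spec above.
    if "$SETSEBOOL" -P "$name" "$value"; then
        echo "set: $name=$value"
    else
        echo "failed: could not set $name"
    fi
    return 0
}

# Scriptlet usage (constructed, mirrors the %post/%preun above):
#   %post:   if [ "$1" = 1 ]; then set_bool_if_possible use_syslogng 1; fi
#   %preun:  if [ "$1" = 0 ]; then set_bool_if_possible use_syslogng 0; fi
```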