On November 23, 2011 11:45, Dmitry Makovey <dmitry(a)athabascau.ca> wrote:
> 1. Can I set up boolean's value from the policy module?

If your policy module creates a new boolean, yes. But if you are
setting a boolean created by another policy module, you should run
"setsebool -P" from the %post section of your RPM.

> 2. I had to manually relabel /usr/libexec/foo* and /var/lib/foo via
> "fixfiles" after I added policy via:
> $ semodule -i foo.pp
> Can I create module in a way that upon its activation it'll relabel all
> needed pieces? (I played with semodule's "-d" and "-e" with no effect)

Make sure that your .fc file properly describes all of the file
contexts. Then, in the %post section of your RPM, run fixfiles and (if
needed) restorecon:

    /sbin/fixfiles -R myapp restore
    /sbin/restorecon -R %{_localstatedir}/lib/foo

In other words: no, I don't know of any way to label files when the
policy is loaded; you will need to install the policy module and then
run fixfiles.

> 3. I have seen several suggestions on how to package and install .pp
> files with RPM:
> http://fedoraproject.org/wiki/PackagingDrafts/SELinux
> vs
> http://selinuxproject.org/page/RPM

This is more complicated, but I recommend
https://fedoraproject.org/wiki/SELinux_Policy_Modules_Packaging_Draft
--
Mark Montague
mark(a)catseye.org
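
The three answers above combined into one set of RPM scriptlets, as an added example that is not part of the original message or of the Fedora packaging draft. The package name foo, the module install path and the boolean name some_existing_boolean are assumptions for illustration.

```spec
# Added example. Assumed names: package "foo", module file foo.pp,
# boolean "some_existing_boolean" (placeholder for a boolean that is
# defined by a different policy module).
%global selinux_moddir %{_datadir}/selinux/packages/%{name}

%install
install -D -m 0644 foo.pp %{buildroot}%{selinux_moddir}/foo.pp

%post
# Runs on first install ($1 = 1) and on upgrade ($1 = 2).
# Load the module first so its .fc entries exist before any relabeling.
# "|| :" keeps a failure here from aborting the RPM transaction.
/usr/sbin/semodule -i %{selinux_moddir}/foo.pp || :
if /usr/sbin/selinuxenabled; then
    # Answer 1: a boolean owned by another module is set persistently.
    /usr/sbin/setsebool -P some_existing_boolean on || :
    # Answer 2: relabel the files this package owns ...
    /sbin/fixfiles -R %{name} restore || :
    # ... and the runtime data directory, whose contents were created
    # after install and are not listed in the RPM database.
    /sbin/restorecon -R %{_localstatedir}/lib/foo || :
fi

%postun
# $1 is 0 only on final erase; on upgrade the module must stay loaded.
if [ "$1" -eq 0 ]; then
    /usr/sbin/semodule -r foo || :
    # Data left behind falls back to the base policy's default contexts.
    if /usr/sbin/selinuxenabled && [ -d %{_localstatedir}/lib/foo ]; then
        /sbin/restorecon -R %{_localstatedir}/lib/foo || :
    fi
fi

%files
%{selinux_moddir}/foo.pp
```

After installing the package, "semodule -l" should list the module and "ls -Z" on /usr/libexec/foo* and /var/lib/foo should show the contexts from the .fc file.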