On Tue, 2006-03-14 at 10:29 +0000, Paul Howarth wrote:
> Is there any documentation anywhere on including SELinux Policy Modules
> in packages (e.g. for Extras) in FC5? For instance, is there a directory
> where modules can be dropped so that they get picked up automatically?
> Where should they live?
Yes, this would be useful to document in the Fedora SELinux wiki.
Ideally, policy for a given software package should live in its own
package on which the software package depends so that the package
manager will install (and thus load) the policy before it tries to
unpack the software package (thereby ensuring that any necessary file
types are already defined in the kernel policy), e.g. package foo would
depend on foo-policy. Not certain where the foo-policy package should
drop its policy module, possibly under /usr/share/selinux/foo, and then
it can install it by running semodule -i from its %post scriptlet.
> Consider an example. I have an LDAP-backed addressbook frontend written
> in PHP that runs on apache. So I install the files in /var/www/someplace
> in my package and I need to provide an SELinux module that:
> * Includes the appropriate file contexts for the application's cache
>   directory, which needs to be writable by httpd
> * Gives httpd permission to contact LDAP servers over the network (i.e.
>   ports 389 and 636)
> Is it possible to turn on the httpd_builtin_scripting boolean from a
> module (the app is written in PHP and needs this)? Is it even sensible
> to try to do this, or should there just be a README.SELinux telling people
> they need to do this themselves?
Not sure if enabling the boolean is the right model there vs. "calling"
an interface from your module to enable those rules unconditionally when
your module is loaded, because you want the behavior reverted if/when
your module is removed but other modules might likewise want the same
rules or the admin may have a local customization already. The
foo-policy package could certainly call setsebool -P from %post, but I
doubt that is the right approach.
> Should the module be loaded in a %post script?
Yes, but ideally from a foo-policy package on which foo depends, so that
it is loaded before unpacking foo (so that the file contexts can be set
down properly).
> Some guidelines would no doubt be appreciated by many people.
--
Stephen Smalley
National Security Agency
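The following is an added example, not part of the thread and not code from either poster, showing how a foo-policy package laid out the way Stephen describes could look: the module lives under /usr/share/selinux/foo, is loaded with semodule -i from %post and removed from %postun, and the foo package would declare "Requires(pre): foo-policy" so the policy is in place before foo's files are unpacked. The package name "foo", the /var/www/someplace path and the cache subdirectory are placeholders taken from Paul's description; the reference-policy interface names used in the .te file (files_type, corenet_tcp_connect_ldap_port, corenet_tcp_sendrecv_ldap_port, gen_require) and the /usr/share/selinux/devel/Makefile build method are assumed to match the selinux-policy-devel package of the target release and should be checked against /usr/share/selinux/devel/include before building.

```spec
# Added example (not from the thread): a minimal foo-policy package.
# "foo", /var/www/someplace and the refpolicy interface names are
# assumptions; verify the interfaces exist in your selinux-policy-devel.
Name:           foo-policy
Version:        1.0
Release:        1
Summary:        SELinux policy module for the foo web addressbook
License:        GPL
Group:          System Environment/Base
BuildRequires:  selinux-policy-devel, checkpolicy
Requires:       policycoreutils, selinux-policy
BuildArch:      noarch

%description
Defines a writable cache type for foo under /var/www/someplace and lets
httpd_t connect to LDAP servers. The foo package declares
"Requires(pre): foo-policy" so this module is loaded before foo is
unpacked and rpm can label foo's files with the types defined here.

%prep
%setup -c -T
# Policy source is written inline to keep the example self-contained;
# a real package would ship foo.te and foo.fc as Source files.
cat > foo.te <<'EOF'
policy_module(foo, 1.0)

gen_require(`
	type httpd_t;
')

# Cache directory httpd may write to. files_type() marks it as an
# ordinary file type so the generic file-handling rules apply to it.
type httpd_foo_rw_t;
files_type(httpd_foo_rw_t)

allow httpd_t httpd_foo_rw_t:dir  manage_dir_perms;
allow httpd_t httpd_foo_rw_t:file manage_file_perms;

# Outbound LDAP: ldap_port_t covers tcp 389 and 636 in refpolicy's
# corenetwork module (assumed interface names).
corenet_tcp_connect_ldap_port(httpd_t)
corenet_tcp_sendrecv_ldap_port(httpd_t)

# httpd_builtin_scripting is deliberately not touched here: as the thread
# notes, a global boolean flipped by one module cannot be safely reverted
# when that module is removed, so enabling it is left to the administrator
# (document "setsebool -P httpd_builtin_scripting 1" in README.SELinux).
EOF

cat > foo.fc <<'EOF'
/var/www/someplace/cache(/.*)?	gen_context(system_u:object_r:httpd_foo_rw_t,s0)
EOF

%build
# selinux-policy-devel ships this Makefile; it compiles foo.te and foo.fc
# into the loadable module foo.pp via checkmodule and semodule_package.
make -f %{_datadir}/selinux/devel/Makefile foo.pp

%install
rm -rf %{buildroot}
install -d %{buildroot}%{_datadir}/selinux/foo
install -m 0644 foo.pp %{buildroot}%{_datadir}/selinux/foo/foo.pp

%post
# Load (or upgrade) the module. This also regenerates file_contexts, so
# rpm labels foo's files correctly when foo is installed afterwards.
semodule -i %{_datadir}/selinux/foo/foo.pp || :

%postun
# $1 is 0 on erase and >= 1 on upgrade: only unload on a real removal,
# otherwise the new version's %post would have nothing left to upgrade.
if [ $1 -eq 0 ]; then
    semodule -r foo || :
fi

%files
%defattr(-,root,root,-)
%{_datadir}/selinux/foo/foo.pp
```

After installing foo-policy, `semodule -l` should list foo and `matchpathcon /var/www/someplace/cache` should return httpd_foo_rw_t, which is the check that foo's later unpack will pick up the right label.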