If I remember correctly, someone posted a guideline for making an RPM package which contains a binary security policy, several weeks ago.
If you know the URL, would you tell me the location?
There is a draft guide at: http://fedoraproject.org/wiki/PackagingDrafts/SELinux/PolicyModules
Thanks so much!
I have a comment for the Policy Module Packaging Guideline.
The document says every *.pp file should be installed for every kind of policy (targeted, strict, mls) in the %post section. However, this can cause a problem when some of the policies are not installed yet.
When we try to install an application that includes a policy package on a system which has only the targeted policy, installation of the *.pp files for strict/mls will fail, needless to say. If we want to install selinux-policy-strict or -mls later, the orphan *.pp files are not linked automatically because "/usr/bin/semodule -i" is not invoked. It causes a simple problem, but one that is a bit difficult to find.
I have an idea that uses "%triggerin" to invoke "/usr/bin/semodule -i" to link the orphan *.pp files on later installation of the selinux-policy-* packages, as follows:
----------------
%triggerin -- selinux-policy-targeted
# $2 is the number of instances of the triggering package (selinux-policy-targeted)
# left after this transaction: 1 means a fresh install rather than an upgrade.
if [ $2 -eq 1 ]; then
  /usr/sbin/semodule -s targeted -i %{_datadir}/selinux/targeted/mymodule.pp > /dev/null 2>&1 || :
fi

%triggerin -- selinux-policy-strict
if [ $2 -eq 1 ]; then
  /usr/sbin/semodule -s strict -i %{_datadir}/selinux/strict/mymodule.pp > /dev/null 2>&1 || :
fi

%triggerin -- selinux-policy-mls
if [ $2 -eq 1 ]; then
  /usr/sbin/semodule -s mls -i %{_datadir}/selinux/mls/mymodule.pp > /dev/null 2>&1 || :
fi
----------------
If the application is installed on a system which already has selinux-policy-strict, "%triggerin -- selinux-policy-strict" will be invoked just when the application is installed, so there is no degradation.
Thanks,
By the way, I'm seeking sponsors who can review the SE-PostgreSQL package.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=249522
If you can volunteer for the review process, please contact me.
Thanks,
-- KaiGai Kohei kaigai@kaigai.gr.jp
KaiGai Kohei wrote:
> I have an idea that uses "%triggerin" to invoke "/usr/bin/semodule -i" to link the orphan *.pp files on later installation of the selinux-policy-* packages, as follows:
> %triggerin -- selinux-policy-targeted
> if [ $2 -eq 1 ]; then
>   /usr/sbin/semodule -s targeted -i %{_datadir}/selinux/targeted/mymodule.pp > /dev/null 2>&1 || :
> fi
>
> %triggerin -- selinux-policy-strict
> if [ $2 -eq 1 ]; then
>   /usr/sbin/semodule -s strict -i %{_datadir}/selinux/strict/mymodule.pp > /dev/null 2>&1 || :
> fi
>
> %triggerin -- selinux-policy-mls
> if [ $2 -eq 1 ]; then
>   /usr/sbin/semodule -s mls -i %{_datadir}/selinux/mls/mymodule.pp > /dev/null 2>&1 || :
> fi
> If the application is installed on a system which already has selinux-policy-strict, "%triggerin -- selinux-policy-strict" will be invoked just when the application is installed, so there is no degradation.
Looks sane to me, though it would be nice if there were some way of expressing this once rather than duplicating it for each policy type. Can't think of any way of doing that, though.
Paul.
Paul Howarth wrote:
> Looks sane to me, though it would be nice if there were some way of expressing this once rather than duplicating it for each policy type. Can't think of any way of doing that, though.
I tried to find a way to describe it once without duplication, but I could not come up with a good idea.
If we could describe them like "%triggerin -- selinux-policy-*", it would be better. Please tell me if anyone knows a more appropriate way to describe it.
Thanks,
-- KaiGai Kohei kaigai@kaigai.gr.jp
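The trigger idea in KaiGai's first message, and the wish in the last two messages to write the per-variant logic once, can both be served by a small helper that a spec file's %post and each %triggerin call with the module name. The helper links the module only into policy stores that actually exist and are not already carrying it, so the "orphan *.pp" failure mode from the first message cannot occur silently. This is an added example, not code from the thread or from the Fedora guideline; the environment variables, the directory layout under /etc/selinux and /usr/share/selinux, and the expectation that "semodule -s STORE -l" prints one module name per line are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: one helper that links a policy
# module into every SELinux policy store that is actually present, so a spec
# file's %post and each per-variant %triggerin can call it instead of
# repeating the semodule invocation.
#
# Assumed layout (constructed for this example; override via environment):
#   SELINUX_ROOT     directory holding one store per variant (default /etc/selinux)
#   MODULE_DIR       where the packaged *.pp files live (default /usr/share/selinux)
#   SEMODULE         the semodule command (default /usr/sbin/semodule)
#   SELINUX_VARIANTS variants to consider (default "targeted strict mls")
SELINUX_ROOT=${SELINUX_ROOT:-/etc/selinux}
MODULE_DIR=${MODULE_DIR:-/usr/share/selinux}
SEMODULE=${SEMODULE:-/usr/sbin/semodule}
SELINUX_VARIANTS=${SELINUX_VARIANTS:-"targeted strict mls"}

# present_variants: print, one per line, each variant whose policy store
# directory exists.  Variants without a store are the ones whose *.pp would
# be left orphaned by a plain "semodule -i" loop in %post.
present_variants() {
    for v in $SELINUX_VARIANTS; do
        if [ -d "$SELINUX_ROOT/$v" ]; then
            printf '%s\n' "$v"
        fi
    done
}

# module_loaded VARIANT NAME: true if NAME already appears in the store's
# module list (assumes "semodule -s VARIANT -l" prints one module per line,
# name in the first column).
module_loaded() {
    "$SEMODULE" -s "$1" -l 2>/dev/null | awk '{print $1}' | grep -qx "$2"
}

# link_module NAME: install NAME.pp into each present store where it is not
# loaded yet.  Prints one line per variant: "linked", "skipped" (store absent,
# file absent or already loaded) or "failed" (semodule returned an error).
link_module() {
    name=$1
    for v in $SELINUX_VARIANTS; do
        pp="$MODULE_DIR/$v/$name.pp"
        if [ ! -d "$SELINUX_ROOT/$v" ] || [ ! -f "$pp" ]; then
            echo "skipped $v"
        elif module_loaded "$v" "$name"; then
            echo "skipped $v"
        elif "$SEMODULE" -s "$v" -i "$pp" >/dev/null 2>&1; then
            echo "linked $v"
        else
            echo "failed $v"
        fi
    done
}

# Run directly: link-module.sh <module-name>
if [ $# -gt 0 ]; then
    link_module "$1"
fi
```

With this in place, %post and each %triggerin reduce to one call such as "link-module.sh mymodule"; the helper checks the store itself, so the triggers need no "$2" test. Each %triggerin still has to name one target package, because an RPM trigger target is a package name rather than a pattern, so the per-variant trigger headers remain; what the helper removes is the repeated shell body.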
selinux@lists.fedoraproject.org