9:18 a.m.
Hi,
Been looking around for quite some time and have found very little about
how one is
supposed to create rpm packages with selinux content.
Specifically I'm trying to create a rpm package of trac
http://projects.edgewall.com/trac/.
The Wiki there suggests .fc and .te files for it
http://projects.edgewall.com/trac/wiki/TracWithSeLinux.
How would you recommend I go about this project. Does selinux contain a
system
for plugging in .te and .fc files so contexts are recognized during the
package install or
should I submitt these files for inclusion in the normal policy packages
and wait for it
to hit the fans?
Do anyone have any pointers to best practis in these situations? What
can the .spec file
do in order to keep track of selinux permissions etc.
Thankful for any help,
/Nicke
--
JID nicke(a)im.exinor.net
9:35 a.m.
On Wed, 2005-12-07 at 16:18 +0100, Nicklas Norling wrote:
Been looking around for quite some time and have found very little
about
how one is
supposed to create rpm packages with selinux content.
Specifically I'm trying to create a rpm package of trac
http://projects.edgewall.com/trac/.
The Wiki there suggests .fc and .te files for it
http://projects.edgewall.com/trac/wiki/TracWithSeLinux.
How would you recommend I go about this project. Does selinux contain a
system
for plugging in .te and .fc files so contexts are recognized during the
package install or
should I submitt these files for inclusion in the normal policy packages
and wait for it
to hit the fans?
Do anyone have any pointers to best practis in these situations? What
can the .spec file
do in order to keep track of selinux permissions etc.
Current practice is just to submit patches to the single monolithic
policy to add your .te and .fc files there rather than trying to package
them with your software package. However, FC5 (development) has
incorporated the new support for binary policy modules, which allows
individual .te and .fc files to be precompiled and packaged together and
shipped separate from the base policy package. So it depends on what
you are targeting, e.g. if you are looking ahead to FC5 or just trying
to get things working in FC4.
--
Stephen Smalley
National Security Agency
2:29 p.m.
Nicklas Norling said the following on 07/12/2005 15:18:
Hi,
Been looking around for quite some time and have found very little about
how one is
supposed to create rpm packages with selinux content.
Specifically I'm trying to create a rpm package of trac
http://projects.edgewall.com/trac/.
The Wiki there suggests .fc and .te files for it
http://projects.edgewall.com/trac/wiki/TracWithSeLinux.
How would you recommend I go about this project. Does selinux contain a
system
for plugging in .te and .fc files so contexts are recognized during the
package install or
should I submitt these files for inclusion in the normal policy packages
and wait for it
to hit the fans?
Do anyone have any pointers to best practis in these situations? What
can the .spec file
do in order to keep track of selinux permissions etc.
Nicklas,
One suggestion would be to ensure that the trac repositories are in
/var/www/trac/<project> so they inherit from the /var/www parent directory.
I've done this on FC4 and it's working OK for me.
One other thing that isn't listed on the trac wiki is that httpd is not
allowed to send mail by default (I've just posted about this). I've
since worked out how to fix it:
# To find out what policy is required to allow httpd to connect to
# the smtp port, pipe the error msg from the audit.log into audit2allow
audit2allow -i /var/log/audit/audit.log -l
# This produces the following output:
# allow httpd_t smtp_port_t:tcp_socket name_connect;
# Add this new policy rule as a local policy:
vi /etc/selinux/targeted/src/policy/domains/misc/local.te
# add "allow httpd_t smtp_port_t:tcp_socket name_connect;"
# make and activate the policy
cd /etc/selinux/targeted/src/policy/
make load
Not sure if this should be part of the apache policy - it probably
should be a boolean.
R.
6715
days inactive
6715
days old
selinux@lists.fedoraproject.org
2 comments
3 participants
participants (3)
-
Nicklas Norling -
Robin Bowes -
Stephen Smalley