Hello,
I have a SELinux module that I've packaged following the SELinux Policy Modules Packaging Draft[1] on the Fedora wiki. This module is fairly simple and just adjusts the contexts of some files. The package works well, and automatically activates the module and fixes file labels when it is installed on the running machine using Yum. Unfortunately, it does not work as smoothly if it is installed during initial setup by Anaconda. In this case, the module is available but not activated automatically; I have to manually run `semodule -i …` and `restorecon` on the first boot.
Is there a recommended way to automatically activate a module that was installed from an additional package by Anaconda?
Any ideas or pointers would be greatly appreciated.
[1] http://fedoraproject.org/wiki/SELinux_Policy_Modules_Packaging_Draft
Regards,
On 08/27/2014 04:10 PM, Dustin C. Hatch wrote:
> [...] The package works well, and automatically activates the module and fixes file labels when it is installed on the running machine using Yum. Unfortunately, it does not work as smoothly if it is installed during initial setup by Anaconda. In this case, the module is available but not activated automatically; I have to manually run `semodule -i …` and `restorecon` on the first boot.
>
> Is there a recommended way to automatically activate a module that was installed from an additional package by Anaconda?

Where are you running semodule -i in your spec file?
On 09/02/2014 03:08 PM, Daniel J Walsh wrote:
> Where are you running semodule -i in your spec file?

In the %post scriptlet[1]:

    %post
    for v in %{selinux_variants}; do
        # >&- 2>&- closes stdout and stderr, so anything semodule reports is discarded
        /usr/sbin/semodule -s $v \
            -i %{_datadir}/selinux/$v/%{semodule_name}.pp >&- 2>&- || :
    done
    /sbin/restorecon -R %{basedir} || :

I changed the output redirection to send to a log, and I see this error message:

    /usr/sbin/semodule: SELinux policy is not managed or store cannot be accessed.

[1] http://fedoraproject.org/wiki/SELinux_Policy_Modules_Packaging_Draft#Scriptl...
On 09/05/2014 12:06 AM, Dustin C. Hatch wrote:
> In the %post scriptlet[1]:
> [...]
> I changed the output redirection to send to a log, and I see this error message:
>
> /usr/sbin/semodule: SELinux policy is not managed or store cannot be accessed.

I would go with

    %define selinuxtype targeted
    .. ..
    %post
    # -n: add the module to the store without reloading policy; reload once below if SELinux is on
    %{_sbindir}/semodule -n -s %{selinuxtype} -i %{_datadir}/selinux/packages/%{modulename}.pp
    if %{_sbindir}/selinuxenabled ; then
        %{_sbindir}/load_policy
        %relabel_files
    fi
On 09/05/2014 08:36 AM, Miroslav Grepl wrote:
> I would go with
> [...]
>     if %{_sbindir}/selinuxenabled ; then
>         %{_sbindir}/load_policy
>         %relabel_files
>     fi

Thanks, unfortunately, this has the same overall effect; the module gets loaded automatically when installed by Yum, but not when installed by Anaconda, and the same error message is given in the latter case.

    /usr/sbin/semodule: SELinux policy is not managed or store cannot be accessed.
On 09/05/2014 11:29 AM, Dustin C. Hatch wrote:
> Thanks, unfortunately, this has the same overall effect; the module gets loaded automatically when installed by Yum, but not when installed by Anaconda, and the same error message is given in the latter case.
>
> /usr/sbin/semodule: SELinux policy is not managed or store cannot be accessed.

I tested the openscap-selinux package and while it uses this same technique, it does not suffer from the same issue. I noticed that Anaconda installs it after selinux-policy-targeted, but it installs my packages before. Comparing that spec to mine, I noticed that it specifies selinux-policy-base in Requires(post), but I did not. Adding that changed the installation order, and now my policy is correctly loaded at install time. Would it be possible to update the SELinux Policy Modules Packaging Draft wiki page to include this? Presently, the only dependencies it recommends adding are selinux-policy and policycoreutils.

Thanks for your help!
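Pulling the thread together: the %post Miroslav suggested above, combined with the Requires(post) on selinux-policy-base that fixed the install ordering, in one minimal spec. This is an added example written for this page, not code from the thread or from the Fedora wiki draft. The package and module name (myapp), the relabelled paths under /srv and %{_libexecdir}, the .te/.fc/.if sources and the body of the %relabel_files macro are placeholders.

```spec
# Added example, not from the thread or the Fedora wiki draft: a minimal
# policy module package. Names and paths are placeholders.
%global modulename  myapp
%global selinuxtype targeted

Name:           %{modulename}-selinux
Version:        1.0
Release:        1%{?dist}
Summary:        SELinux policy module for myapp (placeholder package)
License:        GPLv2+
BuildArch:      noarch
Source0:        %{modulename}.te
Source1:        %{modulename}.fc
Source2:        %{modulename}.if

BuildRequires:  selinux-policy-devel

# The post scriptlet needs the policy store under /etc/selinux/targeted to
# exist. selinux-policy-base is the virtual provide carried by
# selinux-policy-targeted, -mls and -minimum; naming it in Requires(post)
# makes rpm install the base policy before this package even when both are
# in the same transaction (yum, or Anaconda during initial install). Without
# it semodule fails with "SELinux policy is not managed or store cannot be
# accessed" because the store directory is not there yet.
Requires(post):   selinux-policy-base
Requires(post):   policycoreutils
Requires(post):   libselinux-utils
Requires(postun): policycoreutils
Requires(postun): libselinux-utils
Requires:         selinux-policy-%{selinuxtype}

%description
Placeholder policy module that adjusts the file contexts of myapp.

# Paths whose contexts this module changes; restorecon fixes their labels
# after the module is loaded or removed. Placeholder paths.
%define relabel_files() \
%{_sbindir}/restorecon -R /srv/%{modulename} %{_libexecdir}/%{modulename} 2>/dev/null || :

%prep
%setup -q -c -T
cp %{SOURCE0} %{SOURCE1} %{SOURCE2} .

%build
make -f %{_datadir}/selinux/devel/Makefile %{modulename}.pp

%install
install -d %{buildroot}%{_datadir}/selinux/packages
install -m 0644 %{modulename}.pp %{buildroot}%{_datadir}/selinux/packages/

%post
# -n adds the module to the store without reloading the kernel policy; the
# reload happens once below, and only if SELinux is enabled (the store can be
# updated even when it is not, which is why load_policy is guarded).
# No output redirection and no trailing "|| :" on semodule: if it fails, the
# diagnostic must reach the log instead of being silently discarded.
%{_sbindir}/semodule -n -s %{selinuxtype} -i %{_datadir}/selinux/packages/%{modulename}.pp
if %{_sbindir}/selinuxenabled ; then
    %{_sbindir}/load_policy
    %relabel_files
fi

%postun
# $1 is 0 on erase and 1 on upgrade; only remove the module on erase, then
# relabel so the files fall back to the contexts of the base policy.
if [ $1 -eq 0 ]; then
    %{_sbindir}/semodule -n -s %{selinuxtype} -r %{modulename}
    if %{_sbindir}/selinuxenabled ; then
        %{_sbindir}/load_policy
        %relabel_files
    fi
fi

%files
%{_datadir}/selinux/packages/%{modulename}.pp
```

The dependency line is the part that matters for Anaconda: rpm orders a package after anything named in its Requires(post) within the same transaction, so the store exists by the time %post calls semodule. Check the built package with `rpm -qp --requires myapp-selinux-1.0-1.noarch.rpm` (selinux-policy-base must be listed), and on a freshly kickstarted system confirm with `semodule -l | grep myapp` and `restorecon -nv -R /srv/myapp` (a dry run that prints only what would still be relabelled).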
On 09/05/2014 07:55 PM, Dustin C. Hatch wrote:
> [...] it does not suffer from the same issue. I noticed that Anaconda installs it after selinux-policy-targeted, but it installs my packages before. Comparing that spec to mine, I noticed that it specifies selinux-policy-base in Requires(post), but I did not. Adding that changed the installation order, and now my policy is correctly loaded at install time. Would it be possible to update the SELinux Policy Modules Packaging Draft wiki page to include this?

Nice catch. You are right, this is a problem with installing in the same transaction.
selinux@lists.fedoraproject.org