On Mon, Jun 16, 2014 at 1:08 PM, Daniel J Walsh <dwalsh@redhat.com> wrote:

On 06/16/2014 01:35 PM, Richard Shaw wrote:
On Mon, Jun 16, 2014 at 12:19 PM, Daniel J Walsh <dwalsh@redhat.com> wrote:

On 06/12/2014 10:14 AM, Richard Shaw wrote:
On Thu, Jun 12, 2014 at 6:56 AM, Daniel J Walsh <dwalsh@redhat.com> wrote:
The full unifi software is java with a mongodb database backend and works fine. I have an RPM I created, the only problem I haven't been able to fix is the selinux issues, one for the private mongodb instance, and then the ports it binds to.
Please open a bugzilla for the SELinux issues.

Before I open a BZ, here's what I have in my spec file which from what I understand should be persistent...

%posttrans
/usr/sbin/semanage fcontext -e /var/lib/mongod "/var/lib/unifi/logs(/.*)?"
/usr/sbin/semanage fcontext -e /var/lib/mongod "/var/lib/unifi/data(/.*)?"
/usr/sbin/semanage port -m -t mongod_port_t 27117

Or should this be handled in a policy?

Thanks,
Richard


I think your post install should look like:

/usr/sbin/semanage fcontext -e /var/log/mongod "/var/lib/unifi/logs"
/usr/sbin/semanage fcontext -e /var/lib/mongod "/var/lib/unifi/data"
/usr/sbin/semanage port -m -t mongod_port_t 27117

Don't use the regex. Also I would figure the logs should be labeled mongod_log_t rather than mongod_lib_t.

What is the concern with regex?

Is it specific to packaging? Most of the examples I found online used that method... As far as the label, since everything is getting dumped in /var/lib I figured that would be OK.


Not a concern with regex. It just will not work.  The examples you have seen online were not using equivalence.  They were using generic labelling.

Equivalence tells SELinux to swap the second part of the path with the first.  Your code would only match file paths that began with /var/lib/unifi/logs(/.*?), not /var/lib/unifi/logs/foobar.log

If this is a standard location for this code, we should put it into the base package.

There is not a standard install location, the install will "work" as long as everything stays in the same relative location (the unifi directory). Since it writes a lot of stuff I figured /var was the best (only?) real option. 

Yes

Following the example of a draft wiki I can't find anymore I had modified the scripts to this instead of using %posttrans:
%post
semanage fcontext -a -t mongod_var_lib_t \
    "%{_sharedstatedir}/unifi/logs(/.*)?" 2>/dev/null || :
semanage fcontext -a -t mongod_var_lib_t \
    "%{_sharedstatedir}/unifi/data(/.*)?" 2>/dev/null || :
restorecon -R %{_sharedstatedir}/unifi/logs || :
restorecon -R %{_sharedstatedir}/unifi/data || :
semanage port -m -t mongod_port_t 27117 || :

%postun
if [ $1 -eq 0 ] ; then  # final removal
semanage fcontext -d -t mongod_var_lib_t \
    "%{_sharedstatedir}/unifi/logs(/.*)?" 2>/dev/null || :
semanage fcontext -d -t mongod_var_lib_t \
    "%{_sharedstatedir}/unifi/data(/.*)?" 2>/dev/null || :
fi


That should work.  You could speed it up by combining both semanage fcontext lines into a single transaction. Something like:

semanage -S targeted -i - 2>/dev/null << _EOF || :
fcontext -a -t mongod_var_lib_t "%{_sharedstatedir}/unifi/logs(/.*)?"
fcontext -a -t mongod_var_lib_t "%{_sharedstatedir}/unifi/data(/.*)?"
_EOF

Ok, just to be clear, I still need to remove the (/.*)? parts? I found the packaging draft I referred to:

http://fedoraproject.org/wiki/PackagingDrafts/SELinux

Which shows including it.

Thanks,
Richard
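Dan's distinction between an equivalence rule and a regex fcontext rule is the crux of the thread. The following is an added illustration, not part of the original exchange and not libselinux code: a constructed, simplified Python model of the two lookups, showing why an equivalence rule whose source is the literal text "/var/lib/unifi/logs(/.*)?" matches nothing, while a plain-directory equivalence or a regex fcontext rule labels the files. The mongod rule set and sample paths are constructed for the example.

```python
import re

# Constructed, simplified model (not libselinux) of two SELinux labelling mechanisms:
#  - a regex fcontext rule (semanage fcontext -a -t TYPE "REGEX") is an anchored regex
#    matched against the whole path; the most specific (here: longest) match wins.
#  - an equivalence rule (semanage fcontext -e TARGET SRC) is a literal prefix
#    substitution: SRC is swapped for TARGET before the regex lookup happens.

# Constructed subset of the distribution's mongod file contexts (types from the thread).
FCONTEXT_RULES = [
    (r"/var/lib/mongod(/.*)?", "mongod_var_lib_t"),
    (r"/var/log/mongod(/.*)?", "mongod_log_t"),
]


def apply_equivalence(path, subs):
    """Rewrite PATH with equivalence rules: each (src, dst) swaps a literal prefix.
    Only the directory itself or entries below it are rewritten; a regex in SRC
    is treated as plain characters, which is exactly why it never matches."""
    for src, dst in subs:
        if path == src or path.startswith(src.rstrip("/") + "/"):
            return dst + path[len(src):]
    return path


def label(path, rules=FCONTEXT_RULES, subs=()):
    """Return the type assigned to PATH after equivalence rewriting, or None."""
    path = apply_equivalence(path, subs)
    best = None
    for regex, selinux_type in rules:
        # file_contexts regexes are implicitly anchored at both ends.
        if re.fullmatch(regex, path) and (best is None or len(regex) > len(best[0])):
            best = (regex, selinux_type)
    return best[1] if best else None


# Richard's first attempt: equivalence whose source is the regex text itself.
BROKEN_SUBS = [("/var/lib/unifi/logs(/.*)?", "/var/lib/mongod")]
# Dan's suggestion: equivalence on plain directory paths.
EQUIV_SUBS = [("/var/lib/unifi/logs", "/var/log/mongod"),
              ("/var/lib/unifi/data", "/var/lib/mongod")]
# The alternative Richard moved to: regex fcontext rules with no equivalence.
REGEX_RULES = FCONTEXT_RULES + [(r"/var/lib/unifi/logs(/.*)?", "mongod_var_lib_t"),
                                (r"/var/lib/unifi/data(/.*)?", "mongod_var_lib_t")]
```

Calling label("/var/lib/unifi/logs/foobar.log", subs=BROKEN_SUBS) yields None, while the EQUIV_SUBS and REGEX_RULES variants both assign a mongod type to the same file.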