change Selinux context in %post?
Andrew Lutomirski
luto at mit.edu
Wed Feb 5 19:37:12 UTC 2014
On Wed, Feb 5, 2014 at 11:24 AM, Richard Shaw <hobbes1069 at gmail.com> wrote:
> Are there official guidelines on how to handle selinux contexts in
> packaging? I can still only find the draft which seems way more complicated
> than necessary for my needs.
>
> I'm working on a package that uses mongodb internally (runs its own
> instance). Selinux is complaining because it has mongodb creating the
> database (and logs) outside of the normal locations.
>
> I think I can fix this with a "chcon -t mongod_var_lib_t
> %{_sharedstatedir}/db/location" and "chcon -t mongod_log_t /log/path" or
> something like that.
>
> Is it a good idea to do this in %post?
No. For one thing, the next relabel will blow it away.
That being said, you can sometimes "fix"* this kind of issue by using
something like runcon or setpriv --selinux-label to invoke the binary
that selinux otherwise wants to label in an unfortunate way.
* If pressed, I will actually defend this practice. Just because
you're running the mongodb binary does *not* mean that you're running
something that, from a MAC perspective, should be treated as the
system mongodb daemon. I use a similar trick to get private mysql
instances to work right on apparmor systems.
--Andy
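As an added illustration of the runcon approach Andy describes (example code, not from the list post nor from any Fedora package), here is a service wrapper that launches a package-private mongod under a chosen SELinux type instead of relabelling its data directory in %post. The paths, the placeholder type `private_mongod_t`, and the `getenforce` handling are assumptions.

```shell
#!/bin/sh
# Wrapper for a package-private mongod instance (constructed example).
# Instead of "chcon" in %post, which the next relabel undoes, start the daemon
# in a domain that the loaded policy allows to use the private paths.
DBPATH="${DBPATH:-/var/lib/myapp/db}"           # assumed path
LOGPATH="${LOGPATH:-/var/log/myapp/mongod.log}" # assumed path
TARGET_TYPE="${TARGET_TYPE:-private_mongod_t}"  # placeholder type, not a real policy type

# Report the SELinux mode (Enforcing/Permissive/Disabled); answer "Disabled"
# when the tools are absent, e.g. on a host without SELinux at all.
selinux_mode() {
  if command -v getenforce >/dev/null 2>&1; then
    getenforce 2>/dev/null || echo Disabled
  else
    echo Disabled
  fi
}

# Print the command prefix that places the daemon in type $2 for mode $1.
# "runcon -t" keeps the caller's user/role and swaps only the type; an
# alternative is "setpriv --selinux-label=CONTEXT", which takes a full context.
# With SELinux off there is nothing to do, so the prefix is empty.
launch_prefix() {
  case "$1" in
    Enforcing|Permissive) printf 'runcon -t %s' "$2" ;;
    *) printf '' ;;
  esac
}

start_private_mongod() {
  mode=$(selinux_mode)
  prefix=$(launch_prefix "$mode" "$TARGET_TYPE")
  mkdir -p "$DBPATH" "$(dirname "$LOGPATH")"
  # Word-splitting of $prefix is intended: it expands to "runcon -t TYPE" or
  # to nothing. If the type is unknown to the policy, runcon fails loudly here
  # rather than silently running mongod as the system mongod daemon.
  # shellcheck disable=SC2086
  exec $prefix /usr/bin/mongod --dbpath "$DBPATH" --logpath "$LOGPATH" --fork
}

# Only start when invoked as "wrapper start", e.g. from a systemd unit.
if [ "${1:-}" = start ]; then
  start_private_mongod
fi
```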