change Selinux context in %post?

Richard Shaw hobbes1069 at gmail.com
Thu Feb 6 03:16:19 UTC 2014


On Wed, Feb 5, 2014 at 9:05 PM, Adam Williamson <awilliam at redhat.com> wrote:

> On Wed, 2014-02-05 at 13:24 -0600, Richard Shaw wrote:
> > Are there official guidelines on how to handle selinux contexts in
> > packaging? I can still only find the draft which seems way more
> > complicated than necessary for my needs.
> >
> >
> > I'm working on a package that uses mongodb internally (runs its own
> > instance).
>
> Does it *contain* its own copy of mongodb or just *run the system copy*
> in a special way?


It runs an instance of the system mongodb via a symbolic link within its
own bin folder (the symbolic link being the only thing in the bin folder).

I guess I was intentionally not saying what software I was packaging
because it's not FOSS... It's the controller for Ubiquiti and it's Java
based. It will have to go into RPM Fusion non-free, but if you have one of
their access points I haven't found any other way to configure them. I
think it's preferable to have the controller on your own Fedora/RHEL server
than be forced to run it in a Windows VM.

It runs "self-contained" except for the symbolic link to the mongod
executable.

I tried splitting it up between /usr/shared/unifi for the static bits and
symlink over to /var/lib/unifi for the writable bits but it was getting way
too complicated for me, so for now I have everything going into
/var/lib/unifi. I adopted and modified a systemd service file and have it
working well with selinux in permissive mode running as its own user
(unifi).

I just really don't know enough about selinux to put together a policy for
it, though I've been doing some reading today along those lines.

One interesting part is it uses port 8080 which it redirects to 8443 for a
secure connection, which seems to work ok, but the default db port is 27117
which is in unreserved_port_t... I assume I need to grab that for mongod?

Thanks,
Richard