change Selinux context in %post?

Miroslav Suchý msuchy at redhat.com
Thu Feb 6 08:49:30 UTC 2014


On 02/05/2014 08:24 PM, Richard Shaw wrote:
> Are there official guidelines on how to handle selinux contexts in packaging? I can still only find the draft which
> seems way more complicated than necessary for my needs.
>
> I'm working on a package that uses mongodb internally (runs its own instance). Selinux is complaining because it has
> mongodb creating the database (and logs) outside of the normal locations.
>
> I think I can fix this with a "chcon -t mongod_var_lib_t %{_sharedstatedir}/db/location" and "chcon -t mongod_log_t
> /log/path" or something like that.
>
> Is it a good idea to do this in %post?

I do not think there is a general guideline.

As others suggested - it is a bad idea to call chcon explicitly. You should rather write your own selinux policy (it is not
that hard, really) and call restorecon or fixfiles.

You should not call it in %post because the selinux policy can be loaded after your %post. The story about this is a little
bit longer and boring. The conclusion is - do that in %posttrans.

You can get some inspiration e.g. in:
https://git.fedorahosted.org/cgit/copr.git/tree/copr.spec
https://git.fedorahosted.org/cgit/copr.git/tree/selinux


-- 
Miroslav Suchy, RHCE, RHCDS
Red Hat, Senior Software Engineer, #brno, #devexp, #fedora-buildsys
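
The approach recommended in the reply above (ship a small policy module with file-context rules, then relabel in %posttrans), as an added example that is not part of the original message and is not taken from the copr spec. The package name "myapp", its paths and the module name are hypothetical; mongod_var_lib_t and mongod_log_t are the types named in the question.

```spec
# Added example. "myapp", its paths and the module name are assumptions.
#
# myapp.te (built to myapp.pp with the selinux-policy-devel Makefile):
#   policy_module(myapp, 1.0.0)
#   require { type mongod_var_lib_t; type mongod_log_t; }
#
# myapp.fc (persistent labelling rules, instead of a one-off chcon):
#   /var/lib/myapp/db(/.*)?   gen_context(system_u:object_r:mongod_var_lib_t,s0)
#   /var/log/myapp(/.*)?      gen_context(system_u:object_r:mongod_log_t,s0)

Requires:         policycoreutils
Requires(post):   policycoreutils, libselinux-utils
Requires(postun): policycoreutils, libselinux-utils

%install
install -D -p -m 0644 myapp.pp \
    %{buildroot}%{_datadir}/selinux/packages/myapp.pp

%post
# Load the module. This only registers the file-context rules;
# nothing on disk is relabelled here.
if /usr/sbin/selinuxenabled; then
    /usr/sbin/semodule -i %{_datadir}/selinux/packages/myapp.pp || :
fi

%posttrans
# Relabel at the end of the transaction, when the policy is in place.
# restorecon applies whatever the loaded policy says, so a later full
# relabel (fixfiles) yields the same result, unlike a manual chcon.
if /usr/sbin/selinuxenabled; then
    /sbin/restorecon -R %{_sharedstatedir}/myapp/db \
                        %{_localstatedir}/log/myapp || :
fi

%postun
# On final erase ($1 is 0) remove the module; keep it on upgrade.
if [ $1 -eq 0 ] && /usr/sbin/selinuxenabled; then
    /usr/sbin/semodule -r myapp || :
fi

%files
%{_datadir}/selinux/packages/myapp.pp
```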

