change Selinux context in %post?

Richard Shaw hobbes1069 at gmail.com
Thu Feb 6 13:39:16 UTC 2014


On Thu, Feb 6, 2014 at 2:49 AM, Miroslav Suchý <msuchy at redhat.com> wrote:

> On 02/05/2014 08:24 PM, Richard Shaw wrote:
>
>> Are there official guidelines on how to handle selinux contexts in
>> packaging? I can still only find the draft which
>> seems way more complicated than necessary for my needs.
>>
>> I'm working on a package that uses mongodb internally (runs its own
>> instance). Selinux is complaining because it has
>> mongodb creating the database (and logs) outside of the normal locations.
>>
>> I think I can fix this with a "chcon -t mongod_var_lib_t
>> %{_sharedstatedir}/db/location" and "chcon -t mongod_log_t
>> /log/path" or something like that.
>>
>> Is it a good idea to do this in %post?
>>
>
> I do not think there is a general guideline.
>
> As others suggested, it is a bad idea to call chcon explicitly. You should
> rather write your own selinux policy (it is not that hard, really) and call
> restorecon or fixfiles.
>

Got it.
> You should not call it in %post because selinux policy can be loaded after
> your %post. The story about this is a little bit longer and boring. The
> conclusion is: do that in %posttrans.
>

Ok, good to know.
> You can get some inspiration e.g. in:
> https://git.fedorahosted.org/cgit/copr.git/tree/copr.spec
> https://git.fedorahosted.org/cgit/copr.git/tree/selinux
Thanks!

I've gotten this far on my own. I used semanage and some google-fu to come
up with this that seems to fix the problem. I'm not sure if there's a
better way (i.e. a more "least privilege" route) but I have the following
in file_contexts.local:

/var/lib/unifi/logs(/.*)?    system_u:object_r:mongod_var_lib_t:s0
/var/lib/unifi/data(/.*)?    system_u:object_r:mongod_var_lib_t:s0

And the port problem in ports.local:

portcon tcp 27117 system_u:object_r:mongod_port_t:s0

Now, how to turn that into a policy file...

Thanks,
Richard
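As an added example (not code from the thread or from the copr spec linked above), here is one way to turn those two file_contexts.local lines into a loadable module and install it from %posttrans, as Miroslav recommends. It assumes a hypothetical package named unifi, the paths /var/lib/unifi/{data,logs} and TCP port 27117 from the message above; the port label goes through semanage because a portcon line is not accepted in a loadable module built with checkmodule.

```shell
# Added example, not code from the thread: turn the two file_contexts.local
# lines into a loadable SELinux module for a hypothetical "unifi" package and
# install it from %posttrans. Assumes paths /var/lib/unifi/{data,logs} and
# TCP port 27117 as in the message above.
set -e

# Write the module sources. The .te only declares the module and pulls in the
# existing mongod type from the base policy; the .fc carries the labels that
# restorecon/fixfiles will apply.
write_policy_sources() {          # $1 = output directory
    mkdir -p "$1"
    cat > "$1/unifi.te" <<'EOF'
module unifi 1.0;
require {
    type mongod_var_lib_t;
}
EOF
    cat > "$1/unifi.fc" <<'EOF'
/var/lib/unifi/data(/.*)?    system_u:object_r:mongod_var_lib_t:s0
/var/lib/unifi/logs(/.*)?    system_u:object_r:mongod_var_lib_t:s0
EOF
}

# Compile the sources into unifi.pp (done in %build; needs checkpolicy).
build_policy_module() {           # $1 = directory holding unifi.te/.fc
    if command -v checkmodule >/dev/null 2>&1 && command -v semodule_package >/dev/null 2>&1; then
        checkmodule -M -m -o "$1/unifi.mod" "$1/unifi.te"
        semodule_package -o "$1/unifi.pp" -m "$1/unifi.mod" -f "$1/unifi.fc"
    else
        echo "checkmodule/semodule_package not installed; skipping build" >&2
    fi
}

# Body of the %posttrans scriptlet: runs after the whole transaction, so the
# distribution policy the module depends on is already loaded. The port label
# is set with semanage because a portcon line is not accepted in a loadable
# module built this way.
posttrans_selinux() {
    if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then
        /usr/sbin/semodule -i /usr/share/selinux/packages/unifi.pp || :
        /usr/sbin/semanage port -a -t mongod_port_t -p tcp 27117 2>/dev/null \
            || /usr/sbin/semanage port -m -t mongod_port_t -p tcp 27117 || :
        /sbin/restorecon -R /var/lib/unifi/data /var/lib/unifi/logs || :
    fi
}

workdir=$(mktemp -d)
write_policy_sources "$workdir"
build_policy_module "$workdir"
```

The .fc regex and context strings are the same ones you already have; in a real spec the three functions map onto %build, %install (copy unifi.pp under /usr/share/selinux/packages) and %posttrans respectively.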