change SELinux context in %post?

Daniel J Walsh dwalsh at redhat.com
Tue Feb 11 21:04:01 UTC 2014



On 02/11/2014 03:23 PM, Richard Shaw wrote:
> On Tue, Feb 11, 2014 at 9:43 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:
> 
> 
> On 02/06/2014 12:44 PM, Richard Shaw wrote:
>> On Thu, Feb 6, 2014 at 11:37 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>> 
>> 
>> On 02/06/2014 02:39 PM, Richard Shaw wrote:
>>> On Thu, Feb 6, 2014 at 2:49 AM, Miroslav Suchý <msuchy at redhat.com> wrote:
>>> 
>>>> On 02/05/2014 08:24 PM, Richard Shaw wrote:
>>>> 
>>>>> Are there official guidelines on how to handle selinux contexts in 
>>>>> packaging? I can still only find the draft which seems way more 
>>>>> complicated than necessary for my needs.
>>>>> 
>>>>> I'm working on a package that uses mongodb internally (runs its
>>>>> own instance). SELinux is complaining because it has mongodb
>>>>> creating the database (and logs) outside of the normal locations
>> You need to tell SELinux about the labels.
>> 
>> semanage fcontext -e /var/lib/mysql PATHTO/mysql
>> restorecon -R -v PATHTO/mysql
>> 
>> Is probably what you want.
>> 
>> 
>> Ok, I ended up getting to the same place using "-a mongod_var_lib_t"...
>> Now how to turn that into a policy I can package?
>> 
>> I ended up with this as the requirements to create a functional package:
>> 
>> /var/lib/unifi/logs(/.*)?    system_u:object_r:mongod_var_lib_t:s0 
>> /var/lib/unifi/data(/.*)?    system_u:object_r:mongod_var_lib_t:s0
>> portcon tcp 27117 system_u:object_r:mongod_port_t:s0
>> 
>> 
> Most likely the better solution would have been
> 
> /var/lib/unifi/logs(/.*)?    system_u:object_r:mongod_log_t:s0
> 
> 
> That would probably work, I just used mongod_var_lib_t because it writes
> the logs in /var/lib instead of /var/log. As long as it works I'm not
> terribly picky.
> 
> 
> Should these go into Fedora Policy?
> 
> 
> Well, if this was a package destined for the Fedora repository I would ask,
> what reasons/requirements need to be met to have the policy go into the
> upper level Fedora policy and when should it go directly in the package
> itself?
> 
> Since this is not FOSS software (however useful and required to manage the 
> devices) it's destined for RPM Fusion non-free so I'm guessing it needs to
> go into the package itself.
> 
> Thanks, Richard
> 
> 

If these paths make sense, we can add the labels to the Fedora Policy.  It
does not have to be FOSS Software to be in the policy package.


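The thread leaves the last step open: how the labels Richard found by hand become something a package can ship and apply from %post. The script below is an added example, not the UniFi package's own scriptlets and not Fedora policy. It takes the two paths and the port from the thread, uses mongod_log_t for the logs as Dan suggested, and assumes the module is named "unifi" and is built with the selinux-policy-devel Makefile at /usr/share/selinux/devel/Makefile. It generates the module sources (unifi.fc and unifi.te), shows the module-less alternative of plain semanage commands, and wraps what %post would run. One caveat the thread's `portcon` line hides: a loadable .te module cannot declare port contexts, so the port label is applied with `semanage port` in both variants.

```shell
#!/bin/sh
# Added example (not the UniFi package's own scriptlets): turn the labels
# from the thread into a small SELinux policy module plus the commands an
# RPM %post would run to apply them.  Assumptions: the module is called
# "unifi", the paths and the port come from the thread, and the build uses
# the selinux-policy-devel Makefile.

# Constructed label table: file-context regex and the existing mongod type
# it should carry.  Logs get mongod_log_t, as suggested in the thread.
UNIFI_LABELS='/var/lib/unifi/logs(/.*)? mongod_log_t
/var/lib/unifi/data(/.*)? mongod_var_lib_t'
UNIFI_PORT=27117

# unifi.fc: file contexts in the gen_context() form the refpolicy Makefile
# expands; one line per entry in UNIFI_LABELS.
unifi_fc() {
    printf '%s\n' "$UNIFI_LABELS" | while read -r path type; do
        printf '%s\tgen_context(system_u:object_r:%s,s0)\n' "$path" "$type"
    done
}

# unifi.te: declares no new types, only requires the mongod types so the
# file contexts resolve when the module is loaded.
unifi_te() {
    cat <<'EOF'
policy_module(unifi, 1.0)

gen_require(`
	type mongod_var_lib_t;
	type mongod_log_t;
')
EOF
}

# Module-less alternative for %post: the same labels as semanage commands.
# These land in the local customisation store instead of in a module.
semanage_cmds() {
    printf '%s\n' "$UNIFI_LABELS" | while read -r path type; do
        printf 'semanage fcontext -a -t %s "%s"\n' "$type" "$path"
    done
    # A loadable .te module cannot carry a portcon statement, so the port
    # label is applied with semanage either way.
    printf 'semanage port -a -t mongod_port_t -p tcp %s\n' "$UNIFI_PORT"
}

# Build unifi.pp in $1 from the two sources above (needs selinux-policy-devel).
build_module() {
    unifi_te > "$1/unifi.te"
    unifi_fc > "$1/unifi.fc"
    (cd "$1" && make -f /usr/share/selinux/devel/Makefile unifi.pp)
}

# What the package's %post would run: install the module, label the port,
# then relabel the tree so files that already exist pick up the contexts.
# Returns early on hosts without SELinux so the scriptlet never fails there.
selinux_post() {
    command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled || return 0
    semodule -i "$1/unifi.pp"
    semanage port -a -t mongod_port_t -p tcp "$UNIFI_PORT" 2>/dev/null ||
        semanage port -m -t mongod_port_t -p tcp "$UNIFI_PORT"
    restorecon -R -v /var/lib/unifi
}

# Check a path against the loaded policy; prints "<path> <context>".
expected_context() {
    matchpathcon "$1"
}

# Stand-alone run: show the generated sources and the %post commands.  The
# build and install are only attempted as root with the devel Makefile present.
printf '== unifi.fc ==\n'; unifi_fc
printf '== unifi.te ==\n'; unifi_te
printf '== %%post without a module ==\n'; semanage_cmds
if [ -f /usr/share/selinux/devel/Makefile ] && [ "$(id -u)" -eq 0 ]; then
    tmp=$(mktemp -d) && build_module "$tmp" && selinux_post "$tmp" &&
        expected_context /var/lib/unifi/data/db
fi
```

The module route is the one to prefer for a package: the .pp file is owned by the RPM, `semodule -r unifi` in %postun removes the labels cleanly, and nothing is left behind in the semanage customisation store. After either variant, `matchpathcon /var/lib/unifi/data/db` is the quick check that the regex actually matched, and `restorecon -R -v` shows every file whose label changed.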

