change Selinux context in %post?
Daniel J Walsh
dwalsh at redhat.com
Tue Feb 11 21:04:01 UTC 2014
On 02/11/2014 03:23 PM, Richard Shaw wrote:
> On Tue, Feb 11, 2014 at 9:43 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>
> On 02/06/2014 12:44 PM, Richard Shaw wrote:
>> On Thu, Feb 6, 2014 at 11:37 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>>
>> On 02/06/2014 02:39 PM, Richard Shaw wrote:
>>> On Thu, Feb 6, 2014 at 2:49 AM, Miroslav Suchý <msuchy at redhat.com> wrote:
>>>
>>>> On 02/05/2014 08:24 PM, Richard Shaw wrote:
>>>>
>>>>> Are there official guidelines on how to handle selinux contexts in
>>>>> packaging? I can still only find the draft which seems way more
>>>>> complicated than necessary for my needs.
>>>>>
>>>>> I'm working on a package that uses mongodb internally (runs its
>>>>> own instance). Selinux is complaining because it has mongodb
>>>>> creating the database (and logs) outside of the normal locations
>> You need to tell SELinux about the labels.
>>
>> semanage fcontext -e /var/lib/mysql PATHTO/mysql
>> restorecon -R -v PATHTO/mysql
>>
>> Is probably what you want.
>>
>>
>> Ok, I ended up getting to the same place using "-a mongod_var_lib_t"...
>> Now how to turn that into a policy I can package?
>>
>> I ended up with this as the requirements to create a functional package:
>>
>> /var/lib/unifi/logs(/.*)? system_u:object_r:mongod_var_lib_t:s0
>> /var/lib/unifi/data(/.*)? system_u:object_r:mongod_var_lib_t:s0
>> portcon tcp 27117 system_u:object_r:mongod_port_t:s0
>>
>>
> Most likely the better solution would have been
>
> /var/lib/unifi/logs(/.*)? system_u:object_r:mongod_log_t:s0
>
>
> That would probably work, I just used mongod_var_lib_t because it writes
> the logs in /var/lib instead of /var/log. As long as it works I'm not
> terribly picky.
>
>
> Should these go into Fedora Policy?
>
>
> Well, if this was a package destined for the Fedora repository I would ask,
> what reasons/requirements need to be met to have the policy go into the
> upper level Fedora policy and when should it go directly in the package
> itself?
>
> Since this is not FOSS software (however useful and required to manage the
> devices) it's destined for RPM Fusion non-free so I'm guessing it needs to
> go into the package itself.
>
> Thanks, Richard
>
>
If these paths make sense, we can add the labels to the Fedora Policy. It
does not have to be FOSS Software to be in the policy package.
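One way to carry the labels discussed in this thread inside the package itself, as an added example that is not part of any message above: a shell helper for the %post and %postun scriptlets. It uses the data path and port from Richard's list and the mongod_log_t type suggested for the logs; the function names and the SEMANAGE, RESTORECON and SELINUXENABLED override variables are assumptions of this example.

```shell
#!/bin/sh
# Added example: SELinux labelling helper for RPM %post / %postun scriptlets.
# Paths, types and port are taken from the thread; function names and the
# overridable command variables below are hypothetical.
SEMANAGE=${SEMANAGE:-semanage}
RESTORECON=${RESTORECON:-restorecon}
SELINUXENABLED=${SELINUXENABLED:-selinuxenabled}

UNIFI_DATA='/var/lib/unifi/data(/.*)?'
UNIFI_LOGS='/var/lib/unifi/logs(/.*)?'
UNIFI_PORT=27117

# Add a file-context rule; if one already exists for this spec (for example
# on package upgrade, where "semanage -a" fails), modify it instead.
set_fcontext() {  # $1 = SELinux type, $2 = path regex
    "$SEMANAGE" fcontext -a -t "$1" "$2" 2>/dev/null ||
        "$SEMANAGE" fcontext -m -t "$1" "$2"
}

# Same add-then-modify pattern for the TCP port label.
set_port() {  # $1 = SELinux type, $2 = tcp port
    "$SEMANAGE" port -a -t "$1" -p tcp "$2" 2>/dev/null ||
        "$SEMANAGE" port -m -t "$1" -p tcp "$2"
}

# Call from %post: register the rules, then relabel files already on disk.
unifi_selinux_install() {
    "$SELINUXENABLED" || return 0   # SELinux disabled: nothing to label
    set_fcontext mongod_var_lib_t "$UNIFI_DATA" &&
    set_fcontext mongod_log_t "$UNIFI_LOGS" &&
    set_port mongod_port_t "$UNIFI_PORT" &&
    "$RESTORECON" -R /var/lib/unifi
}

# Call from %postun on final removal: drop the local customisations.
unifi_selinux_remove() {
    "$SELINUXENABLED" || return 0
    "$SEMANAGE" fcontext -d "$UNIFI_DATA" 2>/dev/null || :
    "$SEMANAGE" fcontext -d "$UNIFI_LOGS" 2>/dev/null || :
    "$SEMANAGE" port -d -t mongod_port_t -p tcp "$UNIFI_PORT" 2>/dev/null || :
}

# Stand-alone use: "script install" or "script remove"; no argument is a no-op.
case "${1:-}" in
    install) unifi_selinux_install ;;
    remove)  unifi_selinux_remove ;;
esac
```

Rules added with semanage are local customisations, so removing them in %postun keeps the system policy clean after the package is erased.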