package review?
Paul Howarth
paul at city-fan.org
Fri Jul 21 15:46:28 UTC 2006
Michael Thomas wrote:
> A few packages (game server daemons) that I maintain in Fedora Extras
> would benefit from having a selinux security policy available. But
> since I'm new to writing selinux policies, I was hoping that someone
> from f-s-l could take a peek at what I did and let me know if I've done
> things correctly and in the 'recommended' way.
>
> I've already tested the policy on FC5 to make sure that it works and
> produces no 'avc denied' messages:
>
> http://www.kobold.org/~wart/fedora/crossfire-1.9.1-2.src.rpm
>
> I wasn't sure exactly which networking rules I would need. Most of the
> ones there were generated by policygentool. I also couldn't figure out
> why some of the rules at the end of crossfire.te were necessary.

I don't see any domain transition to crossfire_t in your policy; how
does it get into that domain?

Your policy file includes a comment about wanting to patch out use of
temp files; another option would be to use your own domain for temp
files, as you've done for the log files.

Did you follow the guide on Packaging/SELinux on the wiki for actually
building the module in your package? I've changed what I do for package
building since I last updated that page (and I can't update it any more)
and you'll find it won't build on rawhide as there is an
selinux-policy-devel package you need as a buildreq there.

An example of the way I'm currently doing SELinux module packaging can
be found here:

http://www.city-fan.org/~paul/extras/mod_fcgid/mod_fcgid.spec

Paul.
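
The two policy points raised in the reply above (a transition into crossfire_t and a private type for temp files), sketched as an added example that is not part of the original message or of the crossfire package. It assumes current reference policy macro names, which may differ from those shipped with FC5; crossfire_exec_t, crossfire_tmp_t and the file-context path are hypothetical.

```selinux
# crossfire.te (sketch): every type name except crossfire_t is an assumption
policy_module(crossfire, 1.0.0)

# Daemon domain and the type carried by its executable.
type crossfire_t;
type crossfire_exec_t;
# Marks crossfire_exec_t as the entry point for crossfire_t and adds the
# automatic transition from init scripts when that executable is run.
# Without a rule like this the daemon stays in the domain of its caller.
init_daemon_domain(crossfire_t, crossfire_exec_t)

# Private type for temp files, so the daemon needs no access to generic tmp_t.
type crossfire_tmp_t;
files_tmp_file(crossfire_tmp_t)

# Allow the daemon to manage its own temp files and directories ...
manage_dirs_pattern(crossfire_t, crossfire_tmp_t, crossfire_tmp_t)
manage_files_pattern(crossfire_t, crossfire_tmp_t, crossfire_tmp_t)
# ... and label what it creates under /tmp with the private type.
files_tmp_filetrans(crossfire_t, crossfire_tmp_t, { file dir })

# crossfire.fc (placeholder path): the executable must carry the entry point
# type on disk, otherwise the transition never fires.
# <path-to-server-binary>  --  gen_context(system_u:object_r:crossfire_exec_t,s0)
```

After loading the module and relabelling the binary, `ps -eZ` shows whether the running server actually ended up in crossfire_t.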