RPM with separate selinux package

Daniel J Walsh dwalsh at redhat.com
Wed Jun 20 11:08:40 UTC 2007


Jan-Frode Myklebust wrote:
> I've been building syslog-ng RPMs, with the needed selinux module
> as a separate sub-package following the instructions at:
>
> 	http://fedoraproject.org/wiki/PackagingDrafts/SELinux/PolicyModules
>
> but there's a problem with the logic of having the selinux package
> "Requires: main package", as then the main package will get installed
> and started before there is a working policy installed.
>
> So, is there any way of re-ordering this, without having the main 
> package depend on the selinux package? i.e. I want to allow someone
> to install only the syslog-ng-2.0.4-12.i386.rpm if they don't want
> the selinux module, but I want the selinux module to be installed
> first if both are installed in the same operation.
>
> My current srpm --> http://tanso.net/yum/packages/syslog-ng-2.0.4-12.src.rpm
>
>
>   
I think it would be better to just ship the policy pp file in your rpm.

But looking through your policy, most of it is already in the base policy.


allow syslogd_t device_t:sock_file { getattr unlink };
 > This looks like a bug. It should not happen.

allow syslogd_t rsh_port_t:tcp_socket name_bind;
allow syslogd_t inaddr_any_node_t:tcp_socket node_bind;
allow syslogd_t self:tcp_socket { create listen  bind setopt };
 > In FC7

allow syslogd_t syslogd_var_lib_t:dir { search write add_name };
allow syslogd_t syslogd_var_lib_t:file { create write getattr read };
 > This should be added to FC7

>    -jf
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>   
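Added example, not part of the original message: a small Python check of a module's allow rules against a base rule list, the comparison behind the remark that most of the policy is already in the base policy. `BASE_RULES` is a constructed stand-in holding only the rules the reply marks "In FC7", and the function names are hypothetical; plain text matching does not resolve attributes, so `sesearch` against the installed policy remains the authoritative check.

```python
import re
from collections import defaultdict

# Matches: allow <source> <target>:<class> <perm>;  or  ... { <perm> ... };
ALLOW_RE = re.compile(
    r"^\s*allow\s+(\S+)\s+(\S+?):(\S+)\s+(?:\{([^}]*)\}|(\S+?))\s*;\s*$")

def parse_allow_rules(text):
    """Return {(source, target, class): set(perms)}, merging repeated keys."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = ALLOW_RE.match(line)
        if not m:
            continue  # skip comments, blank lines and non-allow statements
        source, target, tclass, braced, single = m.groups()
        rules[(source, target, tclass)].update(
            braced.split() if braced is not None else [single])
    return dict(rules)

def missing_from_base(module_text, base_text):
    """Permissions the module grants that the base rule text does not."""
    base = parse_allow_rules(base_text)
    gaps = {}
    for key, perms in parse_allow_rules(module_text).items():
        extra = perms - base.get(key, set())
        if extra:
            gaps[key] = extra
    return gaps

# The allow rules quoted in the reply above.
MODULE_RULES = """
allow syslogd_t device_t:sock_file { getattr unlink };
allow syslogd_t rsh_port_t:tcp_socket name_bind;
allow syslogd_t inaddr_any_node_t:tcp_socket node_bind;
allow syslogd_t self:tcp_socket { create listen  bind setopt };
allow syslogd_t syslogd_var_lib_t:dir { search write add_name };
allow syslogd_t syslogd_var_lib_t:file { create write getattr read };
"""

# Constructed stand-in for base policy: only the rules the reply marks "In FC7".
BASE_RULES = """
allow syslogd_t rsh_port_t:tcp_socket { name_bind };
allow syslogd_t inaddr_any_node_t:tcp_socket node_bind;
allow syslogd_t self:tcp_socket { bind create listen setopt };
"""

if __name__ == "__main__":
    gaps = missing_from_base(MODULE_RULES, BASE_RULES)
    for (src, tgt, cls), perms in sorted(gaps.items()):
        print(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
```

Only the rules it prints would still need to live in a local module; each one is worth reviewing before shipping, since the reply flags the `device_t:sock_file` access as a bug rather than something to allow.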



