Looking for the right, but easy way to add SELinux setup into my package/RPM

Fulko Hew fulko.hew at gmail.com
Tue Feb 18 13:55:00 UTC 2014


On Fri, Feb 14, 2014 at 9:43 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:

> On 02/14/2014 09:17 AM, Fulko Hew wrote:
> > On Fri, Feb 14, 2014 at 8:58 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:
> >> On 02/14/2014 08:42 AM, Fulko Hew wrote:
> >> I made a package a long time ago, and over the years I've been adding
> >> new features, but the correct? support of SELinux has always eluded me.
> >> Occasionally I encounter problems with new versions of Fedora and RHEL.
> >> Recently I was asked to support the installation of my RPM on RHEL 6
> >> systems, and I find that there are new SELinux feature/requirements.
> >>
> >> Its probably me, but I haven't found any instructions/how-tos that have
> >> really helped (me) in providing the steps for testing and making a
> >> package SELinux compatible.  I have something that works on older
> >> releases, but I've probably done it wrong.
> >>
> >> There's lots of documentation about its concepts, but not anything that
> >> has helped me in porting.
> >>
> >> Scenario:
> >>
> >> Given a working RPM (with SELinux disabled)... what would the process be
> >> (with examples) of turning SELinux on, attempting to install and run the
> >> various applications, viewing security logs, and turning any errors
> >> detected into correct config files/commands that can be included in a
> >> spec-file/package.
> >>
> >> Thanks
> >>
> >> Fulko
>


> > SELinux is a labeling system. You need to make sure any content that you
> > provide to confined services is labeled correctly.  The way you do this
> > is by using a command like semanage fcontext ...  in a post install and then
> > using restorecon to fix the labels.
> >
> > SELinux also has the concept of booleans which allow users to modify the
> > policy on the system.  Depending on what you app wants to do you might
> > need to modify a boolean.
> >
> > Finally SELinux expects network ports to match some defaults.  If you
> > want to change the default Network Port then you have to tell SELinux about
> > this.
> >
> > semanage port ...
> >
> > SELinux error messages are stored in /var/log/audit/audit.log and called
> > avc messages.
> >
> > ausearch -m avc -ts recent
> >
> > Can show you recent avc messages that your system received.
> >
> > For now, my spec file has a bunch of semanage/restorecon command pairs,
> > for such things as:
> >
> > semanage fcontext -a -t httpd_sys_script_exec_t   myFile
> > semanage fcontext -a -t httpd_sys_rw_content_t    myOtherFile
> > semanage fcontext -a -t httpd_sys_content_t       yetOtherFiles
> >
> > a) Is this the 'right' way to do it?
> >
> Well you can combine these into a single transaction, which would speed it up.
>
> semanage -S targeted -i - << _EOF
> boolean -m --on allow_polyinstantiation
> boolean -m --on xguest_connect_network
> boolean -m --on xguest_mount_media
> boolean -m --on xguest_use_bluetooth
> _EOF
>
> This is what the xguest package does.
>

I'm sorry, but I don't understand how to map your example into my
values/example.

I also have a new problem.  I've been testing against F20 Live (KDE) and the
package (policycoreutils-python) that provides semanage isn't installed
so semanage isn't available when my RPM is installed.
What is the recommended approach?

a) should I make my package/.spec 'require' policycoreutils-python?
   (It would seem unusual to place that burden on package maintainers.)
b) Use some other technique to configure/distribute security info.
   (Is this where policy files come into play?)
   1. Where can I find a good example of how to create policy files
      given the contents of a .spec
   2. And, what needs to be added to a .spec so that the 'policy' is
installed?


> > b) an example of the new error/warning is:
> >
> > Feb 13 14:37:58 livecd kernel: type=1400 audit(1392320278.129:151): avc:
> > denied  { name_connect } for  pid=4517 comm="view_status.pl" dest=27395
> > scontext=unconfined_u:system_r:httpd_sys_script_t:s0
> > tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
> >
> Well in a perfect world you would write policy for your cgi script, using a
> tool like sepolgen or sepolicy generate, depending on whether you are
> shipping in RHEL6 or Fedora.
>
> You could also turn on the httpd_can_network_connect boolean which would
> allow apache processes to connect to any ports.
>

It turns out that I did have code in the %post portion of my .spec to set
that boolean, but due to a bug on my part, the boolean wasn't being set
under certain conditions.
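As an added example that is not part of the thread or of either poster's package, the script below maps the `semanage -S targeted -i -` heredoc from Daniel's reply onto the values discussed here: the three `fcontext` types from the spec file and the `httpd_can_network_connect` boolean. The paths (`/usr/lib/cgi-bin/view_status.pl`, `/var/lib/myapp`, `/usr/share/myapp`) are assumed placeholders standing in for `myFile`, `myOtherFile` and `yetOtherFiles`. It also handles the second problem raised in the mail, a system where `semanage` is not installed, by skipping the configuration instead of failing the `%post` scriptlet.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread. Builds one
# "semanage -i -" batch from the fcontext types and boolean named in the
# thread, applies it in a single transaction, then relabels.

# One entry per line: "<selinux type> <path regex>".  The paths are
# constructed placeholders; substitute the files your RPM actually ships.
APP_FCONTEXTS='httpd_sys_script_exec_t /usr/lib/cgi-bin/view_status.pl
httpd_sys_rw_content_t /var/lib/myapp(/.*)?
httpd_sys_content_t /usr/share/myapp(/.*)?'

# Booleans to switch on (httpd_can_network_connect is the one from the thread).
APP_BOOLEANS='httpd_can_network_connect'

# Emit the batch that "semanage -i -" reads: the same syntax as the command
# line minus the leading "semanage" word.  Single quotes keep (/.*)? intact.
build_semanage_batch() {
    printf '%s\n' "$APP_FCONTEXTS" | while read -r type path; do
        [ -n "$type" ] && printf "fcontext -a -t %s '%s'\n" "$type" "$path"
    done
    for b in $APP_BOOLEANS; do
        printf 'boolean -m --on %s\n' "$b"
    done
}

# Apply the batch in one transaction, then fix labels with restorecon.
# Returns 0 without changing anything when semanage is absent (the F20 Live
# case from the mail) or SELinux is disabled, so %post does not fail.
apply_selinux_config() {
    if ! command -v semanage >/dev/null 2>&1; then
        echo "semanage not found; skipping SELinux configuration" >&2
        return 0
    fi
    if command -v selinuxenabled >/dev/null 2>&1 && ! selinuxenabled; then
        return 0
    fi
    build_semanage_batch | semanage -S targeted -i - || return 1
    printf '%s\n' "$APP_FCONTEXTS" | while read -r _type path; do
        base=${path%%\(*}          # drop the (/.*)? suffix to get the directory
        [ -e "$base" ] && restorecon -R "$base"
    done
    return 0
}

# Stand-alone usage: "--print" shows the batch, "--apply" runs it.
# In a .spec, source or inline this and call apply_selinux_config from %post.
case "${1:-}" in
    --print) build_semanage_batch ;;
    --apply) apply_selinux_config ;;
esac
```

If you take option (a) from the mail and declare `Requires(post): policycoreutils-python` in the spec, the `command -v semanage` check becomes redundant, but it is harmless to keep. Whichever way the boolean is set, confirm it afterwards with `ausearch -m avc -ts recent` as Daniel suggests, since a denial like the `name_connect` one quoted above is the only sign that the `%post` branch did not run.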