Selinux Packaging [WAS: Wifi connection issues with Intel?]

Richard Shaw hobbes1069 at gmail.com
Mon Jun 16 18:15:25 UTC 2014


On Mon, Jun 16, 2014 at 1:08 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:

>
> On 06/16/2014 01:35 PM, Richard Shaw wrote:
>
>  On Mon, Jun 16, 2014 at 12:19 PM, Daniel J Walsh <dwalsh at redhat.com>
> wrote:
>
>>
>> On 06/12/2014 10:14 AM, Richard Shaw wrote:
>>
>>  On Thu, Jun 12, 2014 at 6:56 AM, Daniel J Walsh <dwalsh at redhat.com>
>> wrote:
>>
>>>     The full unifi software is java with a mongodb database backend and
>>> works fine. I have a RPM I created, the only problem I haven't been able to
>>> fix is the selinux issues, one for the private mongodb instance, and then
>>> the ports it binds to.
>>>
>>>  Please open a bugzilla for the SELinux issues.
>>>
>>
>>  Before I open a BZ, here's what I have in my spec file which from what
>> I understand should be persistent...
>>
>>  %posttrans
>> /usr/sbin/semanage fcontext -e /var/lib/mongod "/var/lib/unifi/logs(/.*)?"
>> /usr/sbin/semanage fcontext -e /var/lib/mongod "/var/lib/unifi/data(/.*)?"
>> /usr/sbin/semanage port -m -t mongod_port_t 27117
>>
>>  Or should this be handled in a policy?
>>
>>  Thanks,
>> Richard
>>
>>
>> I think your post install should look like:
>>
>> /usr/sbin/semanage fcontext -e /var/log/mongod "/var/lib/unifi/logs"
>> /usr/sbin/semanage fcontext -e /var/lib/mongod "/var/lib/unifi/data"
>> /usr/sbin/semanage port -m -t mongod_port_t 27117
>>
>> Don't use the regex. Also I would figure the logs should be labeled
>> mongod_log_t rather than mongod_lib_t.
>>
>
> What is the concern with regex?
>
> Is it specific to packaging? Most of the examples I found online used
> that method... As far as the label, since everything is getting dumped in
> /var/lib I figured that would be OK.
>
>
> Not a concern with regex; it just will not work. The examples you have
> seen online were not using equivalence. They were using generic
> labelling.
>
> Equivalence tells SELinux to swap the second part of the path with the
> first. Your code would only match file paths that began with
> /var/lib/unifi/logs(/.*?), not /var/lib/unifi/logs/foobar.log
>
>
>> If this is a standard location for this code, we should put it into the
>> base package.
>>
>
>  There is not a standard install location, the install will "work" as
> long as everything stays in the same relative location (the unifi
> directory). Since it writes a lot of stuff I figured /var was the best
> (only?) real option.
>
>    Yes
>
>   Following the example of a draft wiki I can't find anymore I had
> modified the scripts to this instead of using %posttrans:
>  %post
> semanage fcontext -a -t mongod_var_lib_t \
>      "%{_sharedstatedir}/unifi/logs(/.*)?" 2>/dev/null || :
> semanage fcontext -a -t mongod_var_lib_t \
>     "%{_sharedstatedir}/unifi/data(/.*)?" 2>/dev/null || :
> restorecon -R %{_sharedstatedir}/unifi/logs || :
> restorecon -R %{_sharedstatedir}/unifi/data || :
> semanage port -m -t mongod_port_t 27117 || :
>
>  %postun
>  if [ $1 -eq 0 ] ; then  # final removal
>  semanage fcontext -d -t mongod_var_lib_t \
>     "%{_sharedstatedir}/unifi/logs(/.*)?" 2>/dev/null || :
> semanage fcontext -d -t mongod_var_lib_t \
>     "%{_sharedstatedir}/unifi/data(/.*)?" 2>/dev/null || :
> fi
>
>
> That should work. You could speed it up by combining both semanage
> fcontext lines into a single transaction. Something like:
>
> semanage -S targeted -i - 2>/dev/null << _EOF || :
> fcontext -a -t mongod_var_lib_t "%{_sharedstatedir}/unifi/logs(/.*)?"
> fcontext -a -t mongod_var_lib_t "%{_sharedstatedir}/unifi/data(/.*)?"
> _EOF
>

Ok, just to be clear, I still need to remove the (/.*)? parts? I found the
packaging draft I referred to:

http://fedoraproject.org/wiki/PackagingDrafts/SELinux

Which shows including it.

Thanks,
Richard
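The distinction Dan draws above (equivalence is a literal prefix swap; generic labelling is a regex over the full path) is easy to see in a small model of how a path gets its label. The following is an added illustration, not code from the thread or from libselinux: it is a deliberately simplified resolver in which equivalence entries are applied first as plain prefix substitutions, and the rewritten path is then matched against generic regex rules, with the rule having the longest literal prefix winning (the real file_contexts ordering is more involved). The rule table, the equivalence entries and the sample paths are all constructed for the demonstration.

```python
import re

# Constructed generic file-context rules, in the spirit of file_contexts
# entries: a regex matched against the whole path, and the SELinux type.
# This table is an illustration only, not a copy of any real policy.
GENERIC_RULES = [
    (r"/var/lib/mongod(/.*)?", "mongod_var_lib_t"),
    (r"/var/log/mongod(/.*)?", "mongod_log_t"),
    (r"/var/lib(/.*)?", "var_lib_t"),
    (r"/var/log(/.*)?", "var_log_t"),
    (r"/.*", "default_t"),
]


def apply_equivalence(path, equivalences):
    """Model of `semanage fcontext -e TARGET SRC`: SRC is a literal prefix.

    If `path` is SRC itself or lies below SRC, the SRC prefix is replaced by
    TARGET; nothing is interpreted as a regex. A SRC written with regex
    syntax therefore matches only a path that literally contains it.
    """
    for src, target in equivalences:
        if path == src or path.startswith(src + "/"):
            return target + path[len(src):]
    return path


def literal_prefix_len(pattern):
    """Length of the leading literal part of a regex (simplified specificity)."""
    return re.match(r"[^.^$*+?()\[\]{}|\\]*", pattern).end()


def match_generic(path, rules):
    """Model of generic labelling (`semanage fcontext -a -t TYPE REGEX`).

    Every rule regex must match the full path; among the matches the most
    specific one (longest literal prefix, as a simplification) wins.
    """
    best = None
    for pattern, context in rules:
        if re.fullmatch(pattern, path):
            specificity = literal_prefix_len(pattern)
            if best is None or specificity > best[0]:
                best = (specificity, context)
    return best[1] if best else None


def resolve_label(path, equivalences=(), extra_generic=()):
    """Equivalence substitution first, then generic regex matching."""
    rules = list(extra_generic) + GENERIC_RULES
    return match_generic(apply_equivalence(path, equivalences), rules)


if __name__ == "__main__":
    log = "/var/lib/unifi/logs/foobar.log"  # constructed sample path

    # Regex inside an equivalence: the prefix never matches, so the file
    # falls through to the generic /var/lib rule.
    print(resolve_label(log, equivalences=[("/var/lib/unifi/logs(/.*)?", "/var/lib/mongod")]))

    # Plain equivalence: the prefix is swapped and the mongod log rule applies.
    print(resolve_label(log, equivalences=[("/var/lib/unifi/logs", "/var/log/mongod")]))

    # Generic rule with the regex: matched directly against the path.
    print(resolve_label(log, extra_generic=[(r"/var/lib/unifi/logs(/.*)?", "mongod_var_lib_t")]))
```

Run as a script it prints `var_lib_t`, `mongod_log_t` and `mongod_var_lib_t` for the three cases, which is the difference between the `-e` and `-a` forms discussed above: the `(/.*)?` suffix carries meaning only in a generic rule.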