Selinux Packaging [WAS: Wifi connection issues with Intel?]

Daniel J Walsh dwalsh at redhat.com
Mon Jun 16 18:34:34 UTC 2014 

On 06/16/2014 02:15 PM, Richard Shaw wrote:
> On Mon, Jun 16, 2014 at 1:08 PM, Daniel J Walsh <dwalsh at redhat.com
> <mailto:dwalsh at redhat.com>> wrote:
>
>
>     On 06/16/2014 01:35 PM, Richard Shaw wrote:
>>     On Mon, Jun 16, 2014 at 12:19 PM, Daniel J Walsh
>>     <dwalsh at redhat.com <mailto:dwalsh at redhat.com>> wrote:
>>
>>
>>         On 06/12/2014 10:14 AM, Richard Shaw wrote:
>>>         On Thu, Jun 12, 2014 at 6:56 AM, Daniel J Walsh
>>>         <dwalsh at redhat.com <mailto:dwalsh at redhat.com>> wrote:
>>>
>>>>             The full unifi software is java with a mongodb database
>>>>             backend and works fine. I have a RPM I created, the
>>>>             only problem I haven't been able to fix is the selinux
>>>>             issues, one for the private mongodb instance, and then
>>>>             the ports it binds to. 
>>>             Please open a bugzilla for the SELinux issues.
>>>
>>>
>>>         Before I open a BZ, here's what I have in my spec file which
>>>         from what I understand should be persistent...
>>>
>>>         %posttrans
>>>         /usr/sbin/semanage fcontext -e /var/lib/mongod
>>>         "/var/lib/unifi/logs(/.*)?"
>>>         /usr/sbin/semanage fcontext -e /var/lib/mongod
>>>         "/var/lib/unifi/data(/.*)?"
>>>         /usr/sbin/semanage port -m -t mongod_port_t 27117
>>>
>>>         Or should this be handled in a policy?
>>>
>>>         Thanks,
>>>         Richard
>>>
>>>
>>         I think your post install should look like.
>>
>>         /usr/sbin/semanage fcontext -e /var/log/mongod
>>         "/var/lib/unifi/logs"
>>         /usr/sbin/semanage fcontext -e /var/lib/mongod
>>         "/var/lib/unifi/data"
>>         /usr/sbin/semanage port -m -t mongod_port_t 27117
>>
>>         Don't use the regex. Also I would figure the logs should be
>>         labeled mongod_log_t rather then mongod_lib_t.
>>
>>
>>     What is the concern with regex?
>
>>     It is specific to packaging? Most of the examples I found online
>>     used that method... As far as the label, since everything is
>>     getting dumped in /var/lib I figured that would be OK. 
>>
>
>     Not a concern with regex. it just will not work.  The examples you
>     have seen on line, were not using equivalence.  They were using
>     generic labelling.
>
>     Equivalence tells SELinux to swap the second part of the path with
>     the first.  You code would only match file paths that began with
>     /var/lib/unifi/logs(/.*?)  Not /var/lib/unifi/logs/foobar.log
>>
>>         If this is a standard location for this code, we should put
>>         it into the base package.
>>
>>
>>     There is not a standard install location, the install will "work"
>>     as long as everything stays in the same relative location (the
>>     unifi directory). Since it writes a lot of stuff I figured /var
>>     was the best (only?) real option. 
>>
>     Yes
>
>>     Following the example of a draft wiki I can't find anymore I had
>>     modified the scripts to this instead of using %posttrans:
>>     %post
>>     semanage fcontext -a -t mongod_var_lib_t \
>>         "%{_sharedstatedir}/unifi/logs(/.*)?" 2>/dev/null || :
>>     semanage fcontext -a -t mongod_var_lib_t \
>>         "%{_sharedstatedir}/unifi/data(/.*)?" 2>/dev/null || :
>>     restorecon -R %{_sharedstatedir}/unifi/logs || :
>>     restorecon -R %{_sharedstatedir}/unifi/data || :
>>     semanage port -m -t mongod_port_t 27117 || :
>>
>>     %postun
>>     if [ $1 -eq 0 ] ; then  # final removal
>>     semanage fcontext -d -t mongod_var_lib_t \
>>         "%{_sharedstatedir}/unifi/logs(/.*)?" 2>/dev/null || :
>>     semanage fcontext -d -t mongod_var_lib_t \
>>         "%{_sharedstatedir}/unifi/data(/.*)?" 2>/dev/null || :
>>     fi
>>
>>
>     That should work.  You could speed it up by combining both semange
>     fcontext lines into a single transaction. Something like.
>
>     semanage -S targeted -i - << _EOF
>
>     fcontext -a -t mongod_var_lib_t "%{_sharedstatedir}/unifi/logs(/.*)?"
>     fcontext -a -t mongod_var_lib_t "%{_sharedstatedir}/unifi/data(/.*)?"
>     _EOF 2>/dev/null || :
>
>
> Ok, just to be clear, I still need to remove the (/.*)? parts? I found
> the packaging draft I referred to:
>
> http://fedoraproject.org/wiki/PackagingDrafts/SELinux
>
> Which shows including it.
>
> Thanks,
> Richard
>
>
If you use "-e" option, you do not use them, if you are using "-a"
option you do.

Your first message said you used

/usr/sbin/semanage fcontext -e /var/lib/mongod "/var/lib/unifi/logs(/.*)?"
/usr/sbin/semanage fcontext -e /var/lib/mongod "/var/lib/unifi/data(/.*)?"

Which is wrong because you used the "-e"

Your second email said you were doing.

semanage fcontext -d -t mongod_var_lib_t \
    "%{_sharedstatedir}/unifi/logs(/.*)?" 2>/dev/null || :
semanage fcontext -d -t mongod_var_lib_t \
    "%{_sharedstatedir}/unifi/data(/.*)?" 2>/dev/null || :

Which used the "-a"  which was correct, it needs the regex.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/users/attachments/20140616/5b27dbf8/attachment-0001.html>

More information about the users mailing list