Hi,
this year we have decided to adopt SELinux as part of our standard platform. However we also build quite a few in-house RPM packages. What we're trying to do now is to marry those two efforts, and make those packages we build provide SELinux policies. Admittedly we're using RHEL6 for this purpose. I have already collected some information, and it looks like building SELinux modules and providing them with the package is the way to go.
I have started building a module from scratch based on what we had to do manually to get rid of SELinux warnings (running SELinux in permissive mode at the moment):
$ chcon -R -h -t httpd_sys_content_t -u system_u /usr/libexec/foo*
$ chcon -R -t httpd_sys_rw_content_t -u system_u /var/lib/foo
$ setsebool -P httpd_can_network_connect_db on
which resulted in policy:
foo.fc:
/usr/libexec/foo(.*)?    gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/lib/foo(/.*)?       gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
with foo.if and foo.te pretty much empty.
What I struggle with are several things:
1. Can I set up a boolean's value from the policy module?
2. I had to manually relabel /usr/libexec/foo* and /var/lib/foo via "fixfiles" after I added the policy via:
$ semodule -i foo.pp
Can I create the module in a way that upon its activation it'll relabel all needed pieces? (I played with semodule's "-d" and "-e" with no effect)
3. I have seen several suggestions on how to package and install .pp files with RPM:
http://fedoraproject.org/wiki/PackagingDrafts/SELinux vs http://selinuxproject.org/page/RPM
The latter seems to be more natural, at least from a logic/syntax perspective. Which one is preferred for RHEL6? (I know it's a Fedora list, but I didn't see/find a corresponding RHEL list and the sysadmin@ ML is kind of low on traffic and answers :( )
On November 23, 2011 11:45, Dmitry Makovey <dmitry@athabascau.ca> wrote:
- can I set up boolean's value from the policy module?
If your policy module creates a new boolean, yes. But if you are setting a boolean created by another policy module, you should run "setsebool -P" from the %post section of your RPM.
- I had to manually relabel /usr/libexec/foo* and /var/lib/foo via "fixfiles" after I added the policy via:
$ semodule -i foo.pp
Can I create the module in a way that upon its activation it'll relabel all needed pieces? (I played with semodule's "-d" and "-e" with no effect)
Make sure that your .fc file properly describes all of the file contexts. Then, in the %post section of your RPM, run fixfiles and (if needed) restorecon:
/sbin/fixfiles -R myapp restore
# %{_localstatedir} expands to /var, so this is /var/lib/foo
/sbin/restorecon -R %{_localstatedir}/lib/foo
In other words: no, I don't know of any way to label files when the policy is loaded, you will need to install the policy module and then run fixfiles.
- I have seen several suggestions on how to package and install .pp files with RPM:
http://fedoraproject.org/wiki/PackagingDrafts/SELinux vs http://selinuxproject.org/page/RPM
This is more complicated, but I recommend
https://fedoraproject.org/wiki/SELinux_Policy_Modules_Packaging_Draft
-- Mark Montague mark@catseye.org
On 11/23/2011 11:45 AM, Dmitry Makovey wrote:
Instead of adding a local policy module and setting a boolean, I would do this all in one step.
semanage -S targeted -i - << _EOF
boolean -m --on httpd_can_network_connect_db
fcontext -a -t httpd_sys_content_t '/usr/libexec/foo(.*)?'
fcontext -a -t httpd_sys_rw_content_t '/var/lib/foo(/.*)?'
_EOF
restorecon -R -v /usr/libexec/foo /var/lib/foo
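As an added example (not code from either reply), here is Mark's "do it in %post" advice and Dan's single semanage batch combined into install and remove scriptlets for the foo package; the paths, types and boolean are the ones from the thread, while the FOO_* variables and foo_* function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: Mark's "do it in %post" advice and
# Dan's single semanage batch, combined into scriptlets for the "foo" package.
# Paths, types and the boolean come from the thread; FOO_* / foo_* names are
# this example's own.

FOO_BOOL="httpd_can_network_connect_db"
FOO_BIN_RE='/usr/libexec/foo(.*)?'
FOO_DATA_RE='/var/lib/foo(/.*)?'
FOO_PATHS="/usr/libexec/foo /var/lib/foo"   # space-separated on purpose

# Batch for "semanage -i -": one transaction turns the boolean on and adds
# both file-context rules to the local store, where they survive a policy
# update, so no .pp module is needed for labels and booleans alone.
foo_semanage_install() {
    printf '%s\n' \
        "boolean -m --on $FOO_BOOL" \
        "fcontext -a -t httpd_sys_content_t '$FOO_BIN_RE'" \
        "fcontext -a -t httpd_sys_rw_content_t '$FOO_DATA_RE'"
}

# Batch for final removal: drop only the file-context rules. The boolean is
# shared with every other httpd-based package, so it is deliberately kept.
foo_semanage_remove() {
    printf '%s\n' \
        "fcontext -d '$FOO_BIN_RE'" \
        "fcontext -d '$FOO_DATA_RE'"
}

# %post body; "$1" is 1 on first install, 2 or more on upgrade. Labels are
# not applied when rules are loaded, hence the explicit restorecon over the
# files the package just installed.
foo_post() {
    [ "${1:-1}" -eq 1 ] || return 0             # upgrade: rules already there
    selinuxenabled 2>/dev/null || return 0      # no SELinux, nothing to do
    foo_semanage_install | semanage -S targeted -i - || return 1
    restorecon -R -v $FOO_PATHS
}

# %postun body; "$1" is the number of package instances left afterwards.
foo_postun() {
    [ "${1:-0}" -eq 0 ] || return 0             # upgrade: keep the rules
    selinuxenabled 2>/dev/null || return 0
    foo_semanage_remove | semanage -S targeted -i - || return 1
    restorecon -R $FOO_PATHS 2>/dev/null || :   # dirs may already be gone
}
```

Call foo_post "$1" from %post and foo_postun "$1" from %postun; on a host without SELinux, or during an upgrade, both return without touching the policy store.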