On Thu, Feb 6, 2014 at 2:49 AM, Miroslav Suchý <msu...@redhat.com> wrote:
> On 02/05/2014 08:24 PM, Richard Shaw wrote:
>
>> Are there official guidelines on how to handle selinux contexts in
>> packaging? I can still only find the draft which seems way more
>> complicated than necessary for my needs.
>>
>> I'm working on a package that uses mongodb internally (runs its own
>> instance). Selinux is complaining because it has mongodb creating the
>> database (and logs) outside of the normal locations.
>>
>> I think I can fix this with a "chcon -t mongod_var_lib_t
>> %{_sharedstatedir}/db/location" and "chcon -t mongod_log_t /log/path"
>> or something like that.
>>
>> Is it a good idea to do this in %post?
>>
>
> I do not think there is a general guideline.
>
> As others suggested - it is a bad idea to call chcon explicitly. You should
> rather write your own selinux policy (it is not that hard, really) and call
> restorecon or fixfiles.

Got it.

> You should not call it in %post because selinux policy can be loaded after
> your %post. The story about this is a little bit longer and boring. The
> conclusion is - do that in %posttrans.

Ok, good to know.

> You can get some inspiration e.g. in:
> https://git.fedorahosted.org/cgit/copr.git/tree/copr.spec
> https://git.fedorahosted.org/cgit/copr.git/tree/selinux

Thanks! I've gotten this far on my own. I used semanage and some google-fu to
come up with this that seems to fix the problem. I'm not sure if there's a
better way (i.e. a more "least privilege" route) but I have the following in
file_contexts.local:

/var/lib/unifi/logs(/.*)? system_u:object_r:mongod_var_lib_t:s0
/var/lib/unifi/data(/.*)? system_u:object_r:mongod_var_lib_t:s0

And the port problem in ports.local:

portcon tcp 27117 system_u:object_r:mongod_port_t:s0

Now, how to turn that into a policy file...

Thanks,
Richard
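The step Richard asks about, turning the file_contexts.local and ports.local entries into a loadable policy module and wiring it into the spec the way Miroslav describes (load in %post, relabel in %posttrans), as an added example that is not code from this thread, from the unifi package or from the copr project. It assumes a module named unifi, the selinux-policy-devel Makefile at /usr/share/selinux/devel/Makefile, and the paths, types and port quoted above; the .te file only requires the existing mongod types, so the module adds no new permissions. The thread also mentions mongod_log_t as a candidate for the log directory, which would be the tighter choice if mongod is the only writer there.

```shell
#!/bin/sh
# Added example (not from the thread, unifi or copr): build and install an
# SELinux policy module that reuses the mongod types for the unifi paths.
# Assumptions: module name "unifi", selinux-policy-devel installed, and the
# paths/port from Richard's file_contexts.local and ports.local.
set -eu

MODULE=unifi
MONGOD_PORT=27117   # port the bundled mongod listens on (from the thread)

unifi_mongod_port() { printf '%s\n' "$MONGOD_PORT"; }

# Write the policy sources. unifi.fc carries the contexts from
# file_contexts.local in refpolicy syntax; unifi.te only *requires* the
# mongod types it references, granting nothing new.
write_policy_sources() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/$MODULE.te" <<'EOF'
policy_module(unifi, 1.0.0)

# Reuse the types defined by the mongodb policy instead of inventing new ones.
require {
    type mongod_var_lib_t;
    type mongod_port_t;
}
EOF
    # The thread also mentions mongod_log_t; it would be the tighter label
    # for the logs directory if only mongod writes there.
    cat > "$dir/$MODULE.fc" <<'EOF'
/var/lib/unifi/data(/.*)?    gen_context(system_u:object_r:mongod_var_lib_t,s0)
/var/lib/unifi/logs(/.*)?    gen_context(system_u:object_r:mongod_var_lib_t,s0)
EOF
}

# Compile unifi.te + unifi.fc into unifi.pp with the standard devel Makefile.
build_policy_module() {
    dir=$1
    make -C "$dir" -f /usr/share/selinux/devel/Makefile "$MODULE.pp"
}

# What %post does: load the module and label the port. The port is
# registered with semanage rather than a portcon line in the module;
# "-m" covers the case where the port already has a label.
install_policy_module() {
    pp=$1
    semodule -i "$pp"
    semanage port -a -t mongod_port_t -p tcp "$MONGOD_PORT" 2>/dev/null \
        || semanage port -m -t mongod_port_t -p tcp "$MONGOD_PORT"
}

# What %posttrans does (after the policy is guaranteed to be loaded, as
# Miroslav advises): apply the new contexts to files already on disk.
relabel_unifi_paths() {
    restorecon -R /var/lib/unifi/data /var/lib/unifi/logs
}

# Corresponding spec scriptlets (assumed install path for the .pp file):
#   %post
#   semodule -i %{_datadir}/selinux/packages/unifi.pp || :
#   semanage port -a -t mongod_port_t -p tcp 27117 2>/dev/null || :
#   %posttrans
#   restorecon -R /var/lib/unifi/data /var/lib/unifi/logs || :
#   %postun
#   if [ $1 -eq 0 ]; then
#       semanage port -d -t mongod_port_t -p tcp 27117 2>/dev/null || :
#       semodule -r unifi || :
#   fi

# Usage: ./unifi-selinux.sh generate|build|install [dir-or-pp-file]
case "${1:-}" in
    generate) write_policy_sources "${2:-./$MODULE-selinux}" ;;
    build)    build_policy_module "${2:-./$MODULE-selinux}" ;;
    install)  install_policy_module "${2:-./$MODULE-selinux/$MODULE.pp}" \
                  && relabel_unifi_paths ;;
esac
```

Running `generate` then `build` on a box with selinux-policy-devel produces unifi.pp; packaging it under %{_datadir}/selinux/packages and using the scriptlets in the comment keeps the relabel in %posttrans, where the module is already loaded, and removes both the port label and the module on final uninstall.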
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct