From: devel-boun...@lists.fedoraproject.org
[mailto:devel-boun...@lists.fedoraproject.org] On Behalf Of Daniel J Walsh
Sent: Tuesday, July 22, 2014 14:12
To: Development discussions related to Fedora
Subject: Re: Advice needed for packaging local SELinux policy
On 07/22/2014 01:42 PM, John Florian wrote:
I have a locally maintained package for private use that among other things
constrains proliferation of files in the following directory:
# ls -lZd /var/lib/puppet/reports/
drwxr-x---. puppet puppet system_u:object_r:puppet_var_lib_t:s0
/var/lib/puppet/reports/
My rpm contains a script that uses the tmpwatch tool to do some of the work and
is called by cron and ran as the puppet user. Using the standard
selinux-policy-targeted, I get this AVC (and perhaps others):
type=AVC msg=audit(1405588621.722:37432): avc: denied { read } for pid=15113
comm="tmpwatch" name="puppet" dev="vda3" ino=260273
scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023
tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
I could change the job to run as root and am familiar with using audit2allow to
make a local policy exception. However, I’d like to resolve the issue via my
rpm directly. I’ve not been successful in finding any guidelines in how to
best approach that task. Do I package a bit of SEL policy or is there a way to
have my script run with the puppet_var_lib_t context?
--
John Florian
Then you should add a custom policy to allow tmpreaper_t to manage
puppet_var_lib_t.
Okay, that makes sense and is much as I suspected. Can you (or anyone else)
point me to a trivial example spec file that compiles the te to pp, installs
(presumably in %post) and uninstalls (in %preun) so that I might avoid common
pitfalls and leverage any macros or aids to do this easily and correctly? Many
thanks in advance!
--
John Florian
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
