On 06/16/2014 02:15 PM, Richard Shaw wrote:
> On Mon, Jun 16, 2014 at 1:08 PM, Daniel J Walsh <dwa...@redhat.com> wrote:
>> On 06/16/2014 01:35 PM, Richard Shaw wrote:
>>> On Mon, Jun 16, 2014 at 12:19 PM, Daniel J Walsh <dwa...@redhat.com> wrote:
>>>> On 06/12/2014 10:14 AM, Richard Shaw wrote:
>>>>> On Thu, Jun 12, 2014 at 6:56 AM, Daniel J Walsh <dwa...@redhat.com> wrote:
>>>>>>> The full unifi software is java with a mongodb database backend and
>>>>>>> works fine. I have a RPM I created, the only problem I haven't been
>>>>>>> able to fix is the selinux issues, one for the private mongodb
>>>>>>> instance, and then the ports it binds to.
>>>>>> Please open a bugzilla for the SELinux issues.
>>>>>
>>>>> Before I open a BZ, here's what I have in my spec file which from what
>>>>> I understand should be persistent...
>>>>>
>>>>> %posttrans
>>>>> /usr/sbin/semanage fcontext -e /var/lib/mongod "/var/lib/unifi/logs(/.*)?"
>>>>> /usr/sbin/semanage fcontext -e /var/lib/mongod "/var/lib/unifi/data(/.*)?"
>>>>> /usr/sbin/semanage port -m -t mongod_port_t 27117
>>>>>
>>>>> Or should this be handled in a policy?
>>>>>
>>>>> Thanks,
>>>>> Richard
>>>>
>>>> I think your post install should look like:
>>>>
>>>> /usr/sbin/semanage fcontext -e /var/log/mongod "/var/lib/unifi/logs"
>>>> /usr/sbin/semanage fcontext -e /var/lib/mongod "/var/lib/unifi/data"
>>>> /usr/sbin/semanage port -m -t mongod_port_t 27117
>>>>
>>>> Don't use the regex. Also I would figure the logs should be labeled
>>>> mongod_log_t rather than mongod_lib_t.
>>>
>>> What is the concern with regex? Is it specific to packaging? Most of the
>>> examples I found online used that method... As far as the label, since
>>> everything is getting dumped in /var/lib I figured that would be OK.
>>
>> Not a concern with regex. It just will not work. The examples you have
>> seen online were not using equivalence. They were using generic labelling.
>> Equivalence tells SELinux to swap the second part of the path with the
>> first. Your code would only match file paths that began with
>> /var/lib/unifi/logs(/.*?), not /var/lib/unifi/logs/foobar.log.
>>
>>>> If this is a standard location for this code, we should put it into
>>>> the base package.
>>>
>>> There is not a standard install location; the install will "work" as
>>> long as everything stays in the same relative location (the unifi
>>> directory). Since it writes a lot of stuff I figured /var was the best
>>> (only?) real option.
>>
>> Yes
>>
>>> Following the example of a draft wiki I can't find anymore I had
>>> modified the scripts to this instead of using %posttrans:
>>>
>>> %post
>>> semanage fcontext -a -t mongod_var_lib_t \
>>>     "%{_sharedstatedir}/unifi/logs(/.*)?" 2>/dev/null || :
>>> semanage fcontext -a -t mongod_var_lib_t \
>>>     "%{_sharedstatedir}/unifi/data(/.*)?" 2>/dev/null || :
>>> restorecon -R %{_sharedstatedir}/unifi/logs || :
>>> restorecon -R %{_sharedstatedir}/unifi/data || :
>>> semanage port -m -t mongod_port_t 27117 || :
>>>
>>> %postun
>>> if [ $1 -eq 0 ] ; then # final removal
>>>     semanage fcontext -d -t mongod_var_lib_t \
>>>         "%{_sharedstatedir}/unifi/logs(/.*)?" 2>/dev/null || :
>>>     semanage fcontext -d -t mongod_var_lib_t \
>>>         "%{_sharedstatedir}/unifi/data(/.*)?" 2>/dev/null || :
>>> fi
>>
>> That should work. You could speed it up by combining both semanage
>> fcontext lines into a single transaction. Something like:
>>
>> semanage -S targeted -i - 2>/dev/null << _EOF || :
>> fcontext -a -t mongod_var_lib_t "%{_sharedstatedir}/unifi/logs(/.*)?"
>> fcontext -a -t mongod_var_lib_t "%{_sharedstatedir}/unifi/data(/.*)?"
>> _EOF
>
> Ok, just to be clear, I still need to remove the (/.*)? parts? I found the
> packaging draft I referred to:
>
> http://fedoraproject.org/wiki/PackagingDrafts/SELinux
>
> Which shows including it.
>
> Thanks,
> Richard

If you use the "-e" option, you do not use them; if you are using the "-a"
option you do.

Your first message said you used

/usr/sbin/semanage fcontext -e /var/lib/mongod "/var/lib/unifi/logs(/.*)?"
/usr/sbin/semanage fcontext -e /var/lib/mongod "/var/lib/unifi/data(/.*)?"

which is wrong because you used the "-e".

Your second email said you were doing

semanage fcontext -d -t mongod_var_lib_t \
    "%{_sharedstatedir}/unifi/logs(/.*)?" 2>/dev/null || :
semanage fcontext -d -t mongod_var_lib_t \
    "%{_sharedstatedir}/unifi/data(/.*)?" 2>/dev/null || :

which used the "-a", which was correct; it needs the regex.
-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
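The two labelling forms argued over in this thread, written out side by side as an added example (this is not code from the thread, from the unifi package or from Fedora's SELinux packaging draft). It assumes, as the thread does, that the package keeps its state under /var/lib/unifi/data and /var/lib/unifi/logs, that the private mongod listens on TCP 27117, and that /var/lib/mongod and /var/log/mongod are valid equivalence targets (the paths quoted above; confirm them with `semanage fcontext -l | grep mongod` on the target release before shipping). The fcontext_* functions only emit the lines of a `semanage -i -` transaction, so the difference between the explicit-type form (regex required) and the equivalence form (no regex) can be inspected on a box without SELinux; selinux_post and selinux_postun are what the %post and %postun scriptlets would call.

```shell
#!/bin/sh
# Added example: SELinux labelling helpers for a hypothetical "unifi" RPM
# that bundles a private mongod. Not from the thread or the package.
#
# Assumed (not in the original): state lives under $UNIFI_ROOT/{data,logs},
# mongod listens on TCP $UNIFI_PORT, and /var/lib/mongod and /var/log/mongod
# are the equivalence targets named in the thread.

UNIFI_ROOT="${UNIFI_ROOT:-/var/lib/unifi}"
UNIFI_PORT="${UNIFI_PORT:-27117}"

# Explicit-type form (-t): the (/.*)? regex is REQUIRED. Each line is a
# standalone file_contexts pattern; without the regex only the directory
# itself would match, not the files created inside it.
# $1 is "a" (add) or "d" (delete), so one function serves %post and %postun.
fcontext_explicit() {
    printf 'fcontext -%s -t mongod_var_lib_t "%s/data(/.*)?"\n' "$1" "$UNIFI_ROOT"
    printf 'fcontext -%s -t mongod_log_t "%s/logs(/.*)?"\n' "$1" "$UNIFI_ROOT"
}

# Equivalence form (-e): NO regex. An equivalence rewrites the path prefix
# before the normal pattern lookup, so $UNIFI_ROOT/data/foo is labelled the
# way /var/lib/mongod/foo would be, using the rules policy already carries
# for mongod. A literal "(/.*)?" in the prefix never matches a real path.
fcontext_equiv() {
    printf 'fcontext -%s -e /var/lib/mongod "%s/data"\n' "$1" "$UNIFI_ROOT"
    printf 'fcontext -%s -e /var/log/mongod "%s/logs"\n' "$1" "$UNIFI_ROOT"
}

# Pick ONE form (FCONTEXT_FORM=explicit|equiv) and emit it as a single
# transaction, so the policy store is rebuilt once instead of per call.
fcontext_lines() {   # $1 = a|d
    case "${FCONTEXT_FORM:-explicit}" in
        equiv) fcontext_equiv "$1" ;;
        *)     fcontext_explicit "$1" ;;
    esac
}

selinux_post() {
    fcontext_lines a | semanage -S targeted -i - 2>/dev/null || :
    # "port -m" only changes a port that already has a type; "-a" is what
    # defines a new one, so try -a first and fall back to -m on reinstall.
    semanage port -a -t mongod_port_t -p tcp "$UNIFI_PORT" 2>/dev/null \
        || semanage port -m -t mongod_port_t -p tcp "$UNIFI_PORT" 2>/dev/null || :
    # Apply the new rules to files that already exist.
    restorecon -R "$UNIFI_ROOT/data" "$UNIFI_ROOT/logs" 2>/dev/null || :
}

selinux_postun() {
    fcontext_lines d | semanage -S targeted -i - 2>/dev/null || :
    semanage port -d -t mongod_port_t -p tcp "$UNIFI_PORT" 2>/dev/null || :
}

# Scriptlet entry points, e.g. in the spec (paths are illustrative):
#   %post    : sh %{_libexecdir}/unifi/selinux.sh post
#   %postun  : [ $1 -eq 0 ] && sh %{_libexecdir}/unifi/selinux.sh postun
case "${1:-}" in
    post)   selinux_post ;;
    postun) selinux_postun ;;
    show)   fcontext_lines a ;;   # print the transaction without applying it
esac
```

Running `sh selinux.sh show` prints the transaction text so it can be compared against what `semanage fcontext -l -C` reports after install. Note that `semanage port` requires `-p tcp`, which the scriptlets quoted in the thread omit, and that the equivalence form is only as good as the mongod rules it points at: if the target release labels /var/log/mongodb rather than /var/log/mongod, the equivalence adds nothing and the logs stay default_t or var_lib_t.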