Bug 288781

Summary: Security Content to be added to Deployment Guide
Product: Red Hat Enterprise Linux 6
Reporter: Michael Hideo <mhideo>
Component: doc-SELinux_User_Guide
Assignee: Scott Radvan <sradvan>
Status: CLOSED CANTFIX
QA Contact: Joshua Wulf <jwulf>
Severity: low
Docs Contact:
Priority: medium
Version: 6.0
CC: ddomingo, lcarlon, rlandman
Target Milestone: rc
Keywords: Documentation, FutureFeature
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-04-16 00:00:04 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 237606, 547585

Description Michael Hideo 2007-09-13 05:54:56 UTC
This should be added to the DG or maybe the Security_Guide.

Cheers, Jeff.

-- 
Jeff Fearn <jfearn>
Software Engineer
Engineering Operations
Red Hat, Inc

Subject: 	FYI Guide to writing selinux policy.
Date: 	Tue, 21 Aug 2007 11:24:42 -0400
To: 	"tech-list" <tech-list>, os-devel-list
From: 	Daniel J Walsh <dwalsh>
http://www.redhatmagazine.com/2007/08/21/a-step-by-step-guide-to-building-a-new-selinux-policy-module/

CC: 	os-devel-list
Subject: 	Re: FYI Guide to writing selinux policy.
Date: 	Tue, 21 Aug 2007 16:45:10 +0100
To: 	tech-list
From: 	"Daniel P. Berrange" <berrange>
On Tue, Aug 21, 2007 at 11:24:42AM -0400, Daniel J Walsh wrote:
> http://www.redhatmagazine.com/2007/08/21/a-step-by-step-guide-to-building-a-new-selinux-policy-module/

Looks great - it'd be useful to have a note on how to distribute policy with
the application's RPMs. Best solution^H^H^H^H^Hhack I've come up with is to
name policy to match RPM name and then to use a couple of scripts:

%post
/usr/sbin/semodule -i %{_datadir}/selinux/packages/%{name}/%{name}.pp >/dev/null
fixfiles -R %{name} restore

%postun
# $1 is 0 only on final removal of the package, not on upgrade
if [ $1 -eq 0 ]; then
    /usr/sbin/semodule -r %{name} >/dev/null
fi


The fixfiles stuff being there to relabel the installed files - RPM itself
won't get labelling correct since the policy isn't loaded into kernel until
the files have already been laid down on disk. I guess ideally RPM would
learn a little bit about the file types in a package and install the policy
first & load it before installing the rest of the files, but obviously need
a solution that works with currently released distros.

Dan.
-- 
|=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=|
|=- Perl modules: http://search.cpan.org/~danberr/ -=|
|=- Projects: http://freshmeat.net/~danielpb/ -=|
|=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|

Subject: 	Re: FYI Guide to writing selinux policy.
Date: 	Tue, 21 Aug 2007 11:21:31 -0500
To: 	tech-list
From: 	Ian Pilcher <ipilcher>
Daniel P. Berrange wrote:
> The fixfiles stuff being there to relabel the installed files - RPM itself
> won't get labelling correct since the policy isn't loaded into kernel until
> the files have already been laid down on disk. I guess ideally RPM would
> learn a little bit about the file types in a package and install the policy
> first & load it before installing the rest of the files, but obviously need
> a solution that works with currently released distros.

How about putting the policy in a separate RPM and using Requires(pre)?
(Or does that feature of RPM not work? I can never remember.)

-- 
Ian Pilcher, RHCE 1501 L.B.J. Freeway, Suite 200
Solution Architect, Enterprise Sales Dallas, TX 75234
Red Hat, Inc. 972-672-8533

Comment 1 Michael Hideo 2007-11-05 23:50:20 UTC
Moving Status to 'Assigned'

Comment 2 Don Domingo 2008-02-01 00:56:18 UTC
queueing as a major RHEL5 task. 

Comment 4 Scott Radvan 2010-04-16 00:00:04 UTC
Linked content is out of date; policy module building is covered via a different technique.