Red Hat Bugzilla – Bug 185434
RFE: SELinux policy module support in RPM
Last modified: 2015-06-12 07:56:29 EDT
Description of problem:
We need support for rpm to install the policy module and update the kernel
before placing files down on the system. It then needs to trigger an update of
file context when complete.
Could you give more details of your requirements and expectations?
Yes, I was just putting this as a placeholder since I think we need to discuss
this in a meeting. What I am envisioning right now is something where the
specfile would indicate the policy files
And this file could be placed in some temporary location on the system and a
semodule -i /TMPLOCATION/myapp.pp
would happen. This would cause the policy to be rebuilt and reloaded and the
file_context file to be updated. At this point the rpm would proceed to place
files on disk.
Two problems with this is that if several packages were providing policy, each
one would need to do the semodule thing and this would take a very long time.
So it would be better if we could put them into some kind of transaction. So
all policy files get updated first. Then the RPMs get installed.
Finally, as a post-install step, the file context difference program would be run
to fix any file contexts that had been altered.
Extracting myapp.pp from payload in order to do %pretrans is the fundamental design problem.
Adding myapp.pp to metadata bloatery, either through additional tag, or by inlining in %pretrans,
is the dirty and expedient hack. Anything else will require extensive changes, like splitting
into subtransactions, or reading the payload multiple times.
User email@example.com's account has been closed
Reassigning to owner after bugzilla made a mess, sorry about the noise...
Adding FutureFeature keyword to RFEs.
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
Hmm, no news for 9 years...
There is a selinux plugin nowadays. I just assume that it does what is needed. Closing.