Bug 288781 - Security Content to be added to Deployment Guide
Status: CLOSED CANTFIX
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: doc-SELinux_User_Guide
6.0
All Linux
medium Severity low
: rc
: ---
Assigned To: Scott Radvan
Joshua Wulf
: Documentation, FutureFeature
Depends On:
Blocks: 237606 547585
Reported: 2007-09-13 01:54 EDT by Michael Hideo
Modified: 2016-06-17 17:07 EDT
Doc Type: Enhancement
Last Closed: 2010-04-15 20:00:04 EDT
Description Michael Hideo 2007-09-13 01:54:56 EDT
This should be added to the DG or maybe the Security_Guide.

Cheers, Jeff.

-- 
Jeff Fearn <jfearn@redhat.com>
Software Engineer
Engineering Operations
Red Hat, Inc

Subject: 	FYI Guide to writing selinux policy.
Date: 	Tue, 21 Aug 2007 11:24:42 -0400
To: 	"tech-list@redhat.com" <tech-list@redhat.com>, os-devel-list@redhat.com
From: 	Daniel J Walsh <dwalsh@redhat.com>
http://www.redhatmagazine.com/2007/08/21/a-step-by-step-guide-to-building-a-new-selinux-policy-module/

CC: 	os-devel-list@redhat.com
Subject: 	Re: FYI Guide to writing selinux policy.
Date: 	Tue, 21 Aug 2007 16:45:10 +0100
To: 	tech-list@redhat.com
From: 	"Daniel P. Berrange" <berrange@redhat.com>
On Tue, Aug 21, 2007 at 11:24:42AM -0400, Daniel J Walsh wrote:
> http://www.redhatmagazine.com/2007/08/21/a-step-by-step-guide-to-building-a-new-selinux-policy-module/

Looks great - it'd be useful to have a note on how to distribute policy with
the application's RPMs. Best solution^H^H^H^H^Hhack I've come up with is to
name policy to match RPM name and then to use a couple of scripts:

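%post
# Load the policy module shipped in the package, then relabel the package's files
/usr/sbin/semodule -i %{_datadir}/selinux/packages/%{name}/%{name}.pp >/dev/null
fixfiles -R %{name} restore

%postun
# $1 is 0 only on final erase (not on upgrade): remove the policy module
if [ $1 -eq 0 ]; then
    /usr/sbin/semodule -r %{name} >/dev/null
fi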


The fixfiles stuff being there to relabel the installed files - RPM itself
won't get labelling correct since the policy isn't loaded into kernel until
the files have already been laid down on disk. I guess ideally RPM would
learn a little bit about the file types in a package and install the policy
first & load it before installing the rest of the files, but obviously need
a solution that works with currently released distros.

Dan.
-- 
|=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=|
|=- Perl modules: http://search.cpan.org/~danberr/ -=|
|=- Projects: http://freshmeat.net/~danielpb/ -=|
|=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|

Subject: 	Re: FYI Guide to writing selinux policy.
Date: 	Tue, 21 Aug 2007 11:21:31 -0500
To: 	tech-list@redhat.com
From: 	Ian Pilcher <ipilcher@redhat.com>
Daniel P. Berrange wrote:
> The fixfiles stuff being there to relabel the installed files - RPM itself
> won't get labelling correct since the policy isn't loaded into kernel until
> the files have already been laid down on disk. I guess ideally RPM would
> learn a little bit about the file types in a package and install the policy
> first & load it before installing the rest of the files, but obviously need
> a solution that works with currently released distros.

How about putting the policy in a separate RPM and using Requires(pre)?
(Or does that feature of RPM not work? I can never remember.)

-- 
Ian Pilcher, RHCE 1501 L.B.J. Freeway, Suite 200
Solution Architect, Enterprise Sales Dallas, TX 75234
Red Hat, Inc. 972-672-8533
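
A post-install check for the labelling problem discussed in the thread above, as an added example that is not part of the original bug or e-mails: it confirms the policy module is loaded and lists packaged files whose on-disk context differs from what policy expects. Assumptions: the module is named after the package (as in the scriptlets above), `semodule -l` prints the module name in its first column, `matchpathcon -V` prints "PATH verified." or "PATH has context CUR, should be EXPECTED", and the package name "myapp" and sample output are constructed.

```shell
#!/bin/sh
# Added example: verify that a package's SELinux module is loaded and that
# its files carry the labels the loaded policy expects.
# Limitation: paths containing whitespace are not handled.

# module_loaded NAME: reads `semodule -l` output on stdin; succeeds if NAME
# is listed (first column, with or without a version column after it).
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }'
}

# mislabeled: reads `matchpathcon -V` output on stdin and prints one line
# per mismatching file: "PATH CURRENT_CONTEXT EXPECTED_CONTEXT".
mislabeled() {
    awk '$2 == "has" && $3 == "context" {
             cur = $4; sub(/,$/, "", cur)
             print $1, cur, $NF
         }'
}

# check_package NAME: run the real tools against an installed package.
# Returns 1 if the module is missing, 2 if any file is mislabelled.
check_package() {
    pkg=$1
    /usr/sbin/semodule -l | module_loaded "$pkg" || {
        echo "policy module $pkg is not loaded" >&2; return 1; }
    bad=$(rpm -ql "$pkg" | xargs matchpathcon -V 2>/dev/null | mislabeled)
    [ -z "$bad" ] || { echo "$bad"; return 2; }
}

# Constructed sample tool output for the hypothetical package "myapp".
SAMPLE_MODULES='abrt 1.4.1
myapp 1.0.0
zabbix 1.6.2'
SAMPLE_VERIFY='/usr/sbin/myappd verified.
/var/lib/myapp has context system_u:object_r:var_lib_t:s0, should be system_u:object_r:myapp_var_lib_t:s0
/etc/myapp.conf verified.'
```

A non-empty result from `check_package` after installation means files were laid down with labels that no longer match the loaded policy, which is the case the `fixfiles` call in `%post` is there to correct.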
Comment 1 Michael Hideo 2007-11-05 18:50:20 EST
Moving Status to 'Assigned'
Comment 2 Don Domingo 2008-01-31 19:56:18 EST
queueing as a major RHEL5 task. 
Comment 4 Scott Radvan 2010-04-15 20:00:04 EDT
linked content is out-of-date, policy module building is covered via a different technique
