How to get an SELinux policy change
Daniel J Walsh
dwalsh at redhat.com
Fri Nov 7 15:49:41 UTC 2008
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Paul Howarth wrote:
> On Fri, 07 Nov 2008 09:53:18 -0500
> Daniel J Walsh <dwalsh at redhat.com> wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Jerry James wrote:
>>> 2008/11/7 yersinia <yersinia.spiros at gmail.com>:
>>>> Do look useful this docu ?
>>>>
>>>> http://fedoraproject.org/wiki/PackagingDrafts/SELinux/PolicyModules
>>> Thank you. That is a very useful document. However, it does not
>>> appear to answer my question. I need a non-default security context
>>> for binaries that are both built and executed in the %build script,
>>> when the policy module has not yet been installed. It appears to me
>>> that there are only two ways to accomplish this: keep abusing
>>> java_exec_t like I have been, or get a GCL policy incorporated into
>>> selinux-policy* prior to building GCL. Am I wrong? Is there some
>>> other option? Does anyone have any guidance to offer me on which
>>> option to pursue? Thanks,
>> I would go with the chcon solution you have but instead of hard coding
>> the java_exec_t, I would execute
>>
>> You can get the context of the final destination of the file using
>>
>> chcon `matchpathcon -n /usr/bin/gcl` LOCALPATH/gcl
>>
>> Which seems to be a fine way of doing. this.
>
> Indeed, but it needs the context type for /usr/bin/gcl to be set to
> java_exec_t or equivalent in the selinux-policy package before it'll
> work.
>
> Paul.
>
+/usr/bin/gcl -- gen_context(system_u:object_r:execmem_exec_t,s0)
Will be in selinux-policy-3.5.13-19.fc10
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkkUY5UACgkQrlYvE4MpobNcZwCffDDyogNaxP/4ozZE0omAJ5N5
pjcAnijuOdoAT67e5eD2RVHiiED6p5Gv
=86wN
-----END PGP SIGNATURE-----
More information about the fedora-devel-list
mailing list