[Fedora-packaging] Packages changing SELinux configurations

Jose Pedro Oliveira jpo at di.uminho.pt
Sun Apr 24 01:23:20 UTC 2005


Hi,

I would like to ask a couple of questions regarding
SELinux configurations:

  1) is it valid to change SELinux booleans from within a
     specfile (via scripts/triggers) ?

  2) and to add local rules and make SELinux reload
     them (also via scripts/triggers)?

In my particular case, the package syslog-ng [1] needs
to activate the "use_syslogng" SELinux boolean that
exists only after selinux-policy-targeted >= 1.17.30-2.96
(to be correct, the boolean exists after release 2.90, but
the rules are more useful/correct after release 2.96 [2]).

I have made the following changes to the base specfile,
but I am wondering if they are valid.  I remember
reading something a while back that packages *should not*
change SELinux configurations.

-----------------------------------------------------------
...

# SELinux (Fedora Core 3)
Requires(preun):  libselinux
Requires(post):   libselinux
Requires:         selinux-policy-targeted >= 1.17.30-2.96

...

%post
if [ $1 = 1 ]; then
    setsebool -P use_syslogng 1
    ...
fi

%preun
if [ $1 = 0 ]; then
    ...
    setsebool -P use_syslogng 0
fi

...
-----------------------------------------------------------

Feedback would be appreciated.

Thanks in advance,
jpo

References:
[1] Bug 1332 - syslog-ng is a sysklogd replacement
    https://bugzilla.fedora.us/show_bug.cgi?id=1332
[2] Fedora Core 3, SELinux, and syslog-ng
    See comment #33 of the above ticket
-- 
José Pedro Oliveira
* mailto: jpo at di.uminho.pt * http://gsd.di.uminho.pt/~jpo *
* gpg fingerprint = F9B6 8D87 859D 1C94 48F0 84C0 9749 9EB5 91BD 851B *
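
A defensive form of the %post/%preun scriptlets quoted above, as an added example that is not part of the original post: it touches the boolean only when SELinux is enabled and the loaded policy defines it, and it never fails the RPM transaction. `sebool_apply` is a hypothetical helper name, and the `name --> on|off` output format of `getsebool` is an assumption.

```shell
# Added example: guarded wrapper around "setsebool -P" for RPM scriptlets.
# sebool_apply is a hypothetical helper; selinuxenabled, getsebool and
# setsebool are the standard SELinux userland commands.
#
# Usage: sebool_apply BOOLEAN on|off
# Prints one status word and always returns 0, so a scriptlet using it
# cannot abort the package transaction because of SELinux state.
sebool_apply() {
    name=$1
    want=$2

    # SELinux tools missing or SELinux disabled: nothing to configure.
    if ! command -v selinuxenabled >/dev/null 2>&1 || ! selinuxenabled; then
        echo skipped-disabled
        return 0
    fi

    # getsebool fails when the loaded policy does not define the boolean,
    # e.g. a policy older than the release that introduced it.
    if ! line=$(getsebool "$name" 2>/dev/null); then
        echo skipped-missing
        return 0
    fi

    # Assumed output format: "use_syslogng --> on" or "use_syslogng --> off".
    case $line in
        *"--> on"*)  current=on ;;
        *"--> off"*) current=off ;;
        *)           current=unknown ;;
    esac

    # Leave an administrator's existing setting alone if it already matches.
    if [ "$current" = "$want" ]; then
        echo unchanged
        return 0
    fi

    if setsebool -P "$name" "$want" >/dev/null 2>&1; then
        echo changed
    else
        echo failed
    fi
    return 0
}

# Scriptlet usage (shown as comments, not executed here):
#   %post:  if [ "$1" -eq 1 ]; then sebool_apply use_syslogng on;  fi
#   %preun: if [ "$1" -eq 0 ]; then sebool_apply use_syslogng off; fi
```

The status word can be logged by the scriptlet so an administrator can see whether the package changed local SELinux state.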



