package review?

Michael Thomas wart at kobold.org
Fri Jul 21 19:25:51 UTC 2006


Paul Howarth wrote:
> Michael Thomas wrote:
> 
>> A few packages (game server daemons) that I maintain in Fedora Extras
>> would benefit from having a selinux security policy available.  But
>> since I'm new to writing selinux policies, I was hoping that someone
>> from f-s-l could take a peek at what I did and let me know if I've done
>> things correctly and in the 'recommended' way.
>>
>> I've already tested the policy on FC5 to make sure that it works and
>> produces no 'avc denied' messages:
>>
>> http://www.kobold.org/~wart/fedora/crossfire-1.9.1-2.src.rpm
>>
>> I wasn't sure exactly which networking rules I would need.  Most of the
>> ones there were generated by policygentool.  I also couldn't figure out
>> why some of the rules at the end of crossfire.te were necessary.
> 
> 
> I don't see any domain transition to crossfire_t in your policy; how
> does it get into that domain?

It should be there in crossfire.if, no?

> Your policy file includes a comment about wanting to patch out use of
> temp files; another option would be to use your own domain for temp
> files, as you've done for the log files.

Good point.  But it looks like changing to not use /tmp will be fairly
straightforward.

> Did you follow the guide on Packaging/SELinux on the wiki for actually
> building the module in your package? I've changed what I do for package
> building since I last updated that page (and I can't update it any more)
> and you'll find it won't build on rawhide as there is an
> selinux-policy-devel package you need as a buildreq there.

Yes, I used policygentool to generate the policy files, then your
SELinux page to put it in the package.  I'd like to see an official
packaging policy for selinux modules for Fedora Extras, but I'm not sure
that there are many FE contributors looking at selinux yet.  It looks
like the page has also been copied to PackagingDrafts/SELinux, where you
should be able to modify it.

Some things that would be nice to clarify:

Should selinux be added as a subpackage or automatically included in the
base package?

If selinux is added as a subpackage, what should its Requires: look like
(or should there even be any?)

Is a single targeted policy enough, or is it necessary to build for all
selinux variants (mls, strict, targeted)?

> An example of the way I'm currently doing SELinux module packaging can
> be found here:
> 
> http://www.city-fan.org/~paul/extras/mod_fcgid/mod_fcgid.spec

/me runs screaming from the %defines :)

--Mike
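A minimal crossfire.te, sketched here as an added example (it is not the policy in the src.rpm linked above, nor Paul's mod_fcgid policy), of the two points raised in the thread: how a daemon started from its init script gets the transition into crossfire_t, and how to give temp files their own type instead of patching out /tmp use. crossfire_t is the only type named in the thread; crossfire_exec_t, crossfire_tmp_t and crossfire_log_t are assumed names, and the interface and permission-set names are the reference policy ones, so check them against the .if and .spt files of the selinux-policy-devel package you build against.

```selinux
# Added example, not the crossfire package's own policy file.
# Reference-policy style .te module; crossfire_exec_t, crossfire_tmp_t
# and crossfire_log_t are assumed type names.
policy_module(crossfire, 1.0)

########################################
# Declarations

# The daemon's domain and the type of its executable.  Declaring the
# pair through init_daemon_domain() is what supplies the domain
# transition: it marks crossfire_exec_t as an entrypoint and adds the
# automatic transition from initrc_t, so starting the init script
# lands the server process in crossfire_t.
type crossfire_t;
type crossfire_exec_t;
init_daemon_domain(crossfire_t, crossfire_exec_t)

# Private type for the daemon's temp files.  Other domains that may
# touch generic tmp_t content get no access to these files.
type crossfire_tmp_t;
files_tmp_file(crossfire_tmp_t)

# Private type for the log files, as the thread already does.
type crossfire_log_t;
logging_log_file(crossfire_log_t)

########################################
# Local policy

# Full control over its own temp files and directories ...
allow crossfire_t crossfire_tmp_t:dir manage_dir_perms;
allow crossfire_t crossfire_tmp_t:file manage_file_perms;
# ... and a type transition so anything the daemon creates directly
# under /tmp is labelled crossfire_tmp_t rather than tmp_t.
files_tmp_filetrans(crossfire_t, crossfire_tmp_t, { file dir })

# Same pattern for the log files under /var/log.
allow crossfire_t crossfire_log_t:file manage_file_perms;
logging_log_filetrans(crossfire_t, crossfire_log_t, file)
```

For the transition to actually fire, the server binary has to carry the crossfire_exec_t label, which is the job of the matching crossfire.fc entry; after installing the module, `ls -Z` on the binary and on a running server's /proc/PID entry is the quick check that both the file label and the domain are what the policy expects, and any leftover tmp_t denials in the audit log point at files created before the filetrans rule was loaded.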