New packages and custom Selinux policies

Paul Howarth paul at city-fan.org
Thu May 10 08:55:12 UTC 2007


Peter Smith wrote:
> I wrote an in-house RPM that is getting installed without error.  
> However, on SELinux Enforcing machines using the targeted policy, it 
> doesn't allow executing my app.  I have the following questions about this.
> 
> *)  What's the recommended method for supporting non-core apps to be 
> installed *and* be supported under SELinux policies?  I figured I'd 
> create a 2nd RPM that provides a compiled SELinux policy to be added at 
> runtime to the system policy.
> a)  If it is recommended to make 2 separate RPMs for an application--one 
> for the app and one for the policy--how do you ensure the policy is 
> always loaded with the system?  I've opted to create an init script to 
> handle this.
> b)  Should the policy get compiled during the SRPM-RPM build process or 
> should it be compiled out-of-band and then just packaged into the RPM.  
> In other words, with custom policies, is the expectation that you'd need 
> to rebuild them whenever updating SELinux in any way?

Start here:
http://fedoraproject.org/wiki/PackagingDrafts/SELinux/PolicyModules

> It appears that there's no provision to support 3rd-party non-core 
> applications as far as SELinux policies are concerned.

Not so. The standard Fedora policy contains contexts for binary nvidia 
driver modules and Adobe Reader for instance, which certainly aren't core.

Paul.
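To make the packaging draft's approach concrete, here is an added example (not code from the thread, the draft, or Fedora itself) of the pieces a policy-module package carries: constructed `.te`/`.fc` sources for a hypothetical daemon `myapp` installed as `/usr/bin/myapp`, a build step using the Makefile from `selinux-policy-devel`, and the `semodule` calls an RPM would run from its `%post`/`%postun` scriptlets. The app name, paths, and the allow rules are assumptions for illustration; the tool names (`make -f /usr/share/selinux/devel/Makefile`, `semodule`, `restorecon`) are the standard SELinux userspace commands.

```shell
#!/bin/sh
# Added example: minimal SELinux policy module for a hypothetical in-house
# daemon "myapp". App name, paths and rules are constructed for illustration.
set -eu

APP=myapp
WORKDIR="${WORKDIR:-./selinux-build}"

# Type enforcement source. init_daemon_domain() makes init transition into
# myapp_t when it executes a file labelled myapp_exec_t; the single allow
# rule covers the daemon's own log file. Real policy grows from here by
# reading AVC denials (audit2allow) rather than by guessing.
gen_te() {
    cat <<EOF
policy_module(${APP}, 1.0)

type ${APP}_t;
type ${APP}_exec_t;
init_daemon_domain(${APP}_t, ${APP}_exec_t)

type ${APP}_log_t;
logging_log_file(${APP}_log_t)
allow ${APP}_t ${APP}_log_t:file { create open append getattr };
EOF
}

# File contexts: the binary gets the exec type so the domain transition
# fires; the log directory gets the private log type.
gen_fc() {
    cat <<EOF
/usr/bin/${APP}            --  gen_context(system_u:object_r:${APP}_exec_t,s0)
/var/log/${APP}(/.*)?          gen_context(system_u:object_r:${APP}_log_t,s0)
EOF
}

# Build step (run at RPM build time, BuildRequires: selinux-policy-devel).
# The resulting myapp.pp is what the binary RPM ships, e.g. under
# /usr/share/selinux/packages/myapp/.
build_module() {
    mkdir -p "$WORKDIR"
    gen_te > "$WORKDIR/${APP}.te"
    gen_fc > "$WORKDIR/${APP}.fc"
    make -C "$WORKDIR" -f /usr/share/selinux/devel/Makefile "${APP}.pp"
}

# %post: semodule stores the module in the policy store, so it is loaded
# on every boot without a custom init script. restorecon applies the new
# file contexts to files the RPM just installed.
policy_install() {
    semodule -i "/usr/share/selinux/packages/${APP}/${APP}.pp"
    restorecon -R "/usr/bin/${APP}" "/var/log/${APP}" 2>/dev/null || :
}

# %postun: only on final erase (rpm passes $1 = 0), remove the module.
policy_remove() {
    semodule -r "${APP}"
}

case "${1:-}" in
    build)   build_module ;;
    install) policy_install ;;
    remove)  policy_remove ;;
    *)       printf 'usage: %s build|install|remove\n' "$0" ;;
esac
```

Two design points follow from the thread's questions: because the `.pp` is compiled at build time against the `selinux-policy-devel` headers, a policy rebuild is needed only when the base policy's interfaces change, not on every SELinux update; and because `semodule -i` persists the module in the store, the init-script workaround in the question is unnecessary. The `init_daemon_domain` pattern assumes the app is started by init; an app launched by users needs a different transition pattern.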
