SELinux configuration is provided by the selinux-policy-targeted package, which contains the default policy configuration for the distribution, including SELinux configuration for tomcat.

I could find two old Fedora packaging drafts describing SELinux configuration in RPM packaging.

PackagingDrafts/SELinux suggests including the file labeling configuration in the %post and %postun sections of the spec file by executing semanage fcontext -a and semanage fcontext -d respectively and running restorecon/fixfiles afterwards.

It is useful to note, as pointed out by Graham Legett, that using semanage in the %pre or %post sections of the spec will add the complete python stack along with policycoreutils-python as an install-time dependency. Using restorecon will add policycoreutils, which in turn brings in sed, gawk and grep, as install-time dependencies.

A better way to provide the required file labeling rules would be an SELinux policy module. Policy modules provide a clearer interface to manage modular policy (labeling rules are not mixed with local modifications done with semanage).

For your policy module with file labeling rules, you need to provide a type enforcement file and a file context labeling file. The type enforcement file is required even if you do not add any modifications to the policy. An example dummy type enforcement file mymodule.te:

policy_module(mymodule, 1.0)

The file labeling rules are in mymodule.fc and follow the same syntax:

/path/to/file -- gen_context(system_u:object_r:type_t,s0)

With selinux-policy-devel, the module package can be compiled with[note 1]:

make -f /usr/share/selinux/devel/Makefile

Regarding packaging policy modules, the SELinux Policy Modules Packaging Draft similarly recommends using the %post and %postun sections of the spec file to install the policy using semodule and restorecon/fixfiles. An example spec file is also provided.

[note 1] The example policy module could be generated without selinux-policy-devel by using checkmodule and semodule_package directly. It would require the policy files to be written without macros.
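As an added illustration (not the draft's own spec file, and not part of the post above), the following spec ties the pieces together: a dummy .te, an .fc with one labeling rule, a build against the selinux-policy-devel Makefile, and scriptlets that load and remove the module with semodule instead of calling semanage. The package name, the /opt/myapp path and the use of the existing bin_t type are constructed for the example.

```spec
Name:           myapp-selinux
Version:        1.0
Release:        1%{?dist}
Summary:        SELinux policy module with file labeling rules for myapp
License:        GPLv2+
BuildArch:      noarch
BuildRequires:  selinux-policy-devel
Requires:       selinux-policy-targeted
# semodule, load_policy and restorecon live in policycoreutils;
# selinuxenabled lives in libselinux-utils.
Requires(post):   policycoreutils libselinux-utils
Requires(postun): policycoreutils libselinux-utils

%description
Ships myapp.pp, built from a dummy type enforcement file and a file
context file, so that labeling rules are managed as a policy module.

%prep
%setup -q -c -T
# Dummy type enforcement file: only the module header, no new rules.
cat > myapp.te <<'EOF'
policy_module(myapp, 1.0)
EOF
# File context rules; /opt/myapp is a constructed example path.
cat > myapp.fc <<'EOF'
/opt/myapp/bin(/.*)?    gen_context(system_u:object_r:bin_t,s0)
EOF

%build
make -f /usr/share/selinux/devel/Makefile myapp.pp

%install
install -D -m 0644 myapp.pp %{buildroot}%{_datadir}/selinux/packages/myapp.pp

%post
# -n installs the module without reloading; reload only if SELinux is on.
semodule -n -i %{_datadir}/selinux/packages/myapp.pp
if /usr/sbin/selinuxenabled; then
    /usr/sbin/load_policy
    restorecon -R /opt/myapp 2>/dev/null || :
fi

%postun
# $1 is 0 on final removal and 1 on upgrade; only remove on final removal.
if [ $1 -eq 0 ]; then
    semodule -n -r myapp
    if /usr/sbin/selinuxenabled; then
        /usr/sbin/load_policy
        restorecon -R /opt/myapp 2>/dev/null || :
    fi
fi

%files
%{_datadir}/selinux/packages/myapp.pp
```

The .fc rule relabels files already present under /opt/myapp on install and restores the default context on removal; a type declared in the .te would be needed only if the module had to introduce new domains or types.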
Best Answer

The Fedora Packaging Guidelines have a draft document explaining how to handle SELinux in packages, and they use semanage. Without semanage, it looks like supporting RHEL 4 is going to be a hack, and there's no way around that. According to the rpm 4.9.0 release notes, there has been some support directly in rpm for managing SELinux policies, but it has historically been broken:

I see no mention of file contexts there, and I haven't been able to find any mention of direct file context support (like %attr in the %files section). In any case, it looks like RHEL 6 is only on rpm 4.8.0, so (unless I've missed something) the semanage route is as good as we're going to be able to do at least until RHEL 7.