Compiling RPM – Proper Way to Set SELinux Context in an RPM .spec

compilingrpmselinux

I am trying to build an RPM that targets RHEL4 and 5. Right now I call chcon from %post but multiple Google entries say "that's not how you are supposed to do it" with very limited help on the right way. I've also noticed that fixfiles -R mypackage check says the files are wrong when they are right (as expected; the RPM DB doesn't realize what I want)..

I specifically say RHEL4 because it does not have semanage which seems to be one of the proper ways to do it. (Add a new policy and then run restorecon on your directories in %post.)
- I also don't need my own context, just httpd_cache_t on a non-standard directory.
I have also seen "let cpio take care of it" – but then I have a new problem that a non-root RPM building user cannot run chcon on the build directories. I cheated and had sudo in the spec file but that didn't seem to matter anyway.

Best Answer

The Fedora Packaging Guidelines have a draft document explaining how to handle SELinux in packages, and they use semanage. Without semanage, it looks like supporting RHEL 4 is going to be a hack, and there's no way around that.

According to the rpm 4.9.0 release notes, there has been some support directly in rpm for managing SELinux policies, but it has historically been broken:

Older versions of RPM supported a %policy directive in spec for attaching SELinux policies into the package header, but this was never really usable for anything. Any uses of the %policy directive in specs should be removed as this unused directive prevents building with RPM 4.9.0 and later, while not doing anything for older versions.

Starting with RPM 4.9.0, SELinux policy packaging is supported via new %sepolicy section in the spec. Such packages cannot be built, but are installable on older RPM versions too (but the included policies will not be used in any way).

I see no mention of file contexts there, and I haven't been able to find any mention of direct file context support (like %attr in the %files section). In any case, it looks like RHEL 6 is only on rpm 4.8.0, so (unless I've missed something) the semanage route is as good as we're going to be able to do at least until RHEL 7.

Related Solutions

Linux – the proper way to set SELinux context in an RPM .spec? (RHEL7 in 2018)

SELinux configuration is provided by selinux-policy-targeted package, which contains the default policy configuration for the distribution, including SELinux configuration for tomcat.

I could find two old Fedora packaging drafts describing SELinux configuration in RPM packaging.

PackagingDrafts/SELinux suggests including the file labeling configuration in %post and %postun sections of the spec file by executing semanage fcontext -a and semanage fcontext -d respectively and running restorecon/fixfiles afterwards.

It is useful to note, as pointed out by Graham Legett, that using semanage in %pre or %post sections of spec will add the complete python stack along with policycoreutils-python as install time dependency. Using restorecon will add policycoreutils, which in turn brings in sed, gawk and grep, as install time dependencies.

A better way to provide the required file labeling rules would be by a SELinux policy module. Policy modules provide clearer interface to manage modular policy (labeling rules are not mixed with local modifications done with semanage).

For your policy module with file labeling rules, you need to provide type enforcement file and file context labeling file. Type enforcement file is required even if you do not add any modifications to the policy. An example dummy type enforcement file mymodule.te:

policy_module(mymodule, 1.0)

The file labeling rules are in mymodule.fc and follow same :

/path/to/file   --  gen_context(system_u:object_r:type_t,s0)

With selinux-policy-devel, the module package can be compiled with^{^{[note 1]}}:

make -f /usr/share/selinux/devel/Makefile

Regarding packaging policy modules, SELinux Policy Modules Packaging Draft similarly recommends using the %post and %postun sections of the spec file to install the policy using semodule and restorecon/fixfiles. An example spec file is also provided.

^{^{[note 1]} The example policy module could be generated without selinux-policy-devel by using checkmodule and semodule_package directly. It would require the policy files to be written without macros.}

Best Answer

Related Solutions

Linux – the proper way to set SELinux context in an RPM .spec? (RHEL7 in 2018)

Related Question