RPM

From SELinux Wiki

Revision as of 16:56, 22 October 2009


Introduction

This is the project page for the integration of SELinux policy into RPM 4. Specifically, the project is focused on adding infrastructure to RPM to install and manage SELinux policies, reducing the use of the error-prone scriptlets that have been used up to now to install policy from RPMs.

Getting the Code

First clone the upstream RPM git repo. Instructions are available on the RPM get source page.

The current patch set XXX CURRENT PATCH SET LINKS XXX

Apply the patches to the RPM repo.

Building and installing the code

  1. ./autogen.sh --noconfigure
  2. ./configure CPPFLAGS="-I/usr/include/nspr4 -I/usr/include/nss3 -I/usr/include/db4" --with-external-db --prefix=/usr --sysconfdir=/etc --localstatedir=/var --sharedstatedir=/var/lib --with-lua --with-selinux
  3. make
  4. make install

Adding a policy to an RPM

You'll want a source module with the .te, .if and .fc files. You can get one from the Reference Policy or use the one in the repo at rpm/tests/data/SOURCES/poltest-policy-1.0.tar.bz2

Add a Source line to your RPM:

Source1: poltest-policy-%{version}.tar.bz2

Build the policy during %build:

make -f /usr/share/selinux/devel/Makefile -C poltest-policy-%{version}

and specify the policy options using a %policy block:

%policy
%module poltest-policy-%{version}/foo.pp
        Name: foo


The Name field is optional; if omitted, the basename of the module file minus its extension is used as the name. It is recommended that you use the Name field, and it must match the name of the module specified in the policy.

Installing an RPM with a policy

Installing an RPM will also install its policy.

# rpm -i <rpm>

Verifying the policy is installed

# semodule -l | grep foo
foo    1.0.0

Specifying policy type

If your policy only works with a specific policy type (e.g., targeted, mls) you can specify that with Types:

%policy
%module poltest-policy-%{version}/foo.pp
        Name: foo
        Type: mls targeted

This will only install the module if the current active policy type is "mls" or "targeted" (you can check by looking at the SELINUXTYPE variable in /etc/selinux/config).

If Type is omitted the policy will install on whatever the current policy type is.
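The two checks above (does the module's Type list cover the active SELINUXTYPE, and does semodule -l show the module afterwards) as an added shell example; it is not from the SELinux Wiki page or the RPM project, and it runs on constructed samples of /etc/selinux/config and semodule -l output rather than a live host.

```shell
#!/bin/sh
# Added example (not from the SELinux Wiki page): model the install decision
# the page describes for a %policy module and verify the result with the
# same check the page uses (`semodule -l`). Inputs are constructed samples.

# Constructed sample of /etc/selinux/config.
SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
SELINUXTYPE=targeted'

# Constructed sample of `semodule -l` output after the install (name, version).
SAMPLE_SEMODULE_LIST='apache  2.1.0
foo     1.0.0'

# Print the active policy type: the last uncommented SELINUXTYPE= line on stdin.
selinux_type() {
    sed -n 's/^[[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' | tail -n 1
}

# Exit 0 if a module whose Type list is "$2" installs when the active type
# is "$1"; an empty list (field omitted) installs on any type.
policy_applies() {
    active=$1; types=$2
    [ -z "$types" ] && return 0
    for t in $types; do
        [ "$t" = "$active" ] && return 0
    done
    return 1
}

# Exit 0 if module "$1" is listed in the `semodule -l` output given on stdin.
module_installed() {
    awk -v name="$1" '$1 == name { found = 1 } END { exit found ? 0 : 1 }'
}

# Stand-alone run: module foo with "Type: mls targeted" on the sample host.
active=$(printf '%s\n' "$SAMPLE_CONFIG" | selinux_type)
echo "active policy type: $active"
if policy_applies "$active" "mls targeted"; then
    echo "foo would be installed on this host"
else
    echo "foo would be skipped: SELINUXTYPE=$active is not in 'mls targeted'"
fi
printf '%s\n' "$SAMPLE_SEMODULE_LIST" | module_installed foo && echo "foo is installed"
```

On a real host, replace the two samples with `selinux_type < /etc/selinux/config` and `semodule -l | module_installed foo`.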

Obsoleting a policy module

To obsolete a module you specify which modules are obsoleted with Obsoletes:

%policy
%module poltest-policy-%{version}/foo.pp
        Name: foo
        Obsoletes: baz

This will remove the baz module at the same time as installing the foo module.

Multiple modules

You can specify as many modules as necessary in the %policy block.

%policy
%module poltest-policy-%{version}/foo.pp
        Name: foo
        Types: default
%module poltest-policy-%{version}/bar.pp
        Name: bar
        Types: mls targeted

PolicyRequires

You can specify a dependency that is used only when policy is being installed with PolicyRequires:

PolicyRequires: policycoreutils

PolicyRequires is part of the rpm preamble and has the same syntax as the Requires tag.

nopolicy and root

If you specify the --nopolicy flag when running RPM, the policy will not get installed. Additionally, if you are installing RPMs into a chroot with --root, the policies will be installed in the chroot but the policy _will not_ be reloaded.
