[SELinux] [packaging] enabling boolean during package installation #42

Closed
mbukatov opened this issue Dec 15, 2016 · 4 comments
@mbukatov
Contributor

The README file which describes the installation process right now states that during installation a particular SELinux boolean needs to be enabled:

```
# setsebool -P httpd_can_network_connect 1
```

Since the httpd integration is located in a dedicated rpm package:

```
# rpm -qlp tendrl-api-httpd-0.0.1-1.el7.centos.noarch.rpm
/etc/httpd/conf.d/tendrl.conf
```

There is a question whether such a configuration tweak should be done during installation of the package and what should happen during package removal.

Right now, the package contains the following scriptlet:

```
# rpm -q --scripts -p tendrl-api-httpd-0.0.1-1.el7.centos.noarch.rpm
postinstall scriptlet (using /bin/sh):
setsebool -P httpd_can_network_connect 1
```

Since I was not able to find quick guidance in the Fedora SELinux guide, I created this issue to discuss what the correct behavior is in this particular case.

mbukatov added a commit to usmqe/usmqe-setup that referenced this issue Dec 15, 2016
@mbukatov
Contributor Author

I asked SELinux people to provide guidance here.

@mbukatov mbukatov changed the title [SELinux] enabling boolean during package installation [SELinux] [packaging] enabling boolean during package installation Dec 15, 2016
@wrabcak

wrabcak commented Dec 19, 2016

Martin,
This is a really good question. As you said, we don't have any guidance yet. There are two ways to handle it.
First one: If the value of some boolean is changed in the %post install phase of a package, there should also be a change in the %postun phase where it is reverted. But it has one problem: if the boolean was turned on before installing the package, the %postun phase will turn it off. This can cause some trouble, and the system administrator has to turn it on again.
Second one: The boolean will be set in the %post install phase, but there will be no revert in the %postun phase. We avoid the troubles caused by the first solution, but it can decrease system security from the SELinux POV.

I agree with the first solution due to the more secure system, but it should be documented that some boolean value can be changed after package uninstall.

Thanks,
Lukas.
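
The problem with the first option described above (a boolean that was already on before installation gets turned off by %postun) can be avoided by recording the previous value in %post. The following is an added example, not code from this thread or from the tendrl-api-httpd package; the state file path and the function names are assumptions.

```shell
#!/bin/sh
# Added example: state-preserving %post / %postun logic for one SELinux boolean.
BOOL=httpd_can_network_connect
# Hypothetical state file location (assumption, not a path from the package).
STATE_FILE="${STATE_FILE:-/var/lib/rpm-state/example-httpd/$BOOL.prev}"

# Print "on" or "off" for the boolean; getsebool prints "<name> --> on|off".
current_value() {
    getsebool "$BOOL" | awk '{ print $3 }'
}

# %post body. $1 is RPM's instance count: 1 = first install, 2+ = upgrade.
post_install() {
    if [ "$1" -eq 1 ]; then
        # Record the administrator's setting before touching it.
        mkdir -p "$(dirname "$STATE_FILE")"
        current_value > "$STATE_FILE"
    fi
    setsebool -P "$BOOL" 1
}

# %postun body. $1 is 0 on final removal, 1+ when an upgrade follows.
post_uninstall() {
    [ "$1" -eq 0 ] || return 0          # upgrade: leave the boolean alone
    [ -f "$STATE_FILE" ] || return 0    # no record: do not guess, leave as is
    prev=$(cat "$STATE_FILE")
    rm -f "$STATE_FILE"
    # Revert only if this package was what turned the boolean on.
    if [ "$prev" = "off" ]; then
        setsebool -P "$BOOL" 0
    fi
}
```

In a spec file the scriptlets would call `post_install "$1"` and `post_uninstall "$1"`. The revert still switches the boolean off if something else started depending on it after this package was installed, so the behavior needs documenting either way.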

@mbukatov
Contributor Author

@wrabcak We were talking about a new feature proposal to address the issue of handling booleans during package removal some time ago, but I can't find the documentation for it now. Could you find me a link to it?

@wrabcak

wrabcak commented Jun 21, 2017

@r0h4n r0h4n closed this as completed Jul 21, 2017