Cobbler's final selinux strategy is thus:
-- do restorecon after copies if SELinux is enabled
Install a few rules in RPM %post and remove them in %postuninstall
# add selinux rules
if [ -x /usr/sbin/semanage ]; then
    /usr/sbin/selinuxenabled
    if [ "$?" -eq "0" ]; then
        echo "selinux is enabled"
        # "|| /bin/true" keeps the scriptlet from failing if semanage errors
        /usr/sbin/semanage fcontext -a -t public_content_t "/var/www/cobbler/images/.*" >/dev/null 2>&1 || /bin/true
        /usr/sbin/semanage fcontext -a -t public_content_t "/var/lib/tftpboot/images/.*" >/dev/null 2>&1 || /bin/true
        /usr/sbin/semanage fcontext -a -t public_content_t "/tftpboot/images/.*" >/dev/null 2>&1 || /bin/true
    fi
fi

# remove selinux rules
if [ -x /usr/sbin/semanage ]; then
    /usr/sbin/selinuxenabled
    if [ "$?" -eq "0" ]; then
        /usr/sbin/semanage fcontext -d "/var/www/cobbler/images/.*" 1>/dev/null 2>&1 || /bin/true
        /usr/sbin/semanage fcontext -d "/var/lib/tftpboot/images/.*" 1>/dev/null 2>&1 || /bin/true
        /usr/sbin/semanage fcontext -d "/tftpboot/images/.*" 1>/dev/null 2>&1 || /bin/true
    fi
fi
Comments welcome -- this seems to work for me. I sometimes see semanage
transaction locks on the removal parts but the RPM is coded to install
fine regardless, so it seems ok. This locking may only happen on my
machine.
If selinux is off in your case it will skip these parts altogether.
--Michael
_______________________________________________
cobbler mailing list
[email protected]
https://fedorahosted.org/mailman/listinfo/cobbler
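
The first point of the strategy above (restorecon after copies when SELinux is enabled), sketched as an added example that is not part of the original message and not Cobbler's own code. The function names, the overridable command variables and the restorecon path are assumptions.

```sh
#!/bin/sh
# Added example, not Cobbler's code: copy a file, then relabel it only when
# SELinux is enabled. The command locations are overridable (an assumption
# of this sketch) so the logic can be exercised on hosts without SELinux.
SELINUXENABLED="${SELINUXENABLED:-/usr/sbin/selinuxenabled}"
RESTORECON="${RESTORECON:-/sbin/restorecon}"

# selinux_active: succeed only if the selinuxenabled helper exists and
# reports that SELinux is enabled. A missing helper counts as "disabled".
selinux_active() {
    command -v "$SELINUXENABLED" >/dev/null 2>&1 || return 1
    "$SELINUXENABLED"
}

# copy_and_relabel SRC DST
# Copies SRC to DST, then runs restorecon on DST so the file picks up the
# type assigned by the fcontext rules (public_content_t for the images
# directories) instead of keeping whatever label the copy gave it.
# Returns 0 on success, 1 if the copy failed, 2 if relabeling failed.
copy_and_relabel() {
    src=$1
    dst=$2
    cp -- "$src" "$dst" || return 1
    if selinux_active; then
        "$RESTORECON" "$dst" >/dev/null 2>&1 || return 2
    fi
    return 0
}
```

Unlike the RPM scriptlets, which swallow semanage errors with `|| /bin/true`, this sketch reports a failed relabel to the caller, since a file left with the wrong type may be unreadable by the services that serve it.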