Michael DeHaan wrote:
> Michael DeHaan wrote:
>
>> Cobbler's final selinux strategy is thus:
>>
>> -- do restorecon after copies if SELinux is enabled
>>
>> Install a few rules in RPM %post and remove them in %postuninstall
>>
>> # add selinux rules
>> if [ -x /usr/sbin/semanage ]; then
>>     /usr/sbin/selinuxenabled
>>     if [ "$?" -eq "0" ]; then
>>         echo "selinux is enabled"
>>         /usr/sbin/semanage fcontext -a -t public_content_t "/var/www/cobbler/images/.*" >/dev/null 2>&1 || /bin/true
>>         /usr/sbin/semanage fcontext -a -t public_content_t "/var/lib/tftpboot/images/.*" >/dev/null 2>&1 || /bin/true
>>         /usr/sbin/semanage fcontext -a -t public_content_t "/tftpboot/images/.*" >/dev/null 2>&1 || /bin/true
>>     fi
>> fi
>>
>> # remove selinux rules
>> if [ -x /usr/sbin/semanage ]; then
>>     /usr/sbin/selinuxenabled
>>     if [ "$?" -eq "0" ]; then
>>         /usr/sbin/semanage fcontext -d "/var/www/cobbler/images/.*" 1>/dev/null 2>&1 || /bin/true
>>         /usr/sbin/semanage fcontext -d "/var/lib/tftpboot/images/.*" 1>/dev/null 2>&1 || /bin/true
>>         /usr/sbin/semanage fcontext -d "/tftpboot/images/.*" 1>/dev/null 2>&1 || /bin/true
>>     fi
>> fi
>>
>> Comments welcome -- this seems to work for me. I sometimes see semanage
>> transaction locks on the removal parts but the RPM is coded to install
>> fine regardless, so it seems ok. This locking may only happen on my
>> machine.
>>
>> If selinux is off in your case it will skip these parts altogether.
>>
>> --Michael
>>
>> _______________________________________________
>> cobbler mailing list
>> [email protected]
>> https://fedorahosted.org/mailman/listinfo/cobbler
>
> It seems that calling these in RPM might not be a good idea, so for now,
> we've documented them instead.
>
> This is covered in: https://fedorahosted.org/cobbler/wiki/LockDown
>
> --Michael

For the 1.4.1 release, when it occurs, we'll have cobbler check look for these
rules if they don't exist. This won't make 1.4.0 but we have a ticket open for
it. So, until then, see the above Wiki page...

--Michael
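The thread ends with a plan to have "cobbler check" look for the file-context rules instead of installing them from RPM scriptlets. The script below is an added example of what such a check can look like; it is not Cobbler's own code and not the check that shipped in any release. It assumes the rule set from the thread (the three image directories, all labelled public_content_t) and the column layout of "semanage fcontext -l" (path regex first, security context last). The function names missing_fcontexts, repair_commands, check_live and demo, and the sample listing, are constructed for this example; the sample listing is not real semanage output.

```shell
#!/bin/sh
# Added example (not Cobbler's own code): a "cobbler check"-style test for the
# SELinux file-context rules that the thread's %post scriptlet installs.
# Assumed rule set: the three image paths from the thread, type public_content_t.

EXPECTED_TYPE=public_content_t
EXPECTED_PATHS='/var/www/cobbler/images/.*
/var/lib/tftpboot/images/.*
/tftpboot/images/.*'

# Read a "semanage fcontext -l" listing on stdin and print, one per line, each
# expected path regex that has no rule mapping it to EXPECTED_TYPE.
# Exit status: 0 when every rule is present, 1 when at least one is missing.
missing_fcontexts() {
    listing=$(cat)
    status=0
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        # Field 1 is the path regex, the last field the context. The type is
        # matched inside the context, so a rule with the wrong type counts as
        # missing rather than as present.
        if ! printf '%s\n' "$listing" | awk -v p="$path" -v t="$EXPECTED_TYPE" \
            '$1 == p && index($NF, ":" t ":") > 0 { found = 1 }
             END { if (found) exit 0; exit 1 }'
        then
            printf '%s\n' "$path"
            status=1
        fi
    done <<EOF
$EXPECTED_PATHS
EOF
    return "$status"
}

# Read missing paths on stdin (the output of missing_fcontexts) and print the
# repair: the semanage call from the thread's %post, followed by the restorecon
# the thread runs so that files already copied pick up the new label.
repair_commands() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        dir=${path%/.\*}    # drop the trailing /.* to get the directory itself
        printf 'semanage fcontext -a -t %s "%s"\n' "$EXPECTED_TYPE" "$path"
        printf 'restorecon -R %s\n' "$dir"
    done
}

# Run against the live policy, using the same guards as the thread's scriptlets:
# skip (status 2) when semanage is absent or SELinux is disabled.
check_live() {
    if [ -x /usr/sbin/semanage ] && /usr/sbin/selinuxenabled 2>/dev/null; then
        /usr/sbin/semanage fcontext -l | missing_fcontexts
    else
        echo "skipped: semanage not present or SELinux disabled" >&2
        return 2
    fi
}

# Constructed sample listing (not real semanage output): the /var/www rule is
# correct, the /tftpboot rule carries the wrong type, and the /var/lib/tftpboot
# rule is absent altogether.
SAMPLE_LISTING='SELinux fcontext                type        Context
/var/www/cobbler/images/.*      all files   system_u:object_r:public_content_t:s0
/tftpboot/images/.*             all files   system_u:object_r:httpd_sys_content_t:s0'

# Offline demonstration: reports the two paths that need a rule.
demo() {
    printf '%s\n' "$SAMPLE_LISTING" | missing_fcontexts
}

demo | repair_commands
```

Against the sample listing, demo prints /var/lib/tftpboot/images/.* and /tftpboot/images/.* and exits 1; piping that into repair_commands yields the semanage and restorecon lines for those two directories only. On a real host, check_live does the same against the live policy and, like the scriptlets in the thread, does nothing when SELinux is off.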
