Michael DeHaan wrote:
> Cobbler's final selinux strategy is thus:
>
> -- do restorecon after copies if SELinux is enabled
>
> Install a few rules in RPM %post and remove them in %postuninstall
>
> # add selinux rules
> if [ -x /usr/sbin/semanage ]; then
>     /usr/sbin/selinuxenabled
>     if [ "$?" -eq "0" ]; then
>         echo "selinux is enabled"
>         # stderr is merged with 2>&1 (the original "&2>1" backgrounds the
>         # command and creates a file named "1" in the working directory)
>         /usr/sbin/semanage fcontext -a -t public_content_t "/var/www/cobbler/images/.*" >/dev/null 2>&1 || /bin/true
>         /usr/sbin/semanage fcontext -a -t public_content_t "/var/lib/tftpboot/images/.*" >/dev/null 2>&1 || /bin/true
>         /usr/sbin/semanage fcontext -a -t public_content_t "/tftpboot/images/.*" >/dev/null 2>&1 || /bin/true
>     fi
> fi
>
> # remove selinux rules
> if [ -x /usr/sbin/semanage ]; then
>     /usr/sbin/selinuxenabled
>     if [ "$?" -eq "0" ]; then
>         /usr/sbin/semanage fcontext -d "/var/www/cobbler/images/.*" 1>/dev/null 2>&1 || /bin/true
>         /usr/sbin/semanage fcontext -d "/var/lib/tftpboot/images/.*" 1>/dev/null 2>&1 || /bin/true
>         /usr/sbin/semanage fcontext -d "/tftpboot/images/.*" 1>/dev/null 2>&1 || /bin/true
>     fi
> fi
>
> Comments welcome -- this seems to work for me. I sometimes see semanage
> transaction locks on the removal parts but the RPM is coded to install
> fine regardless, so it seems ok. This locking may only happen on my
> machine.
>
> If selinux is off in your case it will skip these parts altogether.
>
> --Michael
>
> _______________________________________________
> cobbler mailing list
> [email protected]
> https://fedorahosted.org/mailman/listinfo/cobbler
It seems that calling these in RPM might not be a good idea, so for now, we've documented them instead. This is covered in: https://fedorahosted.org/cobbler/wiki/LockDown

--Michael
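Since the rules are now applied by hand rather than from the RPM, an idempotent version of the quoted %post snippet is useful: it adds only the fcontext rules that are actually missing and then runs the restorecon the strategy calls for. This is an added example, not code from the thread or from Cobbler; it assumes the "semanage fcontext -l" listing layout "<regexp> <file type> <context>" and the three image directories named above.

```shell
#!/bin/sh
# Added example (not from the thread or from Cobbler): report which of the
# three Cobbler fcontext rules are missing, add only those, then relabel.

COBBLER_IMAGE_DIRS="/var/www/cobbler/images /var/lib/tftpboot/images /tftpboot/images"
COBBLER_FCONTEXT_TYPE="public_content_t"

# Read a "semanage fcontext -l" listing on stdin; print each image-directory
# pattern that has no rule labelling it with $COBBLER_FCONTEXT_TYPE.
missing_fcontext_rules() {
    listing=$(cat)
    for dir in $COBBLER_IMAGE_DIRS; do
        pattern="$dir/.*"
        # Field 1 is the regexp, the last field the context. Require an exact
        # pattern and the expected type, so a rule carrying a different type
        # (e.g. left over from an older policy) is reported as missing.
        if ! printf '%s\n' "$listing" | awk -v p="$pattern" -v t="$COBBLER_FCONTEXT_TYPE" \
            '$1 == p && $NF ~ (":" t ":") { found = 1 } END { exit (found ? 0 : 1) }'; then
            echo "$pattern"
        fi
    done
}

# Idempotent equivalent of the %post snippet: skip cleanly when SELinux is
# off, add only missing rules (stderr merged with 2>&1), then restorecon the
# trees so files copied earlier pick up the new label.
ensure_cobbler_fcontext() {
    [ -x /usr/sbin/semanage ] || return 0
    /usr/sbin/selinuxenabled 2>/dev/null || return 0
    for pattern in $(/usr/sbin/semanage fcontext -l 2>/dev/null | missing_fcontext_rules); do
        /usr/sbin/semanage fcontext -a -t "$COBBLER_FCONTEXT_TYPE" "$pattern" >/dev/null 2>&1 || true
    done
    for dir in $COBBLER_IMAGE_DIRS; do
        [ -d "$dir" ] && /sbin/restorecon -R "$dir" >/dev/null 2>&1
    done
    return 0
}

# Constructed sample listing for an offline run: one rule correct, one with
# the wrong type, one absent. "--demo" prints the two missing patterns.
sample_listing() {
    cat <<'EOF'
SELinux fcontext                        type       Context
/var/www/cobbler/images/.*              all files  system_u:object_r:public_content_t:s0
/tftpboot/images/.*                     all files  system_u:object_r:httpd_sys_content_t:s0
EOF
}

if [ "${1:-}" = "--demo" ]; then sample_listing | missing_fcontext_rules; fi
```

On a real host, run `ensure_cobbler_fcontext` as root after the image directories exist; a later `semanage fcontext -l | missing_fcontext_rules` printing nothing confirms all three rules are in place.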
