On Wed, Feb 5, 2014 at 11:24 AM, Richard Shaw <hobbes1...@gmail.com> wrote:
> Are there official guidelines on how to handle selinux contexts in
> packaging? I can still only find the draft which seems way more complicated
> than necessary for my needs.
>
> I'm working on a package that uses mongodb internally (runs its own
> instance). Selinux is complaining because it has mongodb creating the
> database (and logs) outside of the normal locations.
>
> I think I can fix this with a "chcon -t mongod_var_lib_t
> %{_sharedstatedir}/db/location" and "chcon -t mongod_log_t /log/path" or
> something like that.
>
> Is it a good idea to do this in %post?

No.  For one thing, the next relabel will blow it away.

That being said, you can sometimes "fix"* this kind of issue by using
something like runcon or setpriv --selinux-label to invoke the binary
that selinux otherwise wants to label in an unfortunate way.

* If pressed, I will actually defend this practice.  Just because
you're running the mongodb binary does *not* mean that you're running
something that, from a MAC perspective, should be treated as the
system mongodb daemon.  I use a similar trick to get private mysql
instances to work right on apparmor systems.

--Andy
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
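Added example (not from the thread, and not Fedora packaging guidance): a hypothetical launcher script that shows the two durable alternatives to "chcon in %post" discussed above. The "label" half records file-context rules with semanage and then runs restorecon, so a later relabel re-applies them instead of undoing them; the "start" half is the runcon trick, starting mongod under an explicit type instead of letting the mongod_exec_t label on the binary pick the mongod_t domain. The directories /var/lib/myapp/db and /var/log/myapp, the type name myapp_t and the label/start subcommands are all placeholders; DRY_RUN=1 prints the commands instead of running them, which is also how the script can be exercised on a machine without SELinux.

```shell
#!/bin/sh
# Added example (not from the thread). Launcher/helper for a package-private
# mongod instance, showing two durable alternatives to "chcon in %post":
#   label)  record file-context rules with semanage, then restorecon; the
#           rules live in the policy store and are re-applied, not undone,
#           by the next relabel (restorecon / fixfiles / autorelabel).
#   start)  run the binary under an explicit type with runcon -t, so the exec
#           does not transition into the system mongod_t domain
#           (setpriv --selinux-label CONTEXT does the same with a full context).
# All paths and the type name myapp_t are placeholders (assumptions).
set -u

DB_DIR="${DB_DIR:-/var/lib/myapp/db}"   # assumption: private data dir
LOG_DIR="${LOG_DIR:-/var/log/myapp}"    # assumption: private log dir
MONGOD="${MONGOD:-/usr/bin/mongod}"
PRIVATE_TYPE="${PRIVATE_TYPE:-myapp_t}" # assumption: type from the package's own policy module
DRY_RUN="${DRY_RUN:-0}"                 # 1 = print the command line, do not run it

# run_or_print: print the command line in dry-run mode, otherwise run it.
run_or_print() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# selinux_enabled: succeeds only when SELinux is present and not disabled.
selinux_enabled() {
    command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled
}

# persist_file_contexts: the durable replacement for chcon in %post.
# The regex form is what semanage fcontext expects; restorecon then applies
# the new rules to whatever already exists under those directories.
persist_file_contexts() {
    run_or_print semanage fcontext -a -t mongod_var_lib_t "${DB_DIR}(/.*)?"
    run_or_print semanage fcontext -a -t mongod_log_t "${LOG_DIR}(/.*)?"
    run_or_print restorecon -R "$DB_DIR" "$LOG_DIR"
}

# start_private_mongod: run mongod under PRIVATE_TYPE instead of the domain the
# binary's file label would select. Remaining args go to mongod. Policy must
# allow the caller's domain to transition to PRIVATE_TYPE: runcon does not
# bypass MAC, it only selects a different permitted domain.
start_private_mongod() {
    run_or_print runcon -t "$PRIVATE_TYPE" "$MONGOD" "$@"
}

# start_mongod: without SELinux there is no label to choose, just run it.
start_mongod() {
    if selinux_enabled; then
        start_private_mongod "$@"
    else
        run_or_print "$MONGOD" "$@"
    fi
}

case "${1:-}" in
    label) persist_file_contexts ;;
    start) shift; start_mongod --dbpath "$DB_DIR" --logpath "$LOG_DIR/mongod.log" "$@" ;;
    "")    ;;   # no subcommand: only define the functions (e.g. when sourced)
    *)     echo "usage: $0 {label|start [mongod args]}" >&2; exit 2 ;;
esac
```

If the private instance is started by a systemd unit rather than a script, the "start" half collapses to SELinuxContext= in the unit's [Service] section, which has the same effect as runcon. Either way the caller's domain must be allowed to enter the target type, so this chooses between permitted domains rather than escaping enforcement; the semanage rules, by contrast, are a one-time change to the policy store and are what survives a full relabel.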
