Fedora Linux Support Community & Resources Center
#1  dcrdev, 17th June 2017, 02:59 PM
Forcing an SELinux domain

I'm in the process of packaging a gui for the snapper btrfs utility https://github.com/ricardomv/snapper-gui . I have largely managed to package it (https://github.com/DCRDevRepo/rpm-snapper-gui) but am running into a rather annoying problem with selinux. All snapshots created via snapper have the context snapperd_data_t , which only processes running under the snapperd_t domain can have fopen privileges on.

So in order to get this running I need the application to run under the snapperd_t domain, according to https://www.systutorials.com/docs/li...pperd_selinux/ I can set the context of a file to snapperd_exec_t as an entrypoint into that domain.

Trouble is it's not working:
Code:
[dominic@hell01-ws01 bin]$ ls -Z | grep snapper-gui
            system_u:object_r:snapperd_exec_t:s0 snapper-gui

[dominic@hell01-ws01 bin]$ ps -eZ | grep snapper-gui
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2572 ? 00:00:00 snapper-gui
Could someone advise?
#2  donatom, 17th June 2017, 04:23 PM
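An added example, not from the thread or the snapper-gui project: a small POSIX sh check that compares the `ls -Z` label of a binary with the `ps -eZ` context of the running process and says whether the transition the label implies actually happened. Labelling a file `<name>_exec_t` is necessary but not sufficient: the calling domain needs execute permission on that type, the target domain needs entrypoint permission on it, a `type_transition` rule (or an explicit `runcon`) must select the target domain, and the caller's role must be authorised for it. When any of those is missing the process just stays in the caller's domain, which is what the `unconfined_t` line in the post shows. The `<name>_exec_t` to `<name>_t` pairing is the refpolicy naming convention and is assumed here; the two sample lines are the ones quoted in the post.

```shell
#!/bin/sh
# Added example (not from the thread): did the exec actually change domain?
# Works from `ls -Z` / `ps -eZ` style lines; a live variant is below.

# Field N of an SELinux context user:role:type[:range]. The MLS range can
# itself contain ':' (s0-s0:c0.c1023), so count fields from the left only.
ctx_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# $1 = one `ls -Z` line, $2 = one `ps -eZ` line for the same program.
# Returns 0 when the process is in the domain the label implies, 1 when it
# is not, 2 when the file is not labelled as an entrypoint at all.
# Assumption: <name>_exec_t is the entrypoint of <name>_t (refpolicy naming);
# confirm the real pair with: sesearch -T -s <caller> -t <exec type> -c process
check_transition() {
    file_ctx=$(printf '%s\n' "$1" | awk '{print $1}')
    proc_ctx=$(printf '%s\n' "$2" | awk '{print $1}')
    exec_type=$(ctx_field "$file_ctx" 3)
    proc_type=$(ctx_field "$proc_ctx" 3)
    case "$exec_type" in
        *_exec_t) expected="${exec_type%_exec_t}_t" ;;
        *) echo "not an entrypoint label: $exec_type"; return 2 ;;
    esac
    if [ "$proc_type" = "$expected" ]; then
        echo "ok: process runs in $proc_type"
        return 0
    fi
    echo "no transition: $exec_type implies $expected but process is $proc_type (role $(ctx_field "$proc_ctx" 2))"
    return 1
}

# Live variant for an installed program. Needs a mounted SELinux fs and a
# running instance; returns 2 when either is absent.
live_check() {
    bin=$(command -v "$1") || { echo "$1 not in PATH"; return 2; }
    [ -r /sys/fs/selinux/enforce ] || { echo "SELinux not available here"; return 2; }
    ls_line=$(ls -Z "$bin")
    ps_line=$(ps -eZ | awk -v n="$1" '$NF == n { print; exit }')
    [ -n "$ps_line" ] || { echo "no running $1 process"; return 2; }
    check_transition "$ls_line" "$ps_line"
}

# The two lines quoted in the original post.
LS_LINE='system_u:object_r:snapperd_exec_t:s0 snapper-gui'
PS_LINE='unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2572 ? 00:00:00 snapper-gui'

if check_transition "$LS_LINE" "$PS_LINE"; then
    echo "label and domain agree"
else
    # Which requirement failed? Check the transition rule and the role:
    #   sesearch -T -s unconfined_t -t snapperd_exec_t -c process
    #   seinfo -r unconfined_r -x
    echo "no domain transition from unconfined_t via snapperd_exec_t"
fi
```

Run `live_check snapper-gui` on the box where the package is installed; a return of 1 with `process is unconfined_t` means the policy has no usable transition for your caller, and relabelling the file again will not change that.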
Re: Forcing an SELinux domain

You can disable selinux after installing firewalld or setting up iptables (which probably do a better job of securing your system anyway):
https://wiki.archlinux.org/index.php/iptables
or
https://wiki.archlinux.org/index.php...teful_firewall
or
Code:
  # dnf install firewalld
To disable selinux, open /etc/selinux/config with vim or similar. Replace "SELINUX=enforcing" with "SELINUX=disabled"
#3  dcrdev, 17th June 2017, 04:38 PM
Re: Forcing an SELinux domain

Quote:
Originally Posted by donatom
You can disable selinux after installing firewalld or setting up iptables (which probably do a better job of securing your system anyway):
https://wiki.archlinux.org/index.php/iptables
or
https://wiki.archlinux.org/index.php...teful_firewall
or
Code:
  # dnf install firewalld
To disable selinux, open /etc/selinux/config with vim or similar. Replace "SELINUX=enforcing" with "SELINUX=disabled"
  1. Not at all what I asked - I'm fully aware how to disable selinux
  2. I'm building an rpm package and therefore am not going to advise people to disable selinux
  3. Firewalld is in no shape or form a replacement for selinux - it's a software firewall not an access control system.
#4  dcrdev, 17th June 2017, 05:33 PM
Re: Forcing an SELinux domain

So it transpires that snapperd_t only runs within a defined type and role. I did manage to get the application to run under that domain eventually. Unfortunately it transpires that privileges in that domain are too restrictive for the application to run properly.

So I'm in a bit of a chicken/egg scenario - I could write a new policy module but that would undo some of the work done by the core policy configuration; which in terms of packaging is not something that I should be doing. I'd be interested to know how this sort of thing is usually handled in Fedora packaging; I've never really run into selinux problems when packaging before.

I think for now I'll include a disclaimer in the rpm description, stating that you need to run the snapperd_t domain in permissive mode via "semanage permissive -a snapperd_t" ; but to do so at your own risk.
#5  srakitnican, 17th June 2017, 08:35 PM
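An added example, not from the thread or the snapper-gui project, for the permissive-domain route described above: once `semanage permissive -a snapperd_t` is in place, every access snapperd_t lacks is still logged as an AVC denial but carries `permissive=1`, meaning it was granted anyway. The script below summarises such records per source domain and groups them into the allow rules that audit2allow would propose from the same input. The audit lines are constructed to match the audit.log AVC format and are not real logs from the poster's system.

```shell
#!/bin/sh
# Added example (not from the thread): summarise AVC records for a domain
# and show what allow rules they imply. Live use:
#   ausearch -m AVC -ts recent | avc_summary snapperd_t | allow_rules

# Constructed sample: three records a snapper GUI running in a permissive
# snapperd_t might produce, plus one enforced denial from another domain.
AVC_SAMPLE='type=AVC msg=audit(1497711600.101:201): avc:  denied  { read } for  pid=2572 comm="snapper-gui" name="info.xml" dev="dm-0" ino=4711 scontext=unconfined_u:unconfined_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:snapperd_data_t:s0 tclass=file permissive=1
type=AVC msg=audit(1497711600.102:202): avc:  denied  { open } for  pid=2572 comm="snapper-gui" path="/.snapshots/1/info.xml" dev="dm-0" ino=4711 scontext=unconfined_u:unconfined_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:snapperd_data_t:s0 tclass=file permissive=1
type=AVC msg=audit(1497711600.103:203): avc:  denied  { connectto } for  pid=2572 comm="snapper-gui" path="/tmp/.X11-unix/X0" scontext=unconfined_u:unconfined_r:snapperd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1497711600.104:204): avc:  denied  { write } for  pid=900 comm="httpd" name="index.html" dev="dm-0" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0'

# Read AVC records on stdin; print one line per distinct
# "<source type> <target type> <class> <permission> <granted-permissive|denied>"
# for the source domain given as $1. permissive=1 means the access went
# through, so each such line is a privilege the domain did not have before.
avc_summary() {
    awk -v dom="$1" '
        /^type=AVC / && / denied / {
            split($0, a, "[{}]"); n = split(a[2], perms, " ")   # perms inside { }
            s = t = c = p = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/)        { split(substr($i, 10), f, ":"); s = f[3] }
                else if ($i ~ /^tcontext=/)   { split(substr($i, 10), f, ":"); t = f[3] }
                else if ($i ~ /^tclass=/)     c = substr($i, 8)
                else if ($i ~ /^permissive=/) p = substr($i, 12)
            }
            if (s != dom) next
            for (i = 1; i <= n; i++) {
                key = s " " t " " c " " perms[i]
                if (!(key in seen)) { seen[key] = 1; order[++k] = key }
                if (p == "1") granted[key] = 1
            }
        }
        END {
            for (i = 1; i <= k; i++)
                print order[i], (granted[order[i]] ? "granted-permissive" : "denied")
        }'
}

# Group summary lines into allow rules by source/target/class, the same
# shape audit2allow emits. Review every rule before putting it in a module.
allow_rules() {
    awk '{
            key = $1 " " $2 ":" $3
            perms[key] = perms[key] (perms[key] ? " " : "") $4
            if (!(key in order)) { order[key] = ++n; idx[n] = key }
        }
        END { for (i = 1; i <= n; i++) print "allow " idx[i] " { " perms[idx[i]] " };" }'
}

summary=$(printf '%s\n' "$AVC_SAMPLE" | avc_summary snapperd_t)
printf '%s\n' "$summary"
printf '%s\n' "$summary" | allow_rules
```

The caveat is the one raised in the post: once snapperd_t is permissive, the denials recorded under it come from the GUI and from the real snapperd daemon alike, and any rule derived this way widens snapperd_t for both. That is why a separate domain for the GUI, rather than rules bolted onto snapperd_t, is the cleaner way to turn this output into a policy module.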
Re: Forcing an SELinux domain

It is handled in a way that tells its users to disable selinux.

But this is not acceptable if working towards including it in the main Fedora repositories. I think an SELinux module is the way to go, one that is upstreamed into snapper-gui and then built as a separate package. See how pipelight is packaged, for example.

Also, I skimmed over your spec file. You don't need echo in the %build macro; simply remove %build altogether and rpmbuild will not complain about an empty macro. Erasing %{buildroot} is not done nowadays; it is no longer necessary.