Re: Selinux and RPM packaging (trac)

Nicklas Norling said the following on 07/12/2005 15:18:
> Hi,
> 
> Been looking around for quite some time and have found very little about
> how one is
> supposed to create rpm packages with selinux content.
> 
> Specifically I'm trying to create a rpm package of trac
> http://projects.edgewall.com/trac/.
> The Wiki there suggests .fc and .te files for it
> http://projects.edgewall.com/trac/wiki/TracWithSeLinux.
> 
> How would you recommend I go about this project. Does selinux contain a
> system
> for plugging in .te and .fc files so contexts are recognized during the
> package install or
> should I submitt these files for inclusion in the normal policy packages
> and wait for it
> to hit the fans?
> 
> Do anyone have any pointers to best practis in these situations? What
> can the .spec file
> do in order to keep track of selinux permissions etc.

Nicklas,

One suggestion would be to ensure that the trac repositories are in
/var/www/trac/<project> so they inherit from the /var/www parent directory.

I've done this on FC4 and it's working OK for me.

One other thing that isn't listed on the trac wiki is that httpd is not
allowed to send mail by default (I've just posted about this). I've
since worked out how to fix it:

# To find out what policy is required to allow httpd to connect to
# the smtp port, pipe the error msg from the audit.log into audit2allow
audit2allow -i /var/log/audit/audit.log -l
# This produces the following output:
#   allow httpd_t smtp_port_t:tcp_socket name_connect;

# Add this new policy rule as a local policy:
vi /etc/selinux/targeted/src/policy/domains/misc/local.te
# add "allow httpd_t smtp_port_t:tcp_socket name_connect;"

# make and activate the policy
cd /etc/selinux/targeted/src/policy/
make load

Not sure if this should be part of the apache policy - it probably
should be a boolean.

R.