The existing logic used by the postinstall.sh scripts in the stable, dev packages is based on explicitly setting a very specific set of SELinux details. Those details were gathered by observation on a few test systems and may not apply to all systems where the RPM packages are installed. Currently those details are set explicitly using the chcon utility.
Instead, we should probably allow the SELinux values to be inherited from the parent directory where the plugins are installed by using the restorecon utility.
TODO
The changes I'm looking to make across projects currently generating packages:
Intended changes
```diff
diff --git a/packages/dev/scripts/rpm/postinstall.sh b/packages/dev/scripts/rpm/postinstall.sh
index 7d9a69e..3a87f53 100644
--- a/packages/dev/scripts/rpm/postinstall.sh
+++ b/packages/dev/scripts/rpm/postinstall.sh
@@ -32,12 +32,7 @@ if [ -f "${plugin_path}/${plugin_name}" ]; then
else
# SELinux is enabled. Set context.
echo -e "\nApplying SELinux contexts on ${plugin_path}/${plugin_name} ..."
- chcon \
- --verbose \
- -t nagios_unconfined_plugin_exec_t \
- -u system_u \
- -r object_r \
- ${plugin_path}/${plugin_name}
+ restorecon -v ${plugin_path}/${plugin_name}
if [ $? -eq 0 ]; then
echo "Successfully applied SELinux contexts on ${plugin_path}/${plugin_name}"
diff --git a/packages/stable/scripts/rpm/postinstall.sh b/packages/stable/scripts/rpm/postinstall.sh
index 9c2515f..607485f 100644
--- a/packages/stable/scripts/rpm/postinstall.sh
+++ b/packages/stable/scripts/rpm/postinstall.sh
@@ -32,12 +32,7 @@ if [ -f "${plugin_path}/${plugin_name}" ]; then
else
# SELinux is enabled. Set context.
echo -e "\nApplying SELinux contexts on ${plugin_path}/${plugin_name} ..."
- chcon \
- --verbose \
- -t nagios_unconfined_plugin_exec_t \
- -u system_u \
- -r object_r \
- ${plugin_path}/${plugin_name}
+ restorecon -v ${plugin_path}/${plugin_name}
if [ $? -eq 0 ]; then
echo "Successfully applied SELinux contexts on ${plugin_path}/${plugin_name}"
```
[x] atc0005/bounce
[x] atc0005/brick
[x] atc0005/bridge
[x] atc0005/check-cert
[x] atc0005/check-illiad
[x] atc0005/check-mail
[x] atc0005/check-ntpt
[x] atc0005/check-path
[x] atc0005/check-process
[x] atc0005/check-restart
[x] atc0005/check-rsat
[x] atc0005/check-ssh
[x] atc0005/check-statuspage
[x] atc0005/check-vmware
[x] atc0005/check-whois
[x] atc0005/dnsc
[x] atc0005/elbow
[x] atc0005/go-ci
[x] atc0005/go-lockss
[x] atc0005/mysql2sqlite
[x] atc0005/nagios-debug
[x] atc0005/query-meta
[x] atc0005/safelinks
[x] atc0005/send2teams
[x] atc0005/tsm-pass
References
Examples of prior/related work from the atc0005/check-cert project:
Overview
The existing logic used by the
postinstall.shscripts in the stable, dev packages is based on explicitly setting a very specific set of SELinux details. Those details were gathered by observation on a few test systems and may not apply to all systems where the RPM packages are installed. Currently those details are set explicitly using thechconutility.Instead, we should probably allow the SELinux values to be inherited from the parent directory where the plugins are installed by using the
restoreconutility.TODO
The changes I'm looking to make across projects currently generating packages:
Intended changes
```diff diff --git a/packages/dev/scripts/rpm/postinstall.sh b/packages/dev/scripts/rpm/postinstall.sh index 7d9a69e..3a87f53 100644 --- a/packages/dev/scripts/rpm/postinstall.sh +++ b/packages/dev/scripts/rpm/postinstall.sh @@ -32,12 +32,7 @@ if [ -f "${plugin_path}/${plugin_name}" ]; then else # SELinux is enabled. Set context. echo -e "\nApplying SELinux contexts on ${plugin_path}/${plugin_name} ..." - chcon \ - --verbose \ - -t nagios_unconfined_plugin_exec_t \ - -u system_u \ - -r object_r \ - ${plugin_path}/${plugin_name} + restorecon -v ${plugin_path}/${plugin_name} if [ $? -eq 0 ]; then echo "Successfully applied SELinux contexts on ${plugin_path}/${plugin_name}" diff --git a/packages/stable/scripts/rpm/postinstall.sh b/packages/stable/scripts/rpm/postinstall.sh index 9c2515f..607485f 100644 --- a/packages/stable/scripts/rpm/postinstall.sh +++ b/packages/stable/scripts/rpm/postinstall.sh @@ -32,12 +32,7 @@ if [ -f "${plugin_path}/${plugin_name}" ]; then else # SELinux is enabled. Set context. echo -e "\nApplying SELinux contexts on ${plugin_path}/${plugin_name} ..." - chcon \ - --verbose \ - -t nagios_unconfined_plugin_exec_t \ - -u system_u \ - -r object_r \ - ${plugin_path}/${plugin_name} + restorecon -v ${plugin_path}/${plugin_name} if [ $? -eq 0 ]; then echo "Successfully applied SELinux contexts on ${plugin_path}/${plugin_name}" ```References
Examples of prior/related work from the atc0005/check-cert project:
Example of intended changes:
Additional reading: