Red Hat Summit이 콘텐츠는 선택한 언어로 제공되지 않습니다.
3.15. Software Collection SELinux Support
Because Software Collections are designed to install the Software Collection packages in an alternate directory, set up the necessary SELinux labels so that SELinux is aware of the alternate directory.
If the file system hierarchy of your Software Collection package imitates the file system hierarchy of the corresponding conventional package, you can run the
semanage fcontext and restorecon commands to set up the SELinux labels.
For example, if the
/opt/provider/software_collection_1/root/usr/ directory in your Software Collection package imitates the /usr/ directory of your conventional package, set up the SELinux labels as follows:
semanage fcontext -a -e /usr /opt/provider/software_collection_1/root/usr
semanage fcontext -a -e /usr /opt/provider/software_collection_1/root/usrrestorecon -R -v /opt/provider/software_collection_1/root/usr
restorecon -R -v /opt/provider/software_collection_1/root/usr
The commands above ensure that all directories and files in the
/opt/provider/software_collection_1/root/usr/ directory are labeled by SELinux as if they were located in the /usr/ directory.
3.15.1. SELinux Support in Red Hat Enterprise Linux 7
링크 복사링크가 클립보드에 복사되었습니다!
When packaging a Software Collection for Red Hat Enterprise Linux 7, add the following commands to the
%post section in the Software Collection metapackage to set up the SELinux labels:
semanage fcontext -a -e /usr /opt/provider/software_collection_1/root/usr
semanage fcontext -a -e /usr /opt/provider/software_collection_1/root/usrrestorecon -R -v /opt/provider/software_collection_1/root/usr
restorecon -R -v /opt/provider/software_collection_1/root/usrselinuxenabled && load_policy || :
selinuxenabled && load_policy || :
The last command ensures that the newly created SELinux policy is properly loaded, and that the files installed by a package in the Software Collection are created with the correct SELinux context. By using this command in the metapackage, you do not need to include the
restorecon command in all packages in the Software Collection.
Note that the
semanage fcontext command is provided by the policycoreutils-python package, therefore it is important that you include policycoreutils-python in Requires for the Software Collection metapackage.
Note
The SELinux aspect of starting services has changed significantly in Red Hat Enterprise Linux 7. Most importantly, using the
scl enable ... wrapper in a systemd service file will cause the service to be run as an unconfined process using the unconfined_service_t context. As this context has no transition rules by design, the service will not be able to transition into the target SELinux context indicated by the SELinux policy, which means scl enable ... cannot be used on Red Hat Enterprise Linux 7 if the service being started is supposed to be confined using SELinux.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}