How to properly set up my domain's security contexts in the domain.fc file?
Jayson Hurst
swazup at hotmail.com
Fri Feb 14 01:30:05 UTC 2014
I have a file context installed as follows:
# semanage fcontext -l | grep vasd
/etc/rc.d/init.d/vasd regular file system_u:object_r:vasd_initrc_exec_t:s0
/opt/quest/sbin/vasd regular file system_u:object_r:vasd_exec_t:s0
/var/opt/quest(/.*)? all files system_u:object_r:vasd_var_t:s0
/var/opt/quest/vas/vasd(/.*)? all files system_u:object_r:vasd_var_auth_t:s0
/var/opt/quest/vas/vasd/.vasd.pid regular file system_u:object_r:vasd_var_run_t:s0
After a fresh install I see the following:
# ls -laZ /var/opt/quest/vas/vasd/
drwxr-xr-x. root root unconfined_u:object_r:vasd_var_t:s0 .
drwxr-xr-x. root root unconfined_u:object_r:vasd_var_t:s0 ..
-rw-r--r--. root root unconfined_u:object_r:vasd_var_t:s0 vas_ident.vdb
-rw-r--r--. root root unconfined_u:object_r:vasd_var_t:s0 vas_misc.vdb
Why are the files being created under /var/opt/quest/vas/vasd not being labelled correctly as vasd_var_auth_t as the fcontext states?
Is the software installer supposed to force a relabel on a post-install?
After a restart of the daemon I do not see the pid file being labelled correctly:
# /etc/init.d/vasd restart
Stopping vasd: vasd does not appear to be running.
Starting vasd: [ OK ]
# ls -laZ /var/opt/quest/vas/vasd/
drwxr-xr-x. daemon daemon unconfined_u:object_r:vasd_var_t:s0 .
drwxr-xr-x. root root unconfined_u:object_r:vasd_var_t:s0 ..
srwxrwxrwx. daemon daemon unconfined_u:object_r:vasd_var_t:s0 .vasd_19574
srwxrwxrwx. daemon daemon unconfined_u:object_r:vasd_var_t:s0 .vasd_19575
srwxrwxrwx. daemon daemon unconfined_u:object_r:vasd_var_t:s0 .vasd_19576
srwxrwxrwx. daemon daemon unconfined_u:object_r:vasd_var_t:s0 .vasd40_ipc_sock
-rw-r--r--. daemon daemon unconfined_u:object_r:vasd_var_t:s0 .vasd.pid
-rw-r--r--. daemon daemon unconfined_u:object_r:vasd_var_t:s0 vas_ident.vdb
-rw-r--r--. daemon daemon unconfined_u:object_r:vasd_var_t:s0 vas_misc.vdb
After forcing a relabel:
# restorecon -F -R /var/opt/quest/vas/vasd/
# ls -laZ /var/opt/quest/vas/vasd/
drwxr-xr-x. daemon daemon system_u:object_r:vasd_var_auth_t:s0 .
drwxr-xr-x. root root unconfined_u:object_r:vasd_var_t:s0 ..
srwxrwxrwx. daemon daemon system_u:object_r:vasd_var_auth_t:s0 .vasd_19574
srwxrwxrwx. daemon daemon system_u:object_r:vasd_var_auth_t:s0 .vasd_19575
srwxrwxrwx. daemon daemon system_u:object_r:vasd_var_auth_t:s0 .vasd_19576
srwxrwxrwx. daemon daemon system_u:object_r:vasd_var_auth_t:s0 .vasd40_ipc_sock
-rw-r--r--. daemon daemon system_u:object_r:vasd_var_auth_t:s0 .vasd.pid
-rw-r--r--. daemon daemon system_u:object_r:vasd_var_auth_t:s0 vas_ident.vdb
-rw-r--r--. daemon daemon system_u:object_r:vasd_var_auth_t:s0 vas_misc.vdb
I get the files and directory labelled correctly, but not the pid file. I can set a pid transition in the policy but then what is the point of setting a file context in the <domain>.fc for the pid file if it never gets picked up? Apparently I am missing something important here.
Does anyone know a place for good documentation on this subject?
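Added example, not part of this post or of the Quest software it discusses: a small Python simulation of the two places a file's label can come from, which is the distinction the question turns on. File-context specs (the `.fc` file, listed by `semanage fcontext -l`) are consulted only by labelling tools such as `restorecon`/`setfiles` (and by the package manager at install time when the policy is already loaded). A file that a daemon creates at runtime is labelled by the kernel from a `type_transition` rule if the policy has one, and otherwise inherits the parent directory's type; the `.fc` entry is never read on that path. The domain name `vasd_t` and the named transition in `PID_TRANSITION` are assumptions for illustration, the spec-matching rule is a simplification of libselinux's ordering, and the two directory listings are constructed copies of the `ls -laZ` output above. On a real system, `matchpathcon <path>` and `restorecon -nv <path>` give the authoritative answers.

```python
"""Simulate where an SELinux file label comes from: relabel-time fcontext
specs vs. runtime creation (type_transition or parent inheritance)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed copy of the five fcontext entries printed in the post.
FCONTEXT_TABLE = """\
/etc/rc.d/init.d/vasd             regular file  system_u:object_r:vasd_initrc_exec_t:s0
/opt/quest/sbin/vasd              regular file  system_u:object_r:vasd_exec_t:s0
/var/opt/quest(/.*)?              all files     system_u:object_r:vasd_var_t:s0
/var/opt/quest/vas/vasd(/.*)?     all files     system_u:object_r:vasd_var_auth_t:s0
/var/opt/quest/vas/vasd/.vasd.pid regular file  system_u:object_r:vasd_var_run_t:s0
"""

# semanage's file-type names -> the mode character in column 1 of `ls -Z`
FTYPE_TO_MODE = {"all files": None, "regular file": "-", "directory": "d",
                 "symbolic link": "l", "socket": "s", "named pipe": "p",
                 "character device": "c", "block device": "b"}


@dataclass
class Spec:
    regex: str
    mode: Optional[str]  # None = spec applies to any file type
    context: str
    order: int           # position in the table, used as a tie-breaker

    @property
    def stem(self) -> str:
        """Literal prefix before the first regex metacharacter (simplified)."""
        return re.match(r"[^.^$*+?()\[\]{}|\\]*", self.regex).group(0)

    @property
    def type(self) -> str:
        return self.context.split(":")[2]


def parse_fcontexts(text: str) -> list:
    specs = []
    for i, line in enumerate(text.splitlines()):
        parts = line.split()
        if not parts:
            continue
        ftype = " ".join(parts[1:-1])  # e.g. "regular file", "all files"
        specs.append(Spec(parts[0], FTYPE_TO_MODE[ftype], parts[-1], i))
    return specs


def expected_type(path: str, mode: str, specs: list) -> Optional[str]:
    """Type restorecon/setfiles would apply. Simplified rule: among matching
    specs of the right file type, the longest literal stem wins, then the
    later entry. Returns None when no spec matches."""
    best = None
    for s in specs:
        if s.mode not in (None, mode) or re.fullmatch(s.regex, path) is None:
            continue
        if best is None or (len(s.stem), s.order) > (len(best.stem), best.order):
            best = s
    return best.type if best else None


def created_type(domain, parent_type, obj_class, name, transitions) -> str:
    """Type the kernel gives an object a process creates at runtime: a named
    type_transition, else an unnamed one, else the parent directory's type.
    The .fc specs play no part here."""
    return (transitions.get((domain, parent_type, obj_class, name))
            or transitions.get((domain, parent_type, obj_class, None))
            or parent_type)


def audit_listing(directory: str, listing: str, specs: list) -> list:
    """Compare an `ls -laZ` listing with the specs; each mismatch is
    (path, actual_type, expected_type), i.e. what `restorecon -nv` reports."""
    mismatches = []
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[-1] == "..":
            continue
        mode, name = parts[0][0], parts[-1]
        ctx = next(p for p in parts if re.match(r"\w+:object_r:\w+:", p))
        path = directory if name == "." else f"{directory}/{name}"
        actual, want = ctx.split(":")[2], expected_type(path, mode, specs)
        if want is not None and want != actual:
            mismatches.append((path, actual, want))
    return mismatches


SPECS = parse_fcontexts(FCONTEXT_TABLE)
VASD_DIR = "/var/opt/quest/vas/vasd"

# Hypothetical policy rule, equivalent to
#   type_transition vasd_t vasd_var_auth_t:file vasd_var_run_t ".vasd.pid";
# (named file transitions need a kernel and policy version that support them).
PID_TRANSITION = {("vasd_t", "vasd_var_auth_t", "file", ".vasd.pid"): "vasd_var_run_t"}

# Constructed from the listing after the daemon restart, before restorecon.
BEFORE_RELABEL = """\
drwxr-xr-x. daemon daemon unconfined_u:object_r:vasd_var_t:s0 .
drwxr-xr-x. root root unconfined_u:object_r:vasd_var_t:s0 ..
srwxrwxrwx. daemon daemon unconfined_u:object_r:vasd_var_t:s0 .vasd_19574
srwxrwxrwx. daemon daemon unconfined_u:object_r:vasd_var_t:s0 .vasd_19575
srwxrwxrwx. daemon daemon unconfined_u:object_r:vasd_var_t:s0 .vasd_19576
srwxrwxrwx. daemon daemon unconfined_u:object_r:vasd_var_t:s0 .vasd40_ipc_sock
-rw-r--r--. daemon daemon unconfined_u:object_r:vasd_var_t:s0 .vasd.pid
-rw-r--r--. daemon daemon unconfined_u:object_r:vasd_var_t:s0 vas_ident.vdb
-rw-r--r--. daemon daemon unconfined_u:object_r:vasd_var_t:s0 vas_misc.vdb
"""

# Constructed from the listing after `restorecon -F -R`.
AFTER_RELABEL = """\
drwxr-xr-x. daemon daemon system_u:object_r:vasd_var_auth_t:s0 .
drwxr-xr-x. root root unconfined_u:object_r:vasd_var_t:s0 ..
srwxrwxrwx. daemon daemon system_u:object_r:vasd_var_auth_t:s0 .vasd_19574
srwxrwxrwx. daemon daemon system_u:object_r:vasd_var_auth_t:s0 .vasd40_ipc_sock
-rw-r--r--. daemon daemon system_u:object_r:vasd_var_auth_t:s0 .vasd.pid
-rw-r--r--. daemon daemon system_u:object_r:vasd_var_auth_t:s0 vas_ident.vdb
"""

if __name__ == "__main__":
    print("spec says .vasd.pid ->", expected_type(f"{VASD_DIR}/.vasd.pid", "-", SPECS))
    print("runtime, no transition ->",
          created_type("vasd_t", "vasd_var_auth_t", "file", ".vasd.pid", {}))
    print("runtime, with transition ->",
          created_type("vasd_t", "vasd_var_auth_t", "file", ".vasd.pid", PID_TRANSITION))
    for m in audit_listing(VASD_DIR, AFTER_RELABEL, SPECS):
        print("mismatch:", m)
```

The `.fc` entry and the `type_transition` rule are not alternatives: the spec fixes what a relabel produces, the transition fixes what the daemon's own `open(O_CREAT)` produces, and a pid file that is deleted and recreated on every restart only ever sees the second path. The audit function reproduces the post's observation that, with no transition in the policy, every file the daemon writes carries the directory's type until the next relabel.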