How to properly set up my domain's security contexts in the domain.fc file?

Jayson Hurst swazup at hotmail.com
Fri Feb 14 01:30:05 UTC 2014


I have a file context installed as follows:

# semanage fcontext -l | grep vasd

/etc/rc.d/init.d/vasd                  regular file   system_u:object_r:vasd_initrc_exec_t:s0
/opt/quest/sbin/vasd                   regular file   system_u:object_r:vasd_exec_t:s0
/var/opt/quest(/.*)?                   all files      system_u:object_r:vasd_var_t:s0
/var/opt/quest/vas/vasd(/.*)?          all files      system_u:object_r:vasd_var_auth_t:s0
/var/opt/quest/vas/vasd/.vasd.pid      regular file   system_u:object_r:vasd_var_run_t:s0

After a fresh install I see the following:

# ls -laZ /var/opt/quest/vas/vasd/
drwxr-xr-x. root root unconfined_u:object_r:vasd_var_t:s0 .
drwxr-xr-x. root root unconfined_u:object_r:vasd_var_t:s0 ..
-rw-r--r--. root root unconfined_u:object_r:vasd_var_t:s0 vas_ident.vdb
-rw-r--r--. root root unconfined_u:object_r:vasd_var_t:s0 vas_misc.vdb


Why are the files being created under /var/opt/quest/vas/vasd not being labelled correctly as vasd_var_auth_t, as the fcontext states?
Is the software installer supposed to force a relabel on a post-install?

After a restart of the daemon I do not see the pid file being labelled correctly:

# /etc/init.d/vasd restart
Stopping vasd: vasd does not appear to be running.
Starting vasd:                                             [  OK  ]

# ls -laZ /var/opt/quest/vas/vasd/
drwxr-xr-x. daemon daemon unconfined_u:object_r:vasd_var_t:s0 .
drwxr-xr-x. root   root   unconfined_u:object_r:vasd_var_t:s0 ..
srwxrwxrwx. daemon daemon unconfined_u:object_r:vasd_var_t:s0 .vasd_19574
srwxrwxrwx. daemon daemon unconfined_u:object_r:vasd_var_t:s0 .vasd_19575
srwxrwxrwx. daemon daemon unconfined_u:object_r:vasd_var_t:s0 .vasd_19576
srwxrwxrwx. daemon daemon unconfined_u:object_r:vasd_var_t:s0 .vasd40_ipc_sock
-rw-r--r--. daemon daemon unconfined_u:object_r:vasd_var_t:s0 .vasd.pid
-rw-r--r--. daemon daemon unconfined_u:object_r:vasd_var_t:s0 vas_ident.vdb
-rw-r--r--. daemon daemon unconfined_u:object_r:vasd_var_t:s0 vas_misc.vdb

After forcing a relabel:

# restorecon -F -R /var/opt/quest/vas/vasd/

# ls -laZ /var/opt/quest/vas/vasd/
drwxr-xr-x. daemon daemon system_u:object_r:vasd_var_auth_t:s0 .
drwxr-xr-x. root   root   unconfined_u:object_r:vasd_var_t:s0 ..
srwxrwxrwx. daemon daemon system_u:object_r:vasd_var_auth_t:s0 .vasd_19574
srwxrwxrwx. daemon daemon system_u:object_r:vasd_var_auth_t:s0 .vasd_19575
srwxrwxrwx. daemon daemon system_u:object_r:vasd_var_auth_t:s0 .vasd_19576
srwxrwxrwx. daemon daemon system_u:object_r:vasd_var_auth_t:s0 .vasd40_ipc_sock
-rw-r--r--. daemon daemon system_u:object_r:vasd_var_auth_t:s0 .vasd.pid
-rw-r--r--. daemon daemon system_u:object_r:vasd_var_auth_t:s0 vas_ident.vdb
-rw-r--r--. daemon daemon system_u:object_r:vasd_var_auth_t:s0 vas_misc.vdb

I get the files and directory labelled correctly, but not the pid file. I can set a pid transition in the policy, but then what is the point of setting a file context in the <domain>.fc for the pid file if it never gets picked up? Apparently I am missing something important here.

Does anyone know a place for good documentation on this subject?
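The post above mixes two different labelling mechanisms, and a small model of one of them makes the distinction concrete. The .fc entries (what `semanage fcontext -l` lists) are the file_contexts rules that restorecon, setfiles and fixfiles consult when they relabel: each rule is a regex anchored to the whole path, optionally restricted to one file type, and the last matching rule wins. Nothing consults those rules when a running daemon creates a file; a freshly created object gets its type from the policy's type_transition (filetrans) rules, or, absent one, inherits its parent directory's type, which is exactly what the listings after the fresh install and after the restart show. The following Python, added here as an illustration and not code from the post, from Quest or from libselinux, applies the documented last-match rule to the five entries and to the post-restart listing quoted above and reports what a relabel should set. Both inputs are constructed from the post and are assumed to be the only rules that can match these paths; the real host may carry further entries in the policy's own file_contexts that this model does not see. Under that assumption the model gives the pid file vasd_var_run_t, whereas the post's `restorecon -F` run produced vasd_var_auth_t, so on the real host some rule this model does not know about is winning; `matchpathcon <path>` prints the default context libselinux actually resolves for a path, and `restorecon -nv` shows the changes a relabel would make without applying them.

```python
import os
import re
import stat

# Constructed sample: the five entries from the post, as `semanage fcontext -l` prints them.
# Assumed to be every rule that can match these paths (a real system may hold others).
SEMANAGE_FCONTEXT_LIST = """\
/etc/rc.d/init.d/vasd              regular file   system_u:object_r:vasd_initrc_exec_t:s0
/opt/quest/sbin/vasd               regular file   system_u:object_r:vasd_exec_t:s0
/var/opt/quest(/.*)?               all files      system_u:object_r:vasd_var_t:s0
/var/opt/quest/vas/vasd(/.*)?      all files      system_u:object_r:vasd_var_auth_t:s0
/var/opt/quest/vas/vasd/.vasd.pid  regular file   system_u:object_r:vasd_var_run_t:s0
"""

# Constructed sample: the `ls -laZ` listing from the post, taken after the daemon restart.
LS_AFTER_RESTART = """\
drwxr-xr-x. daemon daemon unconfined_u:object_r:vasd_var_t:s0 .
drwxr-xr-x. root   root   unconfined_u:object_r:vasd_var_t:s0 ..
srwxrwxrwx. daemon daemon unconfined_u:object_r:vasd_var_t:s0 .vasd_19574
srwxrwxrwx. daemon daemon unconfined_u:object_r:vasd_var_t:s0 .vasd_19575
srwxrwxrwx. daemon daemon unconfined_u:object_r:vasd_var_t:s0 .vasd_19576
srwxrwxrwx. daemon daemon unconfined_u:object_r:vasd_var_t:s0 .vasd40_ipc_sock
-rw-r--r--. daemon daemon unconfined_u:object_r:vasd_var_t:s0 .vasd.pid
-rw-r--r--. daemon daemon unconfined_u:object_r:vasd_var_t:s0 vas_ident.vdb
-rw-r--r--. daemon daemon unconfined_u:object_r:vasd_var_t:s0 vas_misc.vdb
"""

# File-type words used by `semanage fcontext -l`, mapped to the S_IFMT bits they restrict to.
FILE_TYPES = {
    "all files": None, "regular file": stat.S_IFREG, "directory": stat.S_IFDIR,
    "symbolic link": stat.S_IFLNK, "socket": stat.S_IFSOCK, "named pipe": stat.S_IFIFO,
    "character device": stat.S_IFCHR, "block device": stat.S_IFBLK,
}

# First character of an `ls -l` mode string, mapped to the same S_IFMT bits.
LS_TYPE_CHAR = {"-": stat.S_IFREG, "d": stat.S_IFDIR, "l": stat.S_IFLNK, "s": stat.S_IFSOCK,
                "p": stat.S_IFIFO, "c": stat.S_IFCHR, "b": stat.S_IFBLK}


def parse_fcontexts(text):
    """Turn `semanage fcontext -l` lines into (regex, type filter, context) tuples, in file order."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        regex, context = parts[0], parts[-1]
        ftype = " ".join(parts[1:-1])
        entries.append((re.compile(regex), FILE_TYPES[ftype], context))
    return entries


def expected_context(entries, path, mode):
    """Context a relabel assigns: the LAST rule whose regex matches the whole path (file_contexts
    regexes are anchored at both ends) and whose type filter, if any, matches the object's
    S_IFMT bits. None when no rule matches."""
    fmt = stat.S_IFMT(mode)
    winner = None
    for regex, ftype, context in entries:
        if regex.fullmatch(path) is None:
            continue
        if ftype is not None and ftype != fmt:
            continue
        winner = context
    return winner


def type_of(context):
    """The type field of user:role:type[:range]."""
    return context.split(":")[2]


def relabel_plan(entries, directory, ls_output):
    """Compare an `ls -laZ` listing of `directory` against the rules, the way a `restorecon -nv`
    dry run reports it. `change` is True when the type differs: restorecon changes the type by
    default, and -F additionally resets the user and role fields."""
    plan = []
    for line in ls_output.splitlines():
        perms, _user, _group, current, name = line.split()
        path = os.path.normpath(os.path.join(directory, name))
        want = expected_context(entries, path, LS_TYPE_CHAR[perms[0]])
        change = want is not None and type_of(want) != type_of(current)
        plan.append({"path": path, "current": current, "expected": want, "change": change})
    return plan


if __name__ == "__main__":
    rules = parse_fcontexts(SEMANAGE_FCONTEXT_LIST)
    for row in relabel_plan(rules, "/var/opt/quest/vas/vasd", LS_AFTER_RESTART):
        flag = "relabel" if row["change"] else "ok     "
        print(f"{flag} {row['path']}: {row['current']} -> {row['expected']}")
```

Run as a script, it flags eight of the nine listed objects for relabelling and leaves `..` (/var/opt/quest/vas, already vasd_var_t) alone. Note that the pid rule is restricted to regular files, so the same name created as a socket would still fall through to vasd_var_au_th_t's rule above it; and none of this runs at file creation, which is why a filetrans rule in the policy is what labels the pid file at start-up, while the .fc entry only keeps a later relabel from undoing it.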