How to properly setup my domains security contexts in the domain.fc file?

Daniel J Walsh dwalsh at redhat.com
Fri Feb 14 01:58:08 UTC 2014 

On 02/13/2014 08:30 PM, Jayson Hurst wrote:
> I have a file context installed as follows:
> 
> # semanage fcontext -l | grep vasd
> 
> /etc/rc.d/init.d/vasd                              regular file 
> system_u:object_r:vasd_initrc_exec_t:s0 /opt/quest/sbin/vasd regular file
> system_u:object_r:vasd_exec_t:s0 /var/opt/quest(/.*)? all files
> system_u:object_r:vasd_var_t:s0 /var/opt/quest/vas/vasd(/.*)? all files
> system_u:object_r:vasd_var_auth_t:s0 /var/opt/quest/vas/vasd/.vasd.pid
> regular file system_u:object_r:vasd_var_run_t:s0
> 
> After a fresh install I see the following:
> 
> # ls -laZ /var/opt/quest/vas/vasd/ drwxr-xr-x. root root 
> unconfined_u:object_r:vasd_var_t:s0 . drwxr-xr-x. root root 
> unconfined_u:object_r:vasd_var_t:s0 .. -rw-r--r--. root root 
> unconfined_u:object_r:vasd_var_t:s0 vas_ident.vdb -rw-r--r--. root root 
> unconfined_u:object_r:vasd_var_t:s0 vas_misc.vdb
> 
> 
> Why are the files being created under /var/opt/quest/vas/vasd not being 
> labelled correctly as qasd_var_auth_t as the fcontext states? Is the 
> software installer supposed to force a relabel on a post-install?
> 
> After a restart of the daemon I do not see the pid file being labelled 
> correctly:
> 
> # /etc/init.d/vasd restart Stopping vasd: vasd does not appear to be 
> running. Starting vasd:                                             [  OK 
> ]
> 
> # ls -laZ /var/opt/quest/vas/vasd/ drwxr-xr-x. daemon daemon 
> unconfined_u:object_r:vasd_var_t:s0 . drwxr-xr-x. root   root 
> unconfined_u:object_r:vasd_var_t:s0 .. srwxrwxrwx. daemon daemon 
> unconfined_u:object_r:vasd_var_t:s0 .vasd_19574 srwxrwxrwx. daemon daemon 
> unconfined_u:object_r:vasd_var_t:s0 .vasd_19575 srwxrwxrwx. daemon daemon 
> unconfined_u:object_r:vasd_var_t:s0 .vasd_19576 srwxrwxrwx. daemon daemon 
> unconfined_u:object_r:vasd_var_t:s0 .vasd40_ipc_sock -rw-r--r--. daemon 
> daemon unconfined_u:object_r:vasd_var_t:s0 .vasd.pid -rw-r--r--. daemon 
> daemon unconfined_u:object_r:vasd_var_t:s0 vas_ident.vdb -rw-r--r--.
> daemon daemon unconfined_u:object_r:vasd_var_t:s0 vas_misc.vdb
> 
> After forcing a relabel:
> 
> # restorecon -F -R /var/opt/quest/vas/vasd/
> 
> # ls -laZ /var/opt/quest/vas/vasd/ drwxr-xr-x. daemon daemon 
> system_u:object_r:vasd_var_auth_t:s0 . drwxr-xr-x. root   root 
> unconfined_u:object_r:vasd_var_t:s0 .. srwxrwxrwx. daemon daemon 
> system_u:object_r:vasd_var_auth_t:s0 .vasd_19574 srwxrwxrwx. daemon daemon 
> system_u:object_r:vasd_var_auth_t:s0 .vasd_19575 srwxrwxrwx. daemon daemon 
> system_u:object_r:vasd_var_auth_t:s0 .vasd_19576 srwxrwxrwx. daemon daemon 
> system_u:object_r:vasd_var_auth_t:s0 .vasd40_ipc_sock -rw-r--r--. daemon 
> daemon system_u:object_r:vasd_var_auth_t:s0 .vasd.pid -rw-r--r--. daemon 
> daemon system_u:object_r:vasd_var_auth_t:s0 vas_ident.vdb -rw-r--r--. 
> daemon daemon system_u:object_r:vasd_var_auth_t:s0 vas_misc.vdb
> 
> I get the files and directory labelled correctly, but not the pid file. I 
> can set a pid transition in the policy but then what is the point of 
> setting a file context in the <domain>.fc for the pid file if it never
> gets picked up? Apparently I am missing something important here.
> 
> Does anyone know a place for good documentation on this subject?
> 
> 
> 
> 
> 
> 
> 
> -- selinux mailing list selinux at lists.fedoraproject.org 
> https://admin.fedoraproject.org/mailman/listinfo/selinux
> 
If RPM puts the files on disk and then installs your policy in post install,
it will not fix the labels.

You could create an vasd-selinux.rpm and require this to be installed before
the vasd.rpm is installed.  In that case the rpm should do the right thing, at
least on Fedora/RHEL7.  Not sure about RHEL6.

Otherwise you can just run restorecon in the post install.

More information about the selinux mailing list