Thu, Nov 29, 2012 at 01:01:41PM CET, rpazdera(a)redhat.com wrote:
I am looking into the problems we're having with SELinux. And it's not
going well ...
Compiling and installing additional SELinux policies in RPMs is *REALLY*
obscure (in my opinion). The problem is that tcpdump doesn't have the
right context to write to /var/log. We would have to allow it by
creating a policy derived from netutils_t and var_log_t (I am not even
sure I understand it properly at the moment).
I have seen some API for changing contexts of processes. Unfortunately,
it is C and Python bindings are not included in Fedora.
I think that the best option for us is to just store the dump files
elsewhere. When I thought about it, there are multiple reasons for this.
1. Problems with SELinux
2. The pcap dumps have a potential to grow very rapidly. At the moment,
we don't do any cleanup of the logs at all. Permanently storing such
big files on slave machines in a seriously used pool would lead to a
full disk after a while anyway.
I think it will be better to write them to /tmp on slaves and discard
them when the recipe is over and they've been transferred to the
Acked-by: Jiri Pirko <jpirko(a)redhat.com>
What do you think?
LNST-developers mailing list