Bootup error with Selinux +F15
by magina antimage
Hi,
I have tried disabling SELinux, because I didn't have the SELinux module
enabled in my kernel.
I have tried changing /etc/selinux/config
from SELINUX=permissive to SELINUX=disabled,
but I still get the error
"Failed to load SELinux policy." during bootup.
I have referred to https://bugzilla.redhat.com/show_bug.cgi?id=692573
and tried to solve this problem, but with no positive results.
Also, sometimes I get I/O errors on my hard disk (during boot) after
one or two boots.
I am not sure whether it's because of SELinux or not, but while
searching for this I/O error I came across a few cases where these I/O
errors were because of SELinux policies.
Other details:
arch: x86
selinux version: libselinux-2.0.99-4.fc15.i686
10 years, 1 month
Re: [PATCH 1/2] iptables (userspace): add secmark match
by Mr Dash Four
Pablo Neira Ayuso wrote:
> On Tue, Mar 05, 2013 at 12:48:47PM +0000, Mr Dash Four wrote:
>
>> This patch is part of the userspace changes needed for the "secmark" match
>> in iptables.
>>
>
> SELinux already provides the framework to define your network policy
> based on the secmark. I don't see why we need this in iptables.
>
I am not sure what to make of your response above Pablo. The purpose of
the patch isn't to replace what SELinux already provides, but to make
full use of that security framework. Are you questioning the purpose or
usefulness of the patch in general? Elaborate please.
10 years, 5 months
Ye olde "avc granted"
by mark
Hi, folks,
Got a server that's throwing a ton of avc granted, all related to
Matlab. I saw something via Google from '06, for a Java thing - is
there something I can use to shut this up?
CentOS 5.9, current.
mark
10 years, 6 months
[PATCH 2/2] iptables (kernel): add secmark match
by Mr Dash Four
This patch is part of the kernel changes needed for the "secmark" match
in iptables.
Signed-off-by: Mr Dash Four <mr.dash.four(a)googlemail.com>
---
include/uapi/linux/netfilter/Kbuild | 1 +
include/uapi/linux/netfilter/xt_secmark.h | 24 ++++++
net/netfilter/Kconfig | 10 +++
net/netfilter/Makefile | 1 +
net/netfilter/xt_secmark.c | 117 +++++++++++++++++++++++++++++
5 files changed, 153 insertions(+)
create mode 100644 include/uapi/linux/netfilter/xt_secmark.h
create mode 100644 net/netfilter/xt_secmark.c
diff --git a/include/uapi/linux/netfilter/Kbuild b/include/uapi/linux/netfilter/Kbuild
index 4111577..4884edd 100644
--- a/include/uapi/linux/netfilter/Kbuild
+++ b/include/uapi/linux/netfilter/Kbuild
@@ -69,6 +69,7 @@ header-y += xt_rateest.h
header-y += xt_realm.h
header-y += xt_recent.h
header-y += xt_sctp.h
+header-y += xt_secmark.h
header-y += xt_set.h
header-y += xt_socket.h
header-y += xt_state.h
diff --git a/include/uapi/linux/netfilter/xt_secmark.h b/include/uapi/linux/netfilter/xt_secmark.h
new file mode 100644
index 0000000..c74a35d
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_secmark.h
@@ -0,0 +1,24 @@
+#ifndef _XT_SECMARK_MATCH_H
+#define _XT_SECMARK_MATCH_H
+
+#include <linux/types.h>
+
+/*
+ * Header file for iptables xt_secmark match
+ *
+ * This is intended for use by various security subsystems (but not
+ * at the same time).
+ *
+ * 'mode' refers to the specific security subsystem which the
+ * packets are being marked for.
+ */
+#define SECMARK_MODE_SEL 0x01 /* SELinux */
+#define SECMARK_SECCTX_MAX 256
+
+struct xt_secmark_match_info {
+ __u8 mode;
+ __u32 secid;
+ char secctx[SECMARK_SECCTX_MAX];
+};
+
+#endif /* _XT_SECMARK_MATCH_H */
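Review bot: `secid` in `struct xt_secmark_match_info` is filled in by the kernel (checkentry derives it from `secctx`), but nothing in this header says so; a one-line comment on the field marking it as kernel-populated, and a note that userspace should leave it zeroed, would keep iptables from treating it as an input. The header comment also promises "various security subsystems" while only `SECMARK_MODE_SEL` exists; say that SELinux is the only mode currently defined.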
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 56d22ca..d53ea14 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -1166,6 +1166,16 @@ config NETFILTER_XT_MATCH_RECENT
Short options are available by using 'iptables -m recent -h'
Official Website: <http://snowman.net/projects/ipt_recent/>
+config NETFILTER_XT_MATCH_SECMARK
+ tristate '"secmark" match support'
+ depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
+ default m if NETFILTER_ADVANCED=n
+ help
+ The SECMARK match allows matching on security marking of network
+ packets, for use with security subsystems.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
config NETFILTER_XT_MATCH_SCTP
tristate '"sctp" protocol match support'
depends on NETFILTER_ADVANCED
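Review bot: the `depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK` line ties this match to connection tracking, but the match in this series only reads `skb->secmark` and calls `security_secctx_to_secid()`; it needs `NETWORK_SECMARK` (the option that provides `skb->secmark`), not conntrack. Also, the new entry is inserted between `NETFILTER_XT_MATCH_RECENT` and `NETFILTER_XT_MATCH_SCTP`, but this block is kept alphabetical and SECMARK sorts after SCTP.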
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index a1abf87..686c4c3 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -139,6 +139,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_STRING) += xt_string.o
obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o
obj-$(CONFIG_NETFILTER_XT_MATCH_TIME) += xt_time.o
obj-$(CONFIG_NETFILTER_XT_MATCH_U32) += xt_u32.o
+obj-$(CONFIG_NETFILTER_XT_MATCH_SECMARK) += xt_secmark.o
# ipset
obj-$(CONFIG_IP_SET) += ipset/
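Review bot: the match objects in this Makefile are kept in alphabetical order, so `xt_secmark.o` should go in its sorted place among the other `NETFILTER_XT_MATCH_*` lines rather than being appended after `xt_u32.o` just above the `# ipset` section.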
diff --git a/net/netfilter/xt_secmark.c b/net/netfilter/xt_secmark.c
new file mode 100644
index 0000000..8837d13
--- /dev/null
+++ b/net/netfilter/xt_secmark.c
@@ -0,0 +1,117 @@
+/*
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 (or any
+ * later at your option) as published by the Free Software Foundation.
+ */
+
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+#include <linux/module.h>
+#include <linux/security.h>
+#include <linux/skbuff.h>
+
+#include <linux/netfilter/x_tables.h>
+#include <uapi/linux/netfilter/xt_secmark.h>
+
+MODULE_AUTHOR("Mr Dash Four <mr.dash.four(a)googlemail.com>");
+MODULE_DESCRIPTION("Xtables: security mark match");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS("ipt_secmark");
+MODULE_ALIAS("ip6t_secmark");
+
+static u8 mode;
+
+static bool secmark_mt(const struct sk_buff *skb, struct xt_action_param *par)
+{
+ const struct xt_secmark_match_info *info = par->targinfo;
+ u32 secmark = 0;
+
+ BUG_ON(info->mode != mode);
+
+ switch (mode) {
+ case SECMARK_MODE_SEL:
+ secmark = info->secid;
+ break;
+ default:
+ BUG();
+ }
+
+ return (skb->secmark != 0 && secmark != 0 && skb->secmark == secmark);
+}
+
+static int checkentry_lsm(struct xt_secmark_match_info *info)
+{
+ int err;
+
+ info->secctx[SECMARK_SECCTX_MAX - 1] = '\0';
+ info->secid = 0;
+
+ err = security_secctx_to_secid(info->secctx, strlen(info->secctx),
+ &info->secid);
+ if (err) {
+ if (err == -EINVAL)
+ pr_info("invalid security context \'%s\'\n", info->secctx);
+ return err;
+ }
+
+ if (!info->secid) {
+ pr_info("unable to map security context \'%s\'\n", info->secctx);
+ return -ENOENT;
+ }
+
+ return 0;
+}
+
+static int
+secmark_mt_checkentry(const struct xt_mtchk_param *par)
+{
+ struct xt_secmark_match_info *info = par->matchinfo;
+ int err;
+
+ if (mode && mode != info->mode) {
+ pr_info("mode already set to %hu cannot mix with "
+ "rules for mode %hu\n", mode, info->mode);
+ return -EINVAL;
+ }
+
+ switch (info->mode) {
+ case SECMARK_MODE_SEL:
+ break;
+ default:
+ pr_info("invalid mode: %hu\n", info->mode);
+ return -EINVAL;
+ }
+
+ err = checkentry_lsm(info);
+ if (err)
+ return err;
+
+ if (!mode)
+ mode = info->mode;
+ return 0;
+}
+
+static void
+secmark_mt_destroy(const struct xt_mtdtor_param *par) { }
+
+static struct xt_match secmark_mt_reg __read_mostly = {
+ .name = "secmark",
+ .family = NFPROTO_UNSPEC,
+ .checkentry = secmark_mt_checkentry,
+ .match = secmark_mt,
+ .destroy = secmark_mt_destroy,
+ .matchsize = sizeof(struct xt_secmark_match_info),
+ .me = THIS_MODULE,
+};
+
+static int __init secmark_mt_init(void)
+{
+ return xt_register_match(&secmark_mt_reg);
+}
+
+static void __exit secmark_mt_exit(void)
+{
+ xt_unregister_match(&secmark_mt_reg);
+}
+
+module_init(secmark_mt_init);
+module_exit(secmark_mt_exit);
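Review bot: `mode` is a module-wide latch set in `secmark_mt_checkentry()` but never cleared, and `secmark_mt_destroy()` is empty, so once one rule has been loaded the "cannot mix with rules for mode" check stays armed even after the last secmark rule is removed; either count active rules and reset `mode` in `destroy` when the count reaches zero, or document the one-way behaviour. Two smaller points: `secmark_mt()` reads the rule data through `par->targinfo`, which only works because `matchinfo` and `targinfo` share a union in `struct xt_action_param` (use `par->matchinfo` for a match), and `BUG_ON(info->mode != mode)` plus `BUG()` in the per-packet path take the whole machine down for a state that checkentry has already validated, where `WARN_ON_ONCE()` and `return false` would do. The `secmark != 0` test in the return is also redundant, since `checkentry_lsm()` already rejects a zero `secid`.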
10 years, 6 months
default and new file contexts
by mark
We've got a scratch directory; in it, any user can write. I've gotten
complaints of unlabeled, and I found and set them to default_t.
Here's the question: if I use semanage to set one of the user
subdirectories to, say, default_t, and they try to copy a file that
already has a valid context, would that context be changed to default_t,
or would it retain its existing context?
Thanks in advance.
mark
10 years, 6 months
dbus daemon SELinux problem
by Erick Staal
Hi,
After the last update of selinux to 3.11.1-86 the following error
appears in /var/log/messages:
SELinux: Context
unconfined_u:system_r:unconfined_dbusd_t:s0-s0:c0.c1023 would be invalid
if enforcing
It looks like there is a problem with the SELinux config for dbusd.
Can anyone tell me how to fix this?
Sincerely, Erick
10 years, 6 months
syslog-ng creates /dev/log in wrong selinux domain causing avc denials
by Daniel Neuberger
All,
We are getting AVC denials like the following:
audit.log:type=AVC msg=audit(1363623746.304:77): avc: denied { write
} for pid=7569 comm="audispd" name="log" dev=tmpfs ino=12139
scontext=system_u:system_r:audisp_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=sock_file
audit.log:type=AVC msg=audit(1363628993.829:922): avc: denied {
write } for pid=8402 comm="logger" name="log" dev=tmpfs ino=12139
scontext=user_u:system_r:dhcpc_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=sock_file
audit.log:type=AVC msg=audit(1363628997.219:952): avc: denied {
write } for pid=8808 comm="dhclient" name="log" dev=tmpfs ino=12139
scontext=user_u:system_r:dhcpc_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=sock_file
audit.log:type=AVC msg=audit(1363628997.285:955): avc: denied {
write } for pid=8808 comm="dhclient" name="log" dev=tmpfs ino=12139
scontext=user_u:system_r:dhcpc_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=sock_file
...
audit.log:type=AVC msg=audit(1363629158.017:1081): avc: denied {
write } for pid=9213 comm="logger" name="log" dev=tmpfs ino=12139
scontext=user_u:system_r:dhcpc_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=sock_file
audit.log:type=AVC msg=audit(1363629420.696:1144): avc: denied {
write } for pid=4944 comm="ntpd" name="log" dev=tmpfs ino=12139
scontext=system_u:system_r:ntpd_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=sock_file
audit.log:type=AVC msg=audit(1363629420.807:1145): avc: denied {
write } for pid=9700 comm="ntpd" name="log" dev=tmpfs ino=12139
scontext=user_u:system_r:ntpd_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=sock_file
audit.log:type=AVC msg=audit(1363634382.869:2143): avc: denied {
write } for pid=9973 comm="groupadd" name="log" dev=tmpfs ino=32837
scontext=user_u:system_r:groupadd_t:s0
tcontext=user_u:object_r:device_t:s0 tclass=sock_file
...
The problem seems to be that syslog-ng is creating /dev/log in the wrong domain:
[root@foo ~]$ ls -Z /dev/log
srw-rw-rw- root root user_u:object_r:device_t:s0 /dev/log
[root@foo ~]$ chcon system_u:object_r:devlog_t:s0 /dev/log
[root@foo ~]$ ls -Z /dev/log
srw-rw-rw- root root system_u:object_r:devlog_t:s0 /dev/log
[root@foo ~]$ run_init /etc/init.d/syslog-ng restart
Authenticating foobar.
Password:
Restarting syslog-ng: Stopping syslog-ng: [ OK ]
Starting syslog-ng: [ OK ]
[root@foo ~]$ ls -Z /dev/log
srw-rw-rw- root root user_u:object_r:device_t:s0 /dev/log
I think this is because the syslog-ng daemon is running in the wrong
domain. It never transitions from the initrc_t domain:
[root@foo log]$ ps -efZ | grep syslog
system_u:system_r:initrc_t:s0 root 4912 1 0 16:20 ?
00:00:00 supervising syslog-ng
system_u:system_r:initrc_t:s0 root 4913 4912 0 16:20 ?
00:00:00 /opt/syslog-ng/sbin/syslog-ng --no-caps
The problem - I think - is that we're using a syslog-ng rpm from the
vendor's website that installs to /opt rather than /usr as the
targeted policy seems to expect, meaning the daemon and everything has
the wrong file contexts. I tried fixing this by updating the contexts
based on the settings in the logging.fc file from the policy src.rpm,
but that didn't help:
[root@foo ~]$ chcon system_u:object_r:syslog_conf_t:s0 /opt/syslog-ng/etc/*
[root@foo ~]$ chcon system_u:object_r:syslogd_exec_t:s0 /opt/syslog-ng/sbin/*
[root@foo ~]$ chcon system_u:object_r:syslogd_var_lib_t:s0
/opt/syslog-ng/var/syslog-ng.persist
[root@foo ~]$ chcon system_u:object_r:syslogd_var_lib_t:s0
/opt/syslog-ng/var/run/*
[root@foo ~]$ run_init /etc/init.d/syslog-ng restart
Authenticating foobar.
Password:
Restarting syslog-ng: Stopping syslog-ng: [ OK ]
Starting syslog-ng: [ OK ]
[root@foo ~]$ ls -Z /dev/log
srw-rw-rw- root root user_u:object_r:device_t:s0 /dev/log
[root@foo ~]$ ps -efZ | grep syslog
user_u:system_r:initrc_t:s0 root 6594 1 0 14:35 ?
00:00:00 supervising syslog-ng
user_u:system_r:initrc_t:s0 root 6595 6594 0 14:35 ?
00:00:00 /opt/syslog-ng/sbin/syslog-ng --no-caps
Restarting after making these changes didn't help either. At this
point, I'm out of ideas for how to properly fix the problem. I also
tried relabeling the whole system, then applying the above changes, and
that didn't help.
FYI, we are running a RHEL 5.5 system, but are using the RHEL 5.7
kernel and selinux rpms including:
libselinux-1.33.4-5.7.el5.i386
libselinux-1.33.4-5.7.el5.x86_64
libselinux-python-1.33.4-5.7.el5.x86_64
libselinux-utils-1.33.4-5.7.el5.x86_64
selinux-policy-2.4.6-316.el5.noarch
selinux-policy-targeted-2.4.6-316.el5.noarch
We're using syslog-ng-3.1.4-1.rhel5.x86_64.rpm from the vendor's
website which installs everything in /opt/syslog-ng rather than the
normal RHEL locations.
Any pointers would be much appreciated. I'm assuming I should be able
to fix this without modifying the policy, but maybe I'm missing
something.
Thanks.
- Daniel
10 years, 6 months
CentOS 6.4 and node.js
by mark
Actually, it could be mongodb, but most likely, since I've just built,
packaged, and installed node.js, I'm getting buried under AVCs. Is there
a policy somewhere for node.js?
10 years, 6 months
Issue with SELinux and BackupPC backup directory at non-standard location
by Jeff Boyce
Greetings -
I have been testing BackupPC for my small office network, with BackupPC
running from its own VM. The backups created by BackupPC are being put on a
separate mounted LVM partition (/bkupdata), rather than at /var/lib/BackupPC
for the standard installation. I followed the BackupPC documentation for
doing this, and everything was testing fine. I extended the logical volume
and filesystem containing the /bkupdata partition to allow more room for all
the expected backups after testing was completed. When I rebooted after
extending the filesystem, I noticed that SELinux was doing a relabel on the
filesystem. I didn't think anything of it until a few hours later when I
accessed the BackupPC web interface and couldn't see the previous backups.
After a fair amount of research about potential BackupPC specific causes, I
was able to determine that the issue was SELinux related.
1. Everything worked properly (with the non-standard backup location)
before the reboot and SELinux relabel.
2. Temporarily turning SELinux off (setenforce=0), and everything works
again.
3. Turning SELinux on (setenforce=1), and I get errors from BackupPC web
interface
I posted to the BackupPC mailing list yesterday, but have no responses from
anyone with SELinux expertise, so I thought I should take my issue here. So
in summary, here is what I have:
Backups are being stored on separate partition, not standard for BackupPC:
/bkupdata
Standard BackupPC storage location:
/var/lib/BackupPC
SELinux context on standard BackupPC storage location:
[root@bacteria BackupPC]# pwd
/var/lib/BackupPC
[root@bacteria BackupPC]# ls -Z
drwxr-x---. backuppc backuppc system_u:object_r:var_lib_t:s0 cpool
drwxr-x---. backuppc backuppc system_u:object_r:var_lib_t:s0 pc
drwxr-x---. backuppc backuppc system_u:object_r:var_lib_t:s0 pool
drwxr-x---. backuppc backuppc system_u:object_r:var_lib_t:s0 trash
Current SELinux context on my BackupPC storage location:
[root@bacteria bkupdata]# pwd
/bkupdata
[root@bacteria bkupdata]# ls -Z
drwxr-x---. backuppc root system_u:object_r:default_t:s0 cpool
drwx------. root root system_u:object_r:default_t:s0 lost+found
drwxr-x---. backuppc root system_u:object_r:default_t:s0 pc
drwxr-x---. backuppc root system_u:object_r:default_t:s0 pool
drwxr-x---. backuppc root system_u:object_r:default_t:s0 trash
And one of the test clients backup location:
[root@bacteria jab-opti755]# pwd
/bkupdata/pc/jab-opti755
[root@bacteria jab-opti755]# ls -Z
drwxr-x---. backuppc backuppc system_u:object_r:default_t:s0 0
drwxr-x---. backuppc backuppc system_u:object_r:default_t:s0 1
drwxr-x---. backuppc backuppc system_u:object_r:default_t:s0 2
drwxr-x---. backuppc backuppc system_u:object_r:default_t:s0 3
drwxr-x---. backuppc backuppc system_u:object_r:default_t:s0 4
drwxr-x---. backuppc backuppc system_u:object_r:default_t:s0 5
-rw-r-----. backuppc backuppc system_u:object_r:default_t:s0 backups
-rw-r-----. backuppc backuppc system_u:object_r:default_t:s0 backups.old
-rw-r-----. backuppc backuppc system_u:object_r:default_t:s0 backups.save
-rw-r-----. backuppc backuppc system_u:object_r:default_t:s0 LOCK
-rw-r-----. backuppc backuppc system_u:object_r:default_t:s0 LOG.032013
-rw-r-----. backuppc backuppc system_u:object_r:default_t:s0 XferLOG.0.z
-rw-r-----. backuppc backuppc system_u:object_r:default_t:s0 XferLOG.1.z
-rw-r-----. backuppc backuppc system_u:object_r:default_t:s0 XferLOG.2.z
-rw-r-----. backuppc backuppc system_u:object_r:default_t:s0 XferLOG.3.z
-rw-r-----. backuppc backuppc system_u:object_r:default_t:s0 XferLOG.4.z
-rw-r-----. backuppc backuppc system_u:object_r:default_t:s0 XferLOG.5.z
-rw-r-----. backuppc backuppc system_u:object_r:default_t:s0 XferLOG.bad.z.old
In reviewing my SELinux contexts listed above, I noticed that the group
assignment for the directories under /bkupdata is root. I have subsequently
changed them to backuppc, and shutdown the backuppc service, shutdown and
restarted the http service, then restarted the backuppc service. The same
errors persist after this change, so the issue was not just with an
incorrect group setting.
Here is a representative sample of the SELinux audit messages that are
occurring:
----
time->Thu Mar 14 13:35:51 2013
type=SYSCALL msg=audit(1363293351.295:27283): arch=c000003e syscall=2
success=no exit=-13 a0=1437b70 a1=0 a2=1b6 a3=3c1711dbe0 items=0 ppid=1813
pid=4379 auid=4294967295 uid=496 gid=48 euid=496 suid=496 fsuid=496 egid=48
sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="BackupPC_Admin."
exe="/usr/bin/perl" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1363293351.295:27283): avc: denied { read } for
pid=4379 comm="BackupPC_Admin." name="backups" dev=vdd1 ino=4218673
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:default_t:s0 tclass=file
----
time->Thu Mar 14 13:35:51 2013
type=SYSCALL msg=audit(1363293351.292:27282): arch=c000003e syscall=2
success=no exit=-13 a0=1437b10 a1=0 a2=1b6 a3=3c1711dbe0 items=0 ppid=1813
pid=4379 auid=4294967295 uid=496 gid=48 euid=496 suid=496 fsuid=496 egid=48
sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="BackupPC_Admin."
exe="/usr/bin/perl" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1363293351.292:27282): avc: denied { read } for
pid=4379 comm="BackupPC_Admin." name="LOCK" dev=vdd1 ino=4194307
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:default_t:s0 tclass=file
----
time->Thu Mar 14 13:36:01 2013
type=SYSCALL msg=audit(1363293361.526:27285): arch=c000003e syscall=4
success=no exit=-13 a0=1630140 a1=1569130 a2=1569130 a3=21 items=0 ppid=1806
pid=4400 auid=4294967295 uid=496 gid=48 euid=496 suid=496 fsuid=496 egid=48
sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="BackupPC_Admin."
exe="/usr/bin/perl" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1363293361.526:27285): avc: denied { getattr } for
pid=4400 comm="BackupPC_Admin." path="/bkupdata/pc/jab-opti755/backups"
dev=vdd1 ino=4218673 scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:default_t:s0 tclass=file
----
I have read through the RedHat SELinux users guide and understand from this
and looking at the above messages that my target context is probably not
what it should be for this. I am hoping someone can guide me to get this
corrected in a proper way without making a blanket permissive policy. Also,
if I have to expand my partition again, I don't want to have to go
through the same pain of discovering the problem; I would like it fixed
so that the problem doesn't re-occur. If any additional
information is needed please let me know.
Please CC me directly on any replies as I am only subscribed to the daily
digest. Thanks.
Jeff Boyce
Meridian Environmental
www.meridianenv.com
10 years, 6 months
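A small triage script, added here and not taken from either post, that parses the AVC records quoted in the syslog-ng and BackupPC threads above and groups them by target object: in both cases every denial collapses onto a single object carrying a fallback type (device_t for /dev/log, default_t for the /bkupdata files), which points to a mislabeled object rather than a missing policy rule. The sample records are copied from the posts and joined back onto one line each; the FALLBACK_TYPES set is my own triage assumption.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records from the syslog-ng and BackupPC posts above,
# each joined back onto one line as audit.log stores them ("audit.log:" is grep
# residue and "time->" is ausearch output; the parser skips both).
SAMPLE = """\
audit.log:type=AVC msg=audit(1363623746.304:77): avc: denied { write } for pid=7569 comm="audispd" name="log" dev=tmpfs ino=12139 scontext=system_u:system_r:audisp_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=sock_file
audit.log:type=AVC msg=audit(1363628993.829:922): avc: denied { write } for pid=8402 comm="logger" name="log" dev=tmpfs ino=12139 scontext=user_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=sock_file
audit.log:type=AVC msg=audit(1363629420.696:1144): avc: denied { write } for pid=4944 comm="ntpd" name="log" dev=tmpfs ino=12139 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=sock_file
time->Thu Mar 14 13:35:51 2013
type=SYSCALL msg=audit(1363293351.295:27283): arch=c000003e syscall=2 success=no exit=-13 comm="BackupPC_Admin." subj=system_u:system_r:httpd_t:s0
type=AVC msg=audit(1363293351.295:27283): avc: denied { read } for pid=4379 comm="BackupPC_Admin." name="backups" dev=vdd1 ino=4218673 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1363293361.526:27285): avc: denied { getattr } for pid=4400 comm="BackupPC_Admin." path="/bkupdata/pc/jab-opti755/backups" dev=vdd1 ino=4218673 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
"""

AVC_RE = re.compile(r"type=AVC msg=audit\([\d.]+:\d+\):\s*avc:\s*denied\s*"
                    r"\{(?P<perms>[^}]*)\}\s*for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Types an object ends up with when no file-context rule (or no label) applies;
# a denial against one of these usually means the object is mislabeled (my assumption).
FALLBACK_TYPES = {"default_t", "device_t", "unlabeled_t", "file_t"}

def ctx_type(context):
    """Return the type field of a user:role:type[:range] context."""
    return context.split(":")[2]

def parse_avc(text):
    """Parse denied AVC records; SYSCALL and time-> lines are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
            rec["perms"] = set(m.group("perms").split())
            records.append(rec)
    return records

def summarize(records):
    """Group denials by target object (context, class, dev:inode or name)."""
    groups = defaultdict(lambda: {"count": 0, "perms": set(), "sources": set(),
                                  "names": set(), "fallback": False})
    for rec in records:
        obj = ("%s:%s" % (rec.get("dev", "?"), rec["ino"]) if "ino" in rec
               else rec.get("path") or rec.get("name", "?"))
        g = groups[(rec["tcontext"], rec["tclass"], obj)]
        g["count"] += 1
        g["perms"] |= rec["perms"]
        g["sources"].add(ctx_type(rec["scontext"]))
        g["names"].add(rec.get("path") or rec.get("name", "?"))
        g["fallback"] = ctx_type(rec["tcontext"]) in FALLBACK_TYPES
    return dict(groups)

def report(records):
    """One line per target object; fallback-typed objects are flagged for relabeling."""
    lines = []
    for (tctx, tclass, obj), g in sorted(summarize(records).items()):
        flag = "  <- fallback type: check label, then restorecon" if g["fallback"] else ""
        lines.append("%s %s %s [%s]: %d denials, perms %s, from %s%s" % (
            ctx_type(tctx), tclass, obj, ",".join(sorted(g["names"])), g["count"],
            ",".join(sorted(g["perms"])), ",".join(sorted(g["sources"])), flag))
    return lines
```

Feeding a real audit.log through `parse_avc` works the same way, since records there are already one per line; the two flagged lines are the objects whose label to compare against `matchpathcon` before touching policy.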
Re: Looking for links: passenger & selinux
by mark
Miroslav wrote:
> m.roth(a)5-cent.us wrote:
>>> Gag. I hate passenger...
>>
>>> This is CentOS 6.3
>>
>>> Does someone have a link to info on what selinux passenger context to set
>>> what files to? I see passenger set to lib_t, which I may have done a
>>> while back, but the current policy may be more picky. I've looked at the
>>> passenger_selinux manpage, and it doesn't suggest what they should be. The
>>> version of ruby my users are on is the old 1.8.7 enterprise, *not*
>>> installed from an rpm, so nothing's correct....
>>
>> Following myself up, a clarification: I've seen pages that say to set all
>> of passenger to httpd_sys_content_t; however, since there's explicitly a
>> passenger_*_t, and I *assume* that it allows it to transition to run
>> things like ps, and status, I'd like to set them *correctly*, rather than
>> as httpd*, and then allow all sorts of things for httpd to do as policy.
> We have passenger fixes in RHEL6.4. Basically you will need to follow
> http://git.fedorahosted.org/cgit/selinux-policy.git/tree/passenger.fc?h=f...
> labeling.
Thanks, Miroslav. Here's what (once I thought of it) seems like an obvious
question: is there a way, in selinux, to say "I installed this stuff over
here, not in the usual place (say, from a tarball instead of an rpm), but
I want to label everything correctly, something like
<selinuxrelabel> passenger-policy /opt/ruby/gem/etc?
mark
10 years, 6 months