Correct way to handle SELinux for a systemd-started SSH VPN
by Chris Adams
I am starting an SSH VPN connection with a systemd service. It's just a
simple service, with an ExecStart to run ssh. If I wrap it with a shell
(ExecStart=/bin/sh -c "/usr/bin/ssh %i"), it runs; if I take out the
shell wrap (ExecStart=/usr/bin/ssh %i), it fails due to SELinux not
allowing it. If I set permissive mode, there's a whole lot of different
things that init_t is not allowed to do. :)
So obviously I can just run with the shell wrapper, but is there a more
proper way to do this?
--
Chris Adams <linux(a)cmadams.net>
1 year, 3 months
Docker Container files MCS labelling not being implemented in Fedora 32
by Aswad Tariq
In Docker version 20.10.7, build f0df350, with SELinux enabled and set to enforcing mode with the targeted policy, the MCS labels should be applied to containers and their files by default. I should see user:role:type:s0:c1,c34 for example, but instead the category labels are not applied and I see user:role:type:s0 for files inside the container when running ls -lZ or in audit records.
The version of Fedora is 32 with kernel version 5.6.6-300.fc32.x86_64. This would be simpler if the labels were not being applied to podman containers either, but when making files in podman containers the category labels are being set and working fine. Any idea as to what could be the issue?
Thanks!
1 year, 4 months
Allow file access to two different domains
by Gionatan Danti
Hi all,
as one file/dir can have one and only one selinux label, I wonder if/how
one can allow processes from different domains to access the same
files/dirs.
I know that for a specific executable and directory one can use the
appropriate bools; for example samba_enable_home_dirs enables smbd to
read/write home_root_t types. I also know that one can create and load a
custom policy to allow the required access.
However, I wonder if an easier approach exists to let processes from
different domains access the same set of files or directories.
Any clue?
Thanks.
--
Danti Gionatan
Supporto Tecnico
Assyoma S.r.l. - www.assyoma.it
email: g.danti(a)assyoma.it - info(a)assyoma.it
GPG public key ID: FF5F32A8
1 year, 4 months