On Fri, 2014-01-10 at 11:13 -0500, David Hampton wrote:
/var/run/fwknop(/.*)? -- gen_context(system_u:object_r:fwknopd_var_run_t,s0)
#
# Create (/var)/run/fwknop directory, and manage files within that
# directory.
#
files_create_var_run_dirs(fwknopd_t)
files_pid_filetrans(fwknopd_t, fwknopd_var_run_t, dir)
manage_files_pattern(fwknopd_t, fwknopd_var_run_t, fwknopd_var_run_t)
The above does not add up:
The file context specification states: label all "single files" in /var/run/fwknop and below with type fwknopd_var_run_t.
That means that the /var/run/fwknop directory will be reset to var_run_t if you run restorecon on it (assuming it was created with type fwknopd_var_run_t as part of what your policy governs).
The related rules you added also do not add up because your file
transition rule states: make fwknopd_t create directories in var_run_t
directories with type fwknopd_var_run_t.
Obviously that conflicts with the file context specification, which states that fwknopd_var_run_t only applies to files.
Not to mention that fwknopd_t is not allowed to create directories with type fwknopd_var_run_t (only files).
fwknopd_t is allowed to create var_run_t directories instead, but that conflicts with the filetrans rule.
So I would probably change the above to this instead:
/var/run/fwknop(/.*)? gen_context(system_u:object_r:fwknopd_var_run_t,s0)
manage_dirs_pattern(fwknopd_t, fwknopd_var_run_t, fwknopd_var_run_t)
manage_files_pattern(fwknopd_t, fwknopd_var_run_t, fwknopd_var_run_t)
files_pid_filetrans(fwknopd_t, fwknopd_var_run_t, dir)
Also do not forget to remove the permissive statement before you deploy this solution.
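The mismatch described in this reply (an `.fc` entry restricted to regular files with `--`, combined with a `files_pid_filetrans` rule that creates a directory, and a `manage_files_pattern` that grants no `dir` access) can be checked mechanically. The following is an added example, not code from the thread, from fwknop or from refpolicy: a small Python checker that models the `.fc` type-specifier field, the "last matching entry wins" lookup of file_contexts(5), and a deliberately simplified view of what `manage_files_pattern` / `manage_dirs_pattern` grant. The `/var/run(/.*)?` base entry and the sample `.fc`/`.te` fragments are constructed inputs that stand in for the real policy files; `check_policy`, `parse_fc`, `parse_te` and `fc_label` are hypothetical helper names.

```python
import re

# .fc type-specifier field -> object classes the entry applies to.
# No specifier means every class; "--" means regular files only (file_contexts(5)).
FC_CLASSES = {
    None: {"dir", "file", "lnk_file", "chr_file", "blk_file", "sock_file", "fifo_file"},
    "--": {"file"}, "-d": {"dir"}, "-l": {"lnk_file"}, "-c": {"chr_file"},
    "-b": {"blk_file"}, "-s": {"sock_file"}, "-p": {"fifo_file"},
}

FC_LINE = re.compile(
    r"^(?P<regex>\S+)\s+(?:(?P<spec>-[-dlcbsp])\s+)?"
    r"gen_context\((?P<ctx>[^,)]+)(?:,[^)]*)?\)$")

# Simplified model of two refpolicy pattern macros: which object class on the
# target type each one grants create/manage access for (the real macros also
# grant search/add_name on the containing directory type, ignored here).
PATTERN_CLASSES = {"manage_files_pattern": "file", "manage_dirs_pattern": "dir"}


def parse_fc(text):
    """Parse .fc lines into (regex, applicable classes, type) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = FC_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable fc line: {line!r}")
        type_ = m.group("ctx").split(":")[2]          # user:role:type
        entries.append((m.group("regex"), FC_CLASSES[m.group("spec")], type_))
    return entries


def fc_label(entries, path, cls):
    """Type restorecon would assign to `path` of object class `cls`.
    Regexes are anchored on the whole path and the last matching entry wins;
    returns None when no entry applies."""
    result = None
    for regex, classes, type_ in entries:
        if cls in classes and re.fullmatch(regex, path):
            result = type_
    return result


def parse_te(text):
    """Return ({(target_type, class)} managed, [(target_type, class)] filetrans)
    from the subset of .te macro calls this model understands."""
    managed, filetrans = set(), []
    for raw in text.splitlines():
        m = re.match(r"(\w+)\((\w+),\s*(\w+)(?:,\s*(\w+))?\)$", raw.strip())
        if not m:
            continue                                   # single-arg or unknown call
        name, args = m.group(1), [a for a in m.groups()[1:] if a]
        if name in PATTERN_CLASSES:
            managed.add((args[2], PATTERN_CLASSES[name]))
        elif name == "files_pid_filetrans":
            filetrans.append((args[1], args[2]))
    return managed, filetrans


def check_policy(fc_text, te_text, path):
    """List the inconsistencies for an object created by a filetrans rule:
    a label restorecon would undo, or a class the domain cannot create."""
    entries = parse_fc(fc_text)
    managed, filetrans = parse_te(te_text)
    problems = []
    for type_, cls in filetrans:
        labelled = fc_label(entries, path, cls)
        if labelled != type_:
            problems.append(f"filetrans creates {path} as {cls} {type_}, "
                            f"but restorecon would relabel it to {labelled}")
        if (type_, cls) not in managed:
            problems.append(f"domain has no {cls} create access on {type_}")
    return problems


# Constructed sample inputs: the fragments quoted in the thread, plus a
# stand-in for the base /var/run entry that the fwknop entry refines.
FC_ORIGINAL = """
/var/run(/.*)?            gen_context(system_u:object_r:var_run_t,s0)
/var/run/fwknop(/.*)?  -- gen_context(system_u:object_r:fwknopd_var_run_t,s0)
"""
TE_ORIGINAL = """
files_create_var_run_dirs(fwknopd_t)
files_pid_filetrans(fwknopd_t, fwknopd_var_run_t, dir)
manage_files_pattern(fwknopd_t, fwknopd_var_run_t, fwknopd_var_run_t)
"""
FC_FIXED = FC_ORIGINAL.replace("  -- ", "    ")
TE_FIXED = TE_ORIGINAL + "manage_dirs_pattern(fwknopd_t, fwknopd_var_run_t, fwknopd_var_run_t)\n"

if __name__ == "__main__":
    for label, fc, te in (("original", FC_ORIGINAL, TE_ORIGINAL), ("fixed", FC_FIXED, TE_FIXED)):
        print(label, check_policy(fc, te, "/var/run/fwknop") or ["consistent"])
```

Running it reports two problems for the original fragment (the directory would be relabelled to var_run_t, and fwknopd_t has no `dir` create access on fwknopd_var_run_t) and none for the corrected one, which is exactly the argument made above.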