On 06/23/2011 12:27 PM, Dominick Grift wrote:
On 06/23/2011 09:21 PM, Daniel B. Thurman wrote:
>> I am trying to bring kmotion under control of SeLinux,
>> so how can I do it?
>> 1) I tried context httpd_exec_t and httpd_t, but neither seems to work,
>> so out of the zillions of options which do I use as these files are
>> apache and python programs. (See log below):
>> semanage fcontext -a -t httpd_t '/www/kmotion/www/vhosts/kmotion'
>> semanage fcontext -a -t httpd_t '/www/kmotion/www/www/cgi_bin'
>> semanage fcontext -a -t httpd_t '/www/kmotion/www/www/cgi_bin/*'
> semanage fcontext -d -t httpd_t '/www/kmotion/www/vhosts/kmotion'
> semanage fcontext -d -t httpd_t '/www/kmotion/www/www/cgi_bin'
> semanage fcontext -d -t httpd_t '/www/kmotion/www/www/cgi_bin/*'
> semanage fcontext -a -t httpd_sys_content_t "/www(/.*)?"
> semanage fcontext -a -t httpd_sys_script_exec_t "/www/kmotion/www/www/cgi_bin(/.*)?"
> restorecon -R -v -F /www
> I think that should do it
Almost worked! I also had to do:
semanage fcontext -a -t httpd_sys_content_rw_t "/www/kmotion/www/apache_logs(/.*)?"
restorecon -R -v -F /www
And I was able to start httpd running on system reboot.
However, while kmotion was running and doing things, I had to add:
semanage fcontext -a -t httpd_sys_content_rw_t "/www/kmotion/www/image_dbase(/.*)?"
semanage fcontext -a -t httpd_sys_content_rw_t "/www/kmotion/www/mutex/www_rc"
restorecon -R -v -F /www
But I ran into a tough nut to crack, setroubleshooter was complaining:
+ SELinux is preventing /usr/sbin/httpd from using potentially mislabeled files last_jpeg.
+ SELinux is preventing /usr/sbin/httpd from using potentially mislabeled files event.
These files are located in: /dev/shm/kmotion_ramdisk areas, so I added:
semanage fcontext -a -t httpd_sys_content_rw_t "/dev/shm/kmotion_ramdisk(/.*)?"
restorecon -R -v -F /dev/shm/kmotion_ramdisk/
and yet, the odd-ball here is that all the files in this directory show
context as:
restorecon reset /dev/shm/kmotion_ramdisk/01/last_jpeg context system_u:object_r:httpd_sys_rw_content_t:s0->system_u:object_r:device_t:s0
restorecon reset /dev/shm/kmotion_ramdisk/events context system_u:object_r:httpd_sys_rw_content_t:s0->system_u:object_r:device_t:s0
Look carefully ==> _rw_ <== is put into the wrong position!
I could test this using chcon and the results are the same.
Something is preventing me from properly labelling the files in
/dev/shm/kmotion_ramdisk area since _rw_ is put after 'sys'
instead of after 'content'!
I tried:
chcon -R -t httpd_sys_content_rw_t /dev/shm/kmotion_ramdisk (_rw_ is in the wrong position)
I also tried to see if I would get a different result if _rw_ were swapped:
chcon -R -t httpd_sys_rw_content_t /dev/shm/kmotion_ramdisk (_rw_ is still in the wrong position)
How do I fix this?
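Added example, not part of the thread: a small Python parser for `restorecon -v` output of the kind quoted above. In that output the context left of `->` is the label the file carried and the one on the right is what restorecon applied from the file_contexts database; the parser canonicalises `httpd_sys_content_rw_t`, which in the targeted policy is a typealias of `httpd_sys_rw_content_t` (the kernel reports the primary name), and lists paths that ended up with a type other than the intended one. The sample lines are constructed after the ones in the thread.

```python
import re

# Constructed sample of `restorecon -R -v` output, modelled on the lines quoted in the thread.
# Format: "restorecon reset PATH context OLD->NEW", where OLD is the label the file carried
# and NEW is the label restorecon applied from the file_contexts database.
SAMPLE_OUTPUT = """\
restorecon reset /dev/shm/kmotion_ramdisk/01/last_jpeg context system_u:object_r:httpd_sys_rw_content_t:s0->system_u:object_r:device_t:s0
restorecon reset /dev/shm/kmotion_ramdisk/events context system_u:object_r:httpd_sys_rw_content_t:s0->system_u:object_r:device_t:s0
restorecon reset /www/kmotion/www/apache_logs/error_log context unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:httpd_sys_rw_content_t:s0
"""

# In the targeted policy httpd_sys_content_rw_t is a typealias of httpd_sys_rw_content_t;
# the kernel always reports the primary name, so compare types after canonicalising.
TYPE_ALIASES = {"httpd_sys_content_rw_t": "httpd_sys_rw_content_t"}

LINE_RE = re.compile(r"^restorecon reset (?P<path>.+?) context (?P<old>\S+?)->(?P<new>\S+)$")


def parse_context(ctx):
    """Split user:role:type[:level] into its fields (an MLS level may itself contain ':')."""
    user, role, type_, *level = ctx.split(":")
    return {"user": user, "role": role, "type": type_, "level": ":".join(level)}


def canonical_type(t):
    return TYPE_ALIASES.get(t, t)


def parse_restorecon(output):
    """Return one dict per 'restorecon reset' line; other output (warnings, errors) is skipped."""
    events = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"path": m["path"],
                           "old": parse_context(m["old"]),
                           "new": parse_context(m["new"])})
    return events


def relabelled_away_from(events, intended_type):
    """Paths where file_contexts assigned a type other than the one the admin intended.

    A non-empty result means another fcontext rule (or none) matched the path, which is
    what to check with `matchpathcon` and `semanage fcontext -l` before relabelling again.
    """
    want = canonical_type(intended_type)
    return [e["path"] for e in events if canonical_type(e["new"]["type"]) != want]


if __name__ == "__main__":
    for p in relabelled_away_from(parse_restorecon(SAMPLE_OUTPUT), "httpd_sys_content_rw_t"):
        print("not labelled as intended:", p)
```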