Henry Zhang wrote:
Casper:
For example, I have a denied message in audit.log:
type=AVC msg=audit(1676313787.584:376): avc: denied { read write } for pid=17799
comm="run_at_daemon" path="socket:[54386]" dev="sockfs"
ino=54386 scontext=system_u:system_r:run_at_csq_daemon_t:s0
tcontext=system_u:system_r:rssi_daemon_t:s0 tclass=tcp_socket permissive=0
how to apply restorecon?
Well, this is a TCP socket... not a Unix file.
For a TCP socket, opened at boot or later, the label is always good, because
a TCP socket is not persistent.
If you think the "label" ("SELinux context" in this case) of the TCP
socket is not good, you can customize the policy of contexts applied
on opened ports with the semanage command.
For example, I allow port 18000 to have the http_port_t context on my
machine:
semanage port -a -t http_port_t -p tcp 18000
More info:
man semanage
In your message, your TCP socket got the run_at_csq_daemon_t context, but
the rssi_daemon_t context is not allowed to access, so SELinux is
blocking access (read write).
--
GnuPG: AE157E0B29F0BEF2 at
keys.openpgp.org
CA Cert:
https://dl.casperlefantom.net/pub/ssl/root.der
Jabber/XMPP Messaging: casper(a)casperlefantom.net
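
Added example, not part of the original message: a small Python parser that splits an AVC record like the one quoted above into its fields and checks whether the target class is a filesystem object that restorecon could relabel. The function names and the set of file classes are choices made for this example; the sample line is the quoted denial joined back onto one line.

```python
import re

# Constructed sample: the denial quoted in the thread, joined onto one line.
SAMPLE = ('type=AVC msg=audit(1676313787.584:376): avc: denied { read write } '
          'for pid=17799 comm="run_at_daemon" path="socket:[54386]" dev="sockfs" '
          'ino=54386 scontext=system_u:system_r:run_at_csq_daemon_t:s0 '
          'tcontext=system_u:system_r:rssi_daemon_t:s0 tclass=tcp_socket permissive=0')

# Filesystem object classes: their label is stored with the inode, so
# restorecon can reset it from the file-context configuration.
FILE_CLASSES = {"file", "dir", "lnk_file", "chr_file", "blk_file",
                "sock_file", "fifo_file"}

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+'
                    r'\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_avc(line):
    """Return the AVC record's fields as a dict, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {key: value.strip('"') for key, value in KV_RE.findall(m.group("rest"))}
    rec["result"] = m.group("result")
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type:level; the level may contain further colons.
    for side in ("scontext", "tcontext"):
        parts = rec.get(side, "").split(":", 3)
        if len(parts) >= 3:
            rec[side + "_type"] = parts[2]
    return rec


def restorecon_applies(rec):
    """True only when the denied target is a filesystem object class."""
    return rec.get("tclass") in FILE_CLASSES


if __name__ == "__main__":
    rec = parse_avc(SAMPLE)
    print(rec["scontext_type"], "->", rec["tcontext_type"],
          rec["tclass"], rec["perms"])
    print("restorecon relevant:", restorecon_applies(rec))
```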