----- Original Message -----
From: "Stephen Smalley" <sds(a)tycho.nsa.gov>
To: "Jeff Boyce" <jboyce(a)meridianenv.com>, "SELinux Fedora List" <selinux(a)lists.fedoraproject.org>
Sent: Tuesday, July 14, 2015 1:41:22 PM
Subject: Re: How to (or should I?) change unconfined_u to system_u for a file
On 07/14/2015 01:04 PM, Jeff Boyce wrote:
> Greetings -
>
> I essentially have two questions here. First, I have a file that
> needs the context changed and I don't have a clear understanding of the
> proper syntax that should be used. Second, after doing some additional
> reading through the SELinux manual and some Google searching, I realized
> that I may be taking the wrong approach with this file. Then I ran
> across Dan Walsh's blog dated April 23, 2013 (Subject: What is the
> differences between user_home_dir_t and user_home_t) and realize that I
> am likely not doing something the appropriate way. So I am looking for
> someone to educate me on my error, the risks involved, and the proper
> approach I should be using.
>
> The issue: I have two shell files run by cron that rsync our file
> server directories to two backup servers, one on-site (Bison) and one
> off-site. The on-site cron has worked fine for years. I just set up the
> off-site cron and it is blocked by SELinux. Looking at the context of
> the files, the one that works is listed as system_u, while the one that
> fails is listed as unconfined_u. So my first question is, what is the
> proper syntax for changing the context of the second file so that it
> matches the first one.
>
> [root@sequoia home]# pwd
> /home
> [root@sequoia home]# ls -lZ | grep RsyncS
> -rwxr--r--. root root system_u:object_r:home_root_t:s0 RsyncSequoiaToBison.sh
> -rwxr--r--. root root unconfined_u:object_r:home_root_t:s0 RsyncSequoiaToOffsite.sh
chcon --reference=RsyncSequoiaToBison.sh RsyncSequoiaToOffsite.sh
> Looking from a wider perspective, I have these shell files located in
> /home. I am speculating now that for my objective, this might not be
> the appropriate location for them, and is probably why SELinux is
> blocking the new one I created for the off-site backup. So my second
> question is more philosophical regarding what should be the location for
> a shell file that is used by cron to rsync our files to a backup server.
>
What AVCs do you show for the new file?
> Thanks, and please cc me directly as I only receive the daily digest
> from the mailing list.
>
> Jeff
>
--
Simon Sekidde * Red Hat, Inc. * Westford, MA
gpg: 5848 958E 73BA 04D3 7C06 F096 1BA1 2DBF 94BC 377E
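
Added example, not part of the original thread: a field-by-field comparison of the two contexts in the `ls -lZ` listing quoted above, showing which part of the label `chcon --reference` would actually change. The helper names (`ctx_from_ls`, `ctx_field`, `ctx_diff`) are hypothetical; it only reports label differences, and the denial itself is recorded in the AVC messages asked about in the reply.

```shell
#!/bin/sh
# Added example: compare two SELinux contexts field by field (POSIX sh).
# Function names are illustrative, not from any SELinux tool.

# Pull the context column out of one `ls -lZ` line: the first token of the
# form user:role:type:level.
ctx_from_ls() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[^:]+:[^:]+:[^:]+:.+$/) { print $i; exit }
    }'
}

# Return one field of a context. Only the first three colons separate fields;
# the level can contain colons itself (for example s0-s0:c0.c1023).
ctx_field() {
    rest=$1
    u=${rest%%:*}; rest=${rest#*:}
    r=${rest%%:*}; rest=${rest#*:}
    t=${rest%%:*}; l=${rest#*:}
    case $2 in
        user) echo "$u" ;; role) echo "$r" ;;
        type) echo "$t" ;; level) echo "$l" ;;
    esac
}

# Print the names of the fields in which two contexts differ.
ctx_diff() {
    out=
    for f in user role type level; do
        [ "$(ctx_field "$1" "$f")" = "$(ctx_field "$2" "$f")" ] || out="$out $f"
    done
    echo "${out# }"
}

# The two listings from the post, each rejoined onto one line.
working='-rwxr--r--. root root system_u:object_r:home_root_t:s0 RsyncSequoiaToBison.sh'
failing='-rwxr--r--. root root unconfined_u:object_r:home_root_t:s0 RsyncSequoiaToOffsite.sh'

echo "differs in: $(ctx_diff "$(ctx_from_ls "$working")" "$(ctx_from_ls "$failing")")"
```

For the listing in the post, the only differing field is the SELinux user; role, type (`home_root_t`) and level are identical on both files.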