On Tuesday 21 April 2009 13:25:52 you wrote:
> On 04/21/2009 07:31 AM, Tony Molloy wrote:
> > Hi,
> >
> > If I have a top level non default directory say for argument called
> > /data. This directory contains various scripts and text files which
> > should be available to everyone. Now when I do an install it gets the
> > default SELinux context file_t. But this generates lots of AVCs if I set
> > SELinux to enforcing. What should I label this directory as?
> >
> > Regards,
> >
> > Tony
> You should never get a file/directory labeled file_t. These should only
> be able to be created on machines without SELinux. file_t means no
> label at all. If you run restorecon on /data it will get assigned
> default_t.
> restorecon -R -v /data
These were old partitions left over from previous installs. The restorecon
changed them to default_t. So that worked.
> This label should be available to the unconfined user and not available
> to any confined domain. That will probably fix most of your AVCs. If
> you wanted to label it like a home directory you could set its labeling
> to user_home_t.
> # semanage fcontext -a -t user_home_t '/data(/.*)?'
> # restorecon -R -v /data
> This would allow all confined domains that have access to the home
> directory access to these files. If you want to give access to apache,
> you might need to assign a different context.
The situation is I have a partition on all my servers called /archive which
survives re-installs.
This contains several directories, e.g.
/archive/extra-software for extra software to be installed on the server
after a re-install
/archive/gpg-keys the gpg-keys to be installed
/archive/server-config-script A script to be run after an install to
configure the server
Now this script needs to be able to write to /archive to log what it did.
So I was wondering if there was a context which should be used for this type
of situation. I suppose I could label it as a home directory.
Thanks,
Tony
--
Dept. of Comp. Sci.
University of Limerick.
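An added example, not from the thread or from either poster: a small POSIX shell audit that finds the file_t and default_t entries Dan describes under a directory like Tony's /archive and prints the persistent semanage/restorecon fix that survives a reinstall. The function names context_type, needs_relabel, audit_labels and fix_commands are mine, and the sample input is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit SELinux types under a
# non-default top-level directory and print the persistent fix.
# Input lines are "<context> <path>", as produced on a real host by e.g.
#   find /archive -printf '%Z %p\n'
# (GNU find built with SELinux support). The sample below is constructed.

# Type field of a context "user:role:type:level".
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# file_t means no label at all, default_t is the fallback after a
# restorecon with no matching rule; neither is usable by confined domains.
needs_relabel() {
    case "$(context_type "$1")" in
        file_t|unlabeled_t|default_t) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "<type> <path>" for every stdin line whose type needs relabeling.
audit_labels() {
    while read -r ctx path; do
        if needs_relabel "$ctx"; then
            printf '%s %s\n' "$(context_type "$ctx")" "$path"
        fi
    done
}

# Emit the persistent fix: record the rule in the local policy (so it
# survives reinstalls and full relabels), then apply it. user_home_t is
# the type Dan suggests; pass another type as $2 if e.g. httpd needs access.
# If a rule for the path already exists, use "semanage fcontext -m" instead.
fix_commands() {
    dir=$1; seltype=${2:-user_home_t}
    printf "semanage fcontext -a -t %s '%s(/.*)?'\n" "$seltype" "$dir"
    printf 'restorecon -R -v %s\n' "$dir"
}

# Constructed sample: a leftover partition after a reinstall.
SAMPLE='system_u:object_r:file_t:s0 /archive
system_u:object_r:file_t:s0 /archive/server-config-script
unconfined_u:object_r:user_home_t:s0 /archive/gpg-keys
system_u:object_r:default_t:s0 /archive/extra-software'

printf '%s\n' "$SAMPLE" | audit_labels
fix_commands /archive
```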