Hi,

Upgraded FC1->FC2, installed selinux later, running in permissive mode, debugging 'avc: denied' messages. Matlab's license manager, called from an init script, writes files in /var/tmp and checks them periodically, including inside a subdirectory /var/tmp/.flexlm, which it creates if necessary. The init script, provided in the Matlab distro, asks you in comments to change the user it runs under to an ordinary user, and the initrc_su_t transition works fine for file creation in /var/tmp, as long as you don't have vestigial files and directories there from before the selinux relabeling. I noticed also that other leftovers from rpm build processes were there, still unlabelled after the move to selinux.

I'm wondering if I missed something, or would it be a good idea to have 'fixfiles relabel' flush /var/tmp in the same way it does /tmp.
Chris
On Sun, 6 Jun 2004 04:56, chris albert christopher.albert@mcgill.ca wrote:
> I'm wondering if I missed something, or would it be a good idea to have 'fixfiles relabel' flush /var/tmp in the same way it does /tmp.

It would probably be a good idea, although /var/tmp is used for more persistent data than /tmp and there would be more risk of something that is considered important getting lost.
I wonder what happens if a regular user creates the matlab directory under /var/tmp as mode 777...
Russell Coker wrote:
> I wonder what happens if a regular user creates the matlab directory under /var/tmp as mode 777...
I can su to root, stop the license manager, create the /var/tmp/.flexlm directory as an ordinary user at 777 and then restart the license manager without any selinux errors. It seems that it was just this unlabeled directory after the selinux initialization in /var/tmp/ that was generating avc errors, both for the matlab operations which created and read files in this directory, as well as for tmpwatch.
Chris
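A pre-start check for the case discussed in this thread, a /var/tmp/.flexlm that already exists before the license manager starts. It is an added example, not part of any message above or of the Matlab init script. The function name `check_state_dir` and its return codes are hypothetical, and the expected owner is passed as a numeric uid.

```shell
#!/bin/sh
# Added example: refuse to start a daemon on a pre-existing state directory
# that someone else could have planted under /var/tmp.
#
# check_state_dir DIR UID
#   0 = absent, or a real directory owned by UID and not group/world-writable
#   1 = exists but is not a real directory (symlink, plain file, ...)
#   2 = directory owned by a different uid
#   3 = directory is group- or world-writable
#
# Typical use from an init script (user name is an assumption):
#   check_state_dir /var/tmp/.flexlm "$(id -u matlabuser)" || exit 1
check_state_dir() {
    dir=$1
    uid=$2

    # Nothing at the path, not even a dangling symlink: the daemon
    # will create the directory itself with its own ownership.
    if [ ! -e "$dir" ] && [ ! -L "$dir" ]; then
        return 0
    fi

    # A symlink or plain file at this path redirects or breaks the
    # daemon's writes, so treat it as a failure.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        return 1
    fi

    # find prints the path only when the test matches; -prune keeps it
    # from descending into the directory.
    if [ -z "$(find "$dir" -prune -user "$uid" -print)" ]; then
        return 2
    fi
    if [ -n "$(find "$dir" -prune \( -perm -0020 -o -perm -0002 \) -print)" ]; then
        return 3
    fi
    return 0
}
```

This checks only ownership and mode; whether the directory carries a proper SELinux label is a separate question.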