Advice needed for packaging local SELinux policy
John Florian
john.florian at dart.biz
Tue Jul 22 17:42:38 UTC 2014
I have a locally maintained package for private use that among other things constrains proliferation of files in the following directory:
# ls -lZd /var/lib/puppet/reports/
drwxr-x---. puppet puppet system_u:object_r:puppet_var_lib_t:s0 /var/lib/puppet/reports/
My rpm contains a script that uses the tmpwatch tool to do some of the work and is called by cron and run as the puppet user. Using the standard selinux-policy-targeted, I get this AVC (and perhaps others):
type=AVC msg=audit(1405588621.722:37432): avc: denied { read } for pid=15113 comm="tmpwatch" name="puppet" dev="vda3" ino=260273 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
I could change the job to run as root and am familiar with using audit2allow to make a local policy exception. However, I'd like to resolve the issue via my rpm directly. I've not been successful in finding any guidelines on how best to approach that task. Do I package a bit of SEL policy, or is there a way to have my script run with the puppet_var_lib_t context?
--
John Florian
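One way to take the first option raised in the question (ship a policy module inside the rpm rather than try to run the script in another context), as an added example that is not from this thread or the poster's package: a spec that compiles a small module with checkmodule and semodule_package at build time and loads it with semodule on install. The package, script and module names are assumptions, and the module covers only the single AVC quoted above; tmpwatch will very likely trigger further denials (search, getattr, unlink on the files) that would each need their own rule after another audit2allow pass.

```spec
%global modulename puppet_report_cleanup
Name:           %{modulename}
Version:        1.0
Release:        1%{?dist}
Summary:        Prune /var/lib/puppet/reports with tmpwatch, plus its SELinux module
License:        MIT
BuildArch:      noarch
# Assumed: the cron-driven tmpwatch wrapper script already in the poster's package
Source0:        %{modulename}.sh
BuildRequires:  checkpolicy policycoreutils
Requires:       tmpwatch policycoreutils
Requires(post): policycoreutils
Requires(postun): policycoreutils
%description
Cron-driven cleanup of Puppet reports and the local SELinux policy it needs.

%prep
%setup -c -T
# Written inline only to keep the example self-contained; normally ship it as a Source.
cat > %{modulename}.te <<'EOF'
module puppet_report_cleanup 1.0;
require {
    type tmpreaper_t;
    type puppet_var_lib_t;
    class dir { read };
}
# Exactly the access the quoted AVC denied: tmpreaper_t reading the reports dir
allow tmpreaper_t puppet_var_lib_t:dir { read };
EOF

%build
checkmodule -M -m -o %{modulename}.mod %{modulename}.te
semodule_package -o %{modulename}.pp -m %{modulename}.mod

%install
install -D -m 0644 %{modulename}.pp %{buildroot}%{_datadir}/selinux/packages/%{modulename}.pp
install -D -m 0755 %{SOURCE0} %{buildroot}%{_libexecdir}/%{modulename}

%post
semodule -i %{_datadir}/selinux/packages/%{modulename}.pp 2>/dev/null || :

%postun
# $1 is 0 on erase and 1 on upgrade: unload the module only on a real uninstall
if [ $1 -eq 0 ]; then
    semodule -r %{modulename} 2>/dev/null || :
fi

%files
%{_datadir}/selinux/packages/%{modulename}.pp
%{_libexecdir}/%{modulename}
```

After installing, `semodule -l | grep puppet_report_cleanup` confirms the module is loaded, and a fresh run of the cron job with `ausearch -m avc -c tmpwatch` shows whether any further denials remain.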