Advice needed for packaging local SELinux policy

Daniel J Walsh dwalsh at redhat.com
Tue Jul 22 18:11:35 UTC 2014


On 07/22/2014 01:42 PM, John Florian wrote:
>
> I have a locally maintained package for private use that among other
> things constrains proliferation of files in the following directory:
>
> # ls -lZd /var/lib/puppet/reports/
> drwxr-x---. puppet puppet system_u:object_r:puppet_var_lib_t:s0 /var/lib/puppet/reports/
>
> My rpm contains a script that uses the tmpwatch tool to do some of the
> work and is called by cron and run as the puppet user.  Using the
> standard selinux-policy-targeted, I get this AVC (and perhaps others):
>
> type=AVC msg=audit(1405588621.722:37432): avc:  denied  { read } for
> pid=15113 comm="tmpwatch" name="puppet" dev="vda3" ino=260273
> scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
>
> I could change the job to run as root and am familiar with using
> audit2allow to make a local policy exception.  However, I’d like to
> resolve the issue via my rpm directly.  I’ve not been successful in
> finding any guidelines in how to best approach that task.  Do I
> package a bit of SEL policy or is there a way to have my script run
> with the puppet_var_lib_t context?
>
> --
> John Florian
>
Then you should add a custom policy to allow tmpreaper_t to manage
puppet_var_lib_t.
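A worked example of what that suggestion looks like in practice, added here and not taken from the thread or from either poster: a small Type Enforcement module that grants tmpreaper_t the directory and file permissions tmpwatch needs on puppet_var_lib_t, the commands that compile it into a .pp, and the RPM scriptlets that would install and remove it. The module name puppet_reports_tmpwatch, the exact permission sets and the spec fragment are my assumptions; only the two type names and the denied { read } on tclass=dir come from the AVC quoted in the question.

```shell
#!/bin/sh
# Added example: build and ship a local SELinux policy module for the
# tmpreaper_t -> puppet_var_lib_t denial above. Not code from the thread.
# Module name and permission sets are assumptions to be checked against
# the AVCs your own run of the job produces.

MODULE=puppet_reports_tmpwatch   # assumed module name

# Emit the Type Enforcement source (.te) for the module on stdout.
# A raw .te built with checkmodule cannot use refpolicy macros such as
# manage_dir_perms, so every class/permission used must appear in require.
policy_te() {
    cat <<'EOF'
module puppet_reports_tmpwatch 1.0;

require {
    type tmpreaper_t;
    type puppet_var_lib_t;
    class dir { read getattr open search write remove_name rmdir };
    class file { getattr unlink };
}

# tmpwatch lists the reports tree (the denied { read } on the dir is the
# first of these), then unlinks expired files and removes emptied dirs.
allow tmpreaper_t puppet_var_lib_t:dir { read getattr open search write remove_name rmdir };
allow tmpreaper_t puppet_var_lib_t:file { getattr unlink };
EOF
}

# Compile .te -> .mod -> .pp in the given work dir
# (needs checkpolicy and policycoreutils installed).
build_module() {   # $1 = work dir
    policy_te > "$1/$MODULE.te"
    checkmodule -M -m -o "$1/$MODULE.mod" "$1/$MODULE.te"
    semodule_package -o "$1/$MODULE.pp" -m "$1/$MODULE.mod"
}

# What the package scriptlets run on the target host (as root).
install_module() { semodule -i "$1/$MODULE.pp"; }   # $1 = dir holding the .pp
remove_module()  { semodule -r "$MODULE"; }

# RPM side (assumed layout, following the usual Fedora pattern): put the
# .pp under %{_datadir}/selinux/packages/%{name}/ in %install, then
#   Requires(post): policycoreutils
#   %post
#   semodule -i %{_datadir}/selinux/packages/%{name}/puppet_reports_tmpwatch.pp || :
#   %postun
#   if [ $1 -eq 0 ]; then semodule -r puppet_reports_tmpwatch || : ; fi
# so the module is loaded on install and dropped only on real erase, not upgrade.

# Usage: sh thisfile.sh build /path/to/workdir
if [ "${1:-}" = build ]; then
    build_module "${2:-.}" && echo "built ${2:-.}/$MODULE.pp"
fi
```

Two caveats a practitioner should keep in mind. The AVC in the question is only the first denial that job will hit; to see the whole set, put the domain in permissive mode (`semanage permissive -a tmpreaper_t`), run the cron job once, read the results with `ausearch -m avc -ts recent | audit2allow`, then `semanage permissive -d tmpreaper_t` and trim the allow rules to what was actually needed. And because the rule is written against tmpreaper_t, it applies to every tmpwatch invocation on the host, not just this package's cron job, so keep the permission list as narrow as the job allows rather than granting a full manage set.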