Re: SElinux concerning symlink?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Stuart Sears wrote:
Todd Denniston wrote:
Stuart

Thanks for the recipe.

you're welcome

if /rootlockeddown/ is on NFS, would the following command do part of
what is needed? (yet more complexity, but then we do have a real world
to live in :)
   setsebool -P use_nfs_home_dirs=1

seems that it might. It basically treats nfs_t the same as user_home_t

/me smiles inwardly at the idea of NFS being described as "locked down"
at all.



There is a project ongoing to bring MAC to NFS.

http://selinuxproject.org/page/Labeled_NFS

Dan Walsh's live journal is a good source of information.

http://danwalsh.livejournal.com/

In particular here is the bit from his journal that deals with semanage:

Thursday, July 3rd, 2008(taken from Dan Walsh's live journal)
2:18 pm 	
File Context problems.
If you want to move files to directories that the current policy does not know about you should use the semanage command to tell the system what to label these files.


# semanage fcontext -a -t httpd_sys_script_exec_t '/myweb/cgi(/.*)?'
# restorecon -R -v /myweb/cgi

Semanage is a good tool for this, since it sets up the machine to permanently label these directories with this context. If the machine is later relabeled, this directory will continue to be labeled correctly. system-config-selinux also has a graphical mechanism to do this.

Note:
This is preferred over using chcon, since chcon might not survive a relabel.

If you do this labeling and the policy is updated later on with the same or slightly different context, you can have problems. I have also seen packages shipping with semanage commands in their post install to set the file context.

You can end up seeing statements like:

/etc/selinux/targeted/contexts/files/file_contexts: Multiple
different specifications for /var/lib/awstats(/.*)?
(system_u:object_r:httpd_sys_script_rw_t:s0 and
system_u:object_r:awstats_var_lib_t:s0).
/etc/selinux/targeted/contexts/files/file_contexts: Multiple
different specifications for /usr/share/awstats/wwwroot/cgi-
bin(/.*)?  (system_u:object_r:httpd_sys_script_exec_t:s0 and
system_u:object_r:httpd_awstats_script_exec_t:s0).

When restorecon, rpm, matchpathcon, setfiles or any other tools that reads the systems file context sees a conflict they put out this message.

You can remove the conflict by using semange

# semanage fcontext -d '/var/lib/awstats(/.*)?'

One handy qualifier available at least in semanage on Fedora 9

# semanage fcontext -l -C
SELinux fcontext type Context

/etc/glpi(/.*)? all files system_u:object_r:httpd_sys_script_rw_t:s0 /var/log/glpi(/.*)? all files system_u:object_r:httpd_sys_script_rw_t:s0 /var/lib/glpi(/.*)? all files system_u:object_r:httpd_sys_script_rw_t:s0 /dev/mapper/Volumes-OldWindowsBackup all files system_u:object_r:virt_image_t:s0

This command lists all the local customizations that have been made to your system. This shows that on my system the glpi program must have setup special labeling and I labeled an virtual image in /dev/mapper.

You can see similar functionality in system-config-selinux by selecting the "File Labeling" list item and then clicking on the "Customized" button.


End excerpt.

Later,

Max

--
Fortune favors the BOLD

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux