Hello All, As it's my first post here, I want to say I'm glad this list exists as I'm pretty sure there are folks who can point me in the right directions, as needed... I've been using unix since the 1970s, so I'm pretty familliar with it, and I've been using Linux - and Red-Hat / Fedora since their early days, too, so in general terms, I'm no novice. However, I've been ignoring SELINUX. When I first tried it, it was a huge disaster and I haven't given it another look, but the time has finally come, primarily because I simply _must_ resolve a problem I strongly suspect is caused by SELINUX, and secondarily because I've got a system that runs on just about everything _but_ selinux and provides compute server (think "grid computing") and sophisticated archival services, and it's to the point where it's time that it work on SELINUX systems, too. So, the more immediate problem: On a Fedora host, a "C" based program that launches all the server functionality (including archiving) has its suid bit set (and gid, too) so it runs as the server installation's owner. It's actually pretty smart by validating its environment hasn't been hacked, etc, and then gets to business. This code has somehow broken during a couple of upgrades of Fedora - I didn't notice it at first because as the developer, I always run it as the development installation's owner and as a fluke apparently others haven't experienced this problem or haven't reported it. Recently, however, someone else went to play with it and it refused. Some simple checks indicated that the SUID bit wasn't being honored. The system has SELINUX installed but disabled - the kernel is 2.6.21-1.3194.fc7. It's trivially easy to prove the suid bit is ignored but _why?_ ...There's no known (to me!) reason this should fail! Any pointers GREATLY appreciated. The less immediate issue is really a quest for pointers to the most appropriate source packages so I can see how other programs solve similar SELINUX related issues. Ideally, this code can both archive and restore any file on the system. In addition, it currently - ignoring SELINUX for a moment - tracks all meta-data changes - ownership and permissions, the various dates associated with a file, etc, in addition to file data, so it has the handy trait of both providing an audit trail and an ability to restore data or meta-data as needed. As such it needs to be able to discover what the security context details are so it can record them, in addition to the obvious need to update SELINUX security details on a per file basis.... I don't even know how to do that from the command line, much less write a program to do it! ...However, I'm sure somewhere these things have been already addressed, such as with tar, etc. Please point me to what you think are appropriate models / code that can be examined, etc. And, if there's a well written tutorial intended for people who are already "up to speed" on everything but SELINUX, it would be greatly appreciated. Thank you, Richard -- Richard Troy, Chief Scientist Science Tools Corporation 510-717-6942 rtroy@xxxxxxxxxxxxxxxx, http://ScienceTools.com/ -- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
