On Mon, 2009-02-09 at 09:22 -0500, Steve wrote:
> type=AVC msg=audit(1233933351.918:23): avc: denied { write } for
> pid=3311 comm="dhclient" path="/var/log/dhclient.log" dev=dm-0
> ino=49873259 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:var_log_t:s0 tclass=file

There are some ways to do this, one of which you already mentioned:

setenforce 0/1

Another way is "permissive domains":

semanage permissive -a/-d dhcpc_t

Yet another way to allow *this explicit* access is to let audit2allow
create a quick policy and install that:

echo 'type=AVC msg=audit(1233933351.918:23): avc: denied { write } for pid=3311 comm="dhclient" path="/var/log/dhclient.log" dev=dm-0 ino=49873259 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file' | audit2allow -M mydhcpc
sudo semodule -i mydhcpc.pp    # to remove: sudo semodule -r mydhcpc

And the *proper* way to allow this is to create a custom module for this
access:

mkdir ~/mydhcpc
cd ~/mydhcpc
# type enforcement file: a dedicated log type for dhclient
echo "policy_module(mydhcpc, 0.0.1)" > mydhcpc.te
echo "require { type dhcpc_t; }" >> mydhcpc.te
echo "type dhcpc_var_log_t;" >> mydhcpc.te
echo "logging_log_file(dhcpc_var_log_t)" >> mydhcpc.te
echo "allow dhcpc_t dhcpc_var_log_t:file manage_file_perms;" >> mydhcpc.te
echo "logging_log_filetrans(dhcpc_t, dhcpc_var_log_t, file)" >> mydhcpc.te
# file context file: label the log file with the new type
echo "/var/log/dhclient.log -- gen_context(system_u:object_r:dhcpc_var_log_t, s0)" > mydhcpc.fc
# build, install, then relabel the existing log file
make -f /usr/share/selinux/devel/Makefile
sudo semodule -i mydhcpc.pp
sudo restorecon -v /var/log/dhclient.log

(sudo semodule -r mydhcpc to uninstall)

caution: mind the line breaks.
disclaimer: examples may have syntax errors or typos.

hth, Dominick

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
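
Added example, not part of the original message and not audit2allow's own code: a small Python parser that turns the quoted AVC denial into the allow rule matching it, and flags when the target type is a generic one, which is why the quick rule reaches further than the dedicated dhcpc_var_log_t type. The GENERIC_TYPES set and all function names are assumptions made for this illustration.

```python
import re

# Constructed sample: the denial quoted in the message, joined onto one line.
SAMPLE = ('type=AVC msg=audit(1233933351.918:23): avc: denied { write } for '
          'pid=3311 comm="dhclient" path="/var/log/dhclient.log" dev=dm-0 '
          'ino=49873259 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 '
          'tcontext=system_u:object_r:var_log_t:s0 tclass=file')

# Assumption for this example: types shared by many unrelated files, so a
# rule written against them covers far more than one log file.
GENERIC_TYPES = {"var_log_t", "var_t", "tmp_t", "etc_t", "usr_t"}

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def context_type(context):
    """Return the type field of user:role:type[:mls-range].

    The MLS range can itself contain colons (s0-s0:c0.c1023), so split at
    most three times rather than taking the last field.
    """
    parts = context.split(":", 3)
    if len(parts) < 3:
        raise ValueError("not a security context: %r" % context)
    return parts[2]

def parse_avc(line):
    """Parse one AVC record into a dict; raise ValueError if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("no AVC message in line")
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(3))}
    missing = [k for k in ("scontext", "tcontext", "tclass") if k not in fields]
    if missing:
        raise ValueError("missing fields: " + ", ".join(missing))
    fields["perms"] = m.group(2).split()
    return fields

def quick_rule(avc):
    """Return (allow rule for this exact access, True if target is generic)."""
    source = context_type(avc["scontext"])
    target = context_type(avc["tcontext"])
    perms = avc["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    rule = "allow %s %s:%s %s;" % (source, target, avc["tclass"], perm_str)
    return rule, target in GENERIC_TYPES

if __name__ == "__main__":
    rule, broad = quick_rule(parse_avc(SAMPLE))
    print(rule + ("  # generic target type" if broad else ""))
```

For the quoted denial the rule targets var_log_t, the label carried by ordinary files under /var/log, so it would let dhcpc_t write to any of them.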