On 06/23/2011 12:27 PM, Dominick Grift wrote:
> On 06/23/2011 09:21 PM, Daniel B. Thurman wrote:
> >
> > I am trying to bring kmotion under control of SELinux,
> > so how can I do it?
> >
> > 1) I tried context httpd_exec_t and httpd_t, but neither seems to work,
> > so out of the zillions of options which do I use as these files are
> > apache and python programs. (See log below):
> >
> > semanage fcontext -a -t httpd_t '/www/kmotion/www/vhosts/kmotion'
> > semanage fcontext -a -t httpd_t '/www/kmotion/www/www/cgi_bin'
> > semanage fcontext -a -t httpd_t '/www/kmotion/www/www/cgi_bin/*'
> >
>
> semanage fcontext -d -t httpd_t '/www/kmotion/www/vhosts/kmotion'
> semanage fcontext -d -t httpd_t '/www/kmotion/www/www/cgi_bin'
> semanage fcontext -d -t httpd_t '/www/kmotion/www/www/cgi_bin/*'
>
> semanage fcontext -a -t httpd_sys_content_t "/www(/.*)?"
> semanage fcontext -a -t httpd_sys_script_exec_t "/www/kmotion/www/www/cgi_bin(/.*)?"
>
> restorecon -R -v -F /www
>
> I think that should do it

Almost worked! I had to add:

semanage fcontext -a -t httpd_sys_content_rw_t "/www/kmotion/www/apache_logs(/.*)?"
restorecon -R -v -F /www

And I was able to start httpd running on system reboot.

However, while kmotion was running and doing things, I had to add:

semanage fcontext -a -t httpd_sys_content_rw_t "/www/kmotion/www/image_dbase(/.*)?"
semanage fcontext -a -t httpd_sys_content_rw_t "/www/kmotion/www/mutex/www_rc"
restorecon -R -v -F /www

But I ran into a tough nut to crack, setroubleshooter was complaining:

+ SELinux is preventing /usr/sbin/httpd from using potentially mislabeled files last_jpeg.
+ SELinux is preventing /usr/sbin/httpd from using potentially mislabeled files event.

These files are located in: /dev/shm/kmotion_ramdisk areas, so I added:

semanage fcontext -a -t httpd_sys_content_rw_t "/dev/shm/kmotion_ramdisk(/.*)?"
restorecon -R -v -F /dev/shm/kmotion_ramdisk/

and yet, the odd-ball here is that all the files in this directory show context as:

restorecon reset /dev/shm/kmotion_ramdisk/01/last_jpeg context system_u:object_r:httpd_sys_rw_content_t:s0->system_u:object_r:device_t:s0
restorecon reset /dev/shm/kmotion_ramdisk/events context system_u:object_r:httpd_sys_rw_content_t:s0->system_u:object_r:device_t:s0

Look carefully ==> _rw_ <== is put into the wrong position!

I could test this using chcon and the results are the same. Something is
preventing me from properly labelling the files in /dev/shm/kmotion_ramdisk
area since _rw_ is put after 'sys' instead of after 'content'!

I tried:

chcon -R -t httpd_sys_content_rw_t /dev/shm/kmotion_ramdisk
(_rw_ is in the wrong position)

I also tried to see if I get a different result as if _rw_ would be swapped:

chcon -R -t httpd_sys_rw_content_t /dev/shm/kmotion_ramdisk
(_rw_ is still in the wrong position)

How do I fix this?

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
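
A way to read the `restorecon -v` output quoted in the message above, as an added example that is not part of the original post: each `reset` line records the label a file carried and the label restorecon applied (`OLD->NEW`), and the script flags every file whose applied type is not the one wanted. The function names `sample_log`, `relabel_report` and `count_mismatches` and the third sample line are constructed for illustration; the wanted type is the name as printed in the quoted output.

```shell
#!/bin/sh
# Sample input: the two "restorecon reset" lines quoted in the message,
# plus a third, constructed line showing a relabel that ends on the wanted type.
sample_log() {
cat <<'EOF'
restorecon reset /dev/shm/kmotion_ramdisk/01/last_jpeg context system_u:object_r:httpd_sys_rw_content_t:s0->system_u:object_r:device_t:s0
restorecon reset /dev/shm/kmotion_ramdisk/events context system_u:object_r:httpd_sys_rw_content_t:s0->system_u:object_r:device_t:s0
restorecon reset /www/kmotion/www/image_dbase/x context system_u:object_r:default_t:s0->system_u:object_r:httpd_sys_rw_content_t:s0
EOF
}

# relabel_report WANTED_TYPE
# Reads `restorecon -v` output on stdin and prints, per "reset" line:
#   STATUS PATH OLD_TYPE NEW_TYPE
# STATUS is OK when the type restorecon applied equals WANTED_TYPE,
# MISMATCH otherwise (the file_contexts lookup chose a different type).
relabel_report() {
    awk -v want="$1" '
    $1 == "restorecon" && $2 == "reset" && $(NF-1) == "context" {
        # Layout: restorecon reset PATH context OLD->NEW
        # PATH may contain spaces, so rebuild it from fields 3..NF-2.
        path = $3
        for (i = 4; i <= NF - 2; i++) path = path " " $i
        if (split($NF, ctx, "->") != 2) next
        # A context is user:role:type:level; the type is the third field
        # even when the level itself contains colons (s0:c0.c1023).
        split(ctx[1], o, ":")
        split(ctx[2], n, ":")
        status = (n[3] == want) ? "OK" : "MISMATCH"
        print status, path, o[3], n[3]
    }'
}

# count_mismatches WANTED_TYPE: number of MISMATCH rows for stdin.
count_mismatches() {
    relabel_report "$1" | awk '$1 == "MISMATCH" { c++ } END { print c + 0 }'
}

# Stand-alone run over the sample; on a live system pipe
# `restorecon -R -v -F <dir>` into relabel_report instead.
sample_log | relabel_report httpd_sys_rw_content_t
```

A MISMATCH row means the relabel itself moved the file away from the wanted type, so the rule that matched that path is the thing to inspect rather than the file.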