On Fri, 2013-02-08 at 12:58 +0100, Miroslav Grepl wrote:
> On 02/08/2013 12:53 PM, Dominick Grift wrote:
> > On Fri, 2013-02-08 at 10:55 +0000, Clive Hills wrote:
> >
> >> which I find confusing as it makes no reference to the /usr/realman or
> >> for that matter /usr directories.
> >>
> >> Please advise what I need to do to have it writable by this
> >> application (which is closed source, to which I have no access).
> >>
> >> Many thanks
> >> Clive
> >>
> > In this case, if I really wanted this app, I would just let useradd
> > create that dir once (e.g. run the app in permissive mode the first time
> > so that it can create the dir: setenforce 0; "run the app"; setenforce 1).
> >
> > Basically this should not be allowed for useradd_t in policy. The /usr
> > directory is not for user home directories. A more appropriate location
> > would probably be /var/lib/realman.
> >
> > But once the directory is there then SELinux should probably no longer
> > have a problem, at least until you remove the app (then userdel will
> > probably be trying to remove it and be denied).
> >
> > Actually this is something to consider for the SELinux devs in the
> > future: I do not see a need to run useradd with a domain transition. It
> > only causes issues like these for unconfined users.
>
> Dominick,
> do you run without this transition on your system? Basically we want to
> move some transitions in F19 from unconfined_t.

Nope, but in theory it could maybe work. Just let unconfined_t type
transition to user_home_dir_t on home_root_t dirs. Otherwise just inherit
the type of the parent. There should only be homedirs in /home, with the
exception of lost+found, which we can define a named file transition for.
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
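The following shell script is an added example and is not part of the thread or of the Fedora policy. It does two things a practitioner would want before applying Dominick's "setenforce 0; run the app; setenforce 1" advice: it reads the relevant fields out of an AVC denial record to confirm that the denial really is useradd_t being refused a directory outside the home root (the audit line used here is constructed to match the case Clive describes, with made-up pid, inode and timestamp, and the classification rule is my own heuristic rather than anything from the policy), and it wraps the permissive-mode run so that enforcing mode is restored even if the application fails or is interrupted.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.  Parses an SELinux AVC
# denial from the audit log and applies the "permissive for one command"
# workaround without the risk of leaving the machine in permissive mode.

# Constructed sample denial modelled on the thread's case: useradd (running
# in useradd_t) wants to create a directory under /usr (usr_t).  The pid,
# dev, ino and timestamp are invented for illustration.
SAMPLE_AVC='type=AVC msg=audit(1360324500.123:456): avc:  denied  { write } for  pid=1234 comm="useradd" name="usr" dev="dm-0" ino=2 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir'

# avc_field LINE KEY -> value of "KEY=..." in the record, quotes stripped
# ("" if the key is absent).  Keys are matched after whitespace so that
# "tcontext" does not match inside "scontext".
avc_field() {
    printf '%s\n' "$1" |
        sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# avc_type CONTEXT -> the type component of user:role:type[:range]
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perms LINE -> the denied permission set between the braces
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\(.*[^ ]\) *}.*/\1/p'
}

# classify_denial LINE -> one of:
#   useradd-outside-home : useradd_t denied on a dir whose type is neither
#                          home_root_t nor user_home_dir_t (the thread's case)
#   useradd-other        : some other denial for useradd_t
#   other                : not a useradd_t denial at all
# This is a heuristic written for this example, not a rule from the policy.
classify_denial() {
    line=$1
    sdom=$(avc_type "$(avc_field "$line" scontext)")
    ttype=$(avc_type "$(avc_field "$line" tcontext)")
    tclass=$(avc_field "$line" tclass)
    if [ "$sdom" != useradd_t ]; then
        echo other
        return 0
    fi
    if [ "$tclass" = dir ] && [ "$ttype" != home_root_t ] &&
       [ "$ttype" != user_home_dir_t ]; then
        echo useradd-outside-home
        return 0
    fi
    echo useradd-other
}

# run_permissive CMD [ARGS...] : Dominick's workaround, made safer.  Enforcing
# mode is put back even if CMD fails or the shell is interrupted, and CMD's
# own exit status is returned.  Requires root and an enforcing system.
run_permissive() {
    if [ "$(getenforce 2>/dev/null)" != Enforcing ]; then
        echo "run_permissive: system is not in enforcing mode, refusing" >&2
        return 2
    fi
    trap 'setenforce 1' EXIT INT TERM
    setenforce 0
    "$@"
    rc=$?
    setenforce 1
    trap - EXIT INT TERM
    return "$rc"
}

# Typical use on the affected machine (not run here):
#   ausearch -m avc -c useradd | while read -r l; do classify_denial "$l"; done
#   run_permissive /path/to/realman-installer
#   ls -Zd /usr/realman      # see what label the new directory ended up with
```

If the denial classifies as useradd-outside-home, the thread's point stands: the application is asking useradd to put a home directory under /usr, which the policy deliberately refuses, and the one-time permissive run only has to succeed once because the directory persists afterwards. A narrower alternative to the global `setenforce 0` is `semanage permissive -a useradd_t`, which puts only that one domain into permissive mode (and `semanage permissive -d useradd_t` removes it again); this is a suggestion of this example, not something from the thread.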