On Fri, 2014-01-10 at 11:13 -0500, David Hampton wrote:

> /var/run/fwknop(/.*)? -- gen_context(system_u:object_r:fwknopd_var_run_t,s0)
>
> #
> # Create (/var)/run/fwknop directory, and manage files within that
> # directory.
> #
> files_create_var_run_dirs(fwknopd_t)
> files_pid_filetrans(fwknopd_t, fwknopd_var_run_t, dir)
> manage_files_pattern(fwknopd_t, fwknopd_var_run_t, fwknopd_var_run_t)

The above does not add up:

The file context specification states: label all "single files" /var/run/fwknop and below type fwknopd_var_run_t.

That means that the /var/run/fwknop directory will be reset to var_run_t if you run restorecon on it (assuming it was created with type fwknopd_var_run_t, as your policy governs).

The related rules you added also do not add up, because your file transition rule states: make fwknopd_t create directories in var_run_t directories with type fwknopd_var_run_t.

Obviously that conflicts with the file context specification, which states that fwknopd_var_run_t only applies to files. Not to mention that fwknopd_t is not allowed to create directories with type fwknopd_var_run_t (only files). fwknopd_t is allowed to create var_run_t directories instead, but that conflicts with the filetrans rule.

So I would probably change the above to this instead:

/var/run/fwknop(/.*)? gen_context(system_u:object_r:fwknopd_var_run_t,s0)

manage_dirs_pattern(fwknopd_t, fwknopd_var_run_t, fwknopd_var_run_t)
manage_files_pattern(fwknopd_t, fwknopd_var_run_t, fwknopd_var_run_t)
files_pid_filetrans(fwknopd_t, fwknopd_var_run_t, dir)

Also do not forget to remove the permissive statement before you deploy this solution.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
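The two mismatches called out in the reply above (a file-context entry restricted to regular files with `--` while the filetrans rule creates a `dir`, and a domain granted `manage_files_pattern` but no `manage_dirs_pattern` for the type it transitions directories to) are mechanical enough to check before a module is built. The script below is an added example, not code from the thread or from the fwknop or refpolicy projects; it re-implements the reasoning of the reply as a small consistency check over `.fc` lines and refpolicy-style `.te` macro calls. The file-context class-field table (`--`, `-d`, `-l`, ...) follows the file_contexts(5) conventions, the macro-to-class table covers only the `manage_*_pattern` macros listed, and the `BROKEN_*` / `FIXED_*` inputs are constructed from the two policy snippets in the message. It models only the lines handed to it, so it does not know about the parent `/var/run(/.*)?` entry that restorecon would actually fall back to.

```python
import re

# file_contexts(5) type field -> object classes the entry labels.
# No field means every class; "--" means regular files only.
FC_CLASS_FIELD = {
    None: {"file", "dir", "lnk_file", "chr_file", "blk_file", "sock_file", "fifo_file"},
    "--": {"file"},
    "-d": {"dir"},
    "-l": {"lnk_file"},
    "-c": {"chr_file"},
    "-b": {"blk_file"},
    "-s": {"sock_file"},
    "-p": {"fifo_file"},
}

# refpolicy manage_*_pattern macro -> object class it grants create rights on
# (assumption: only these macros are modelled).
PATTERN_CLASS = {
    "manage_files_pattern": "file",
    "manage_dirs_pattern": "dir",
    "manage_lnk_files_pattern": "lnk_file",
    "manage_sock_files_pattern": "sock_file",
    "manage_fifo_files_pattern": "fifo_file",
}

FC_RE = re.compile(r"^(\S+)\s+(?:(-[-dlcbsp])\s+)?gen_context\(\s*\w+:\w+:(\w+)\s*,")
CALL_RE = re.compile(r"^(\w+)\(([^)]*)\)")


def parse_policy(fc_text, te_text):
    """Return (fc_specs, manage, filetrans) parsed from .fc and .te text.

    fc_specs : list of (path_regex, type, classes_labelled)
    manage   : set of (domain, type, class) the domain may create
    filetrans: list of (domain, type, class, macro_name)
    """
    fc_specs = []
    for line in fc_text.splitlines():
        m = FC_RE.match(line.strip())
        if m:
            fc_specs.append((m.group(1), m.group(3), FC_CLASS_FIELD[m.group(2)]))

    manage, filetrans = set(), []
    for line in te_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = CALL_RE.match(line)
        if not m:
            continue
        macro = m.group(1)
        args = [a.strip() for a in m.group(2).split(",")]
        if macro in PATTERN_CLASS and len(args) == 3:
            # manage_X_pattern(domain, dir_type, target_type): create perms on target_type
            manage.add((args[0], args[2], PATTERN_CLASS[macro]))
        elif macro.endswith("_filetrans") and len(args) >= 3:
            # <something>_filetrans(domain, new_type, class[, filename])
            filetrans.append((args[0], args[1], args[2], macro))
    return fc_specs, manage, filetrans


def check(fc_text, te_text):
    """Return a list of findings; an empty list means the snippets agree."""
    fc_specs, manage, filetrans = parse_policy(fc_text, te_text)
    findings = []
    for domain, ftype, cls, macro in filetrans:
        # 1. restorecon must agree with the transition: some fc entry has to
        #    label objects of this class with the transitioned-to type.
        if not any(t == ftype and cls in classes for _, t, classes in fc_specs):
            findings.append(
                f"{macro}: no file context labels class '{cls}' as {ftype}; "
                f"restorecon would relabel what {domain} creates")
        # 2. the domain must actually be allowed to create that class
        #    with that type, otherwise the transition can never succeed.
        if (domain, ftype, cls) not in manage:
            findings.append(
                f"{macro}: {domain} has no manage_*_pattern granting create "
                f"on class '{cls}' of type {ftype}")
    return findings


# Constructed from the original snippet quoted in the reply.
BROKEN_FC = "/var/run/fwknop(/.*)?  --  gen_context(system_u:object_r:fwknopd_var_run_t,s0)"
BROKEN_TE = """
files_create_var_run_dirs(fwknopd_t)
files_pid_filetrans(fwknopd_t, fwknopd_var_run_t, dir)
manage_files_pattern(fwknopd_t, fwknopd_var_run_t, fwknopd_var_run_t)
"""

# Constructed from the corrected snippet proposed in the reply.
FIXED_FC = "/var/run/fwknop(/.*)?  gen_context(system_u:object_r:fwknopd_var_run_t,s0)"
FIXED_TE = """
manage_dirs_pattern(fwknopd_t, fwknopd_var_run_t, fwknopd_var_run_t)
manage_files_pattern(fwknopd_t, fwknopd_var_run_t, fwknopd_var_run_t)
files_pid_filetrans(fwknopd_t, fwknopd_var_run_t, dir)
"""

if __name__ == "__main__":
    for name, fc, te in (("broken", BROKEN_FC, BROKEN_TE), ("fixed", FIXED_FC, FIXED_TE)):
        print(name, check(fc, te) or "ok")
```

Run against the original snippet it reports both problems from the reply (the `--` entry never labels a `dir` as fwknopd_var_run_t, and fwknopd_t has no create permission on fwknopd_var_run_t directories); against the corrected snippet it reports nothing. The check is deliberately narrow: it does not resolve interface macros such as files_create_var_run_dirs, and it treats each `.fc` line in isolation rather than computing the longest-match winner the way restorecon does.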