How to properly setup my domains security contexts in the domain.fc file?

I have a file context installed as follows:

# semanage fcontext -l | grep vasd

/etc/rc.d/init.d/vasd                              regular file       system_u:object_r:vasd_initrc_exec_t:s0
/opt/quest/sbin/vasd                             regular file       system_u:object_r:vasd_exec_t:s0
/var/opt/quest(/.*)?                               all files             system_u:object_r:vasd_var_t:s0
/var/opt/quest/vas/vasd(/.*)?                all files             system_u:object_r:vasd_var_auth_t:s0
/var/opt/quest/vas/vasd/.vasd.pid         regular file       system_u:object_r:vasd_var_run_t:s0

After a fresh install I see the following:

# ls -laZ /var/opt/quest/vas/vasd/
drwxr-xr-x. root root unconfined_u:object_r:vasd_var_t:s0 .
drwxr-xr-x. root root unconfined_u:object_r:vasd_var_t:s0 ..
-rw-r--r--. root root unconfined_u:object_r:vasd_var_t:s0 vas_ident.vdb
-rw-r--r--. root root unconfined_u:object_r:vasd_var_t:s0 vas_misc.vdb


Why are the files being created under /var/opt/quest/vas/vasd not being labelled correctly as vasd_var_auth_t as the fcontext states?
Is the software installer supposed to force a relabel on a post-install?

After a restart of the daemon I do not see the pid file being labelled correctly:

# /etc/init.d/vasd restart
Stopping vasd: vasd does not appear to be running.
Starting vasd:                                             [  OK  ]

# ls -laZ /var/opt/quest/vas/vasd/
drwxr-xr-x. daemon daemon unconfined_u:object_r:vasd_var_t:s0 .
drwxr-xr-x. root   root   unconfined_u:object_r:vasd_var_t:s0 ..
srwxrwxrwx. daemon daemon unconfined_u:object_r:vasd_var_t:s0 .vasd_19574
srwxrwxrwx. daemon daemon unconfined_u:object_r:vasd_var_t:s0 .vasd_19575
srwxrwxrwx. daemon daemon unconfined_u:object_r:vasd_var_t:s0 .vasd_19576
srwxrwxrwx. daemon daemon unconfined_u:object_r:vasd_var_t:s0 .vasd40_ipc_sock
-rw-r--r--. daemon daemon unconfined_u:object_r:vasd_var_t:s0 .vasd.pid
-rw-r--r--. daemon daemon unconfined_u:object_r:vasd_var_t:s0 vas_ident.vdb
-rw-r--r--. daemon daemon unconfined_u:object_r:vasd_var_t:s0 vas_misc.vdb

After forcing a relabel:

# restorecon -F -R /var/opt/quest/vas/vasd/

# ls -laZ /var/opt/quest/vas/vasd/
drwxr-xr-x. daemon daemon system_u:object_r:vasd_var_auth_t:s0 .
drwxr-xr-x. root   root   unconfined_u:object_r:vasd_var_t:s0 ..
srwxrwxrwx. daemon daemon system_u:object_r:vasd_var_auth_t:s0 .vasd_19574
srwxrwxrwx. daemon daemon system_u:object_r:vasd_var_auth_t:s0 .vasd_19575
srwxrwxrwx. daemon daemon system_u:object_r:vasd_var_auth_t:s0 .vasd_19576
srwxrwxrwx. daemon daemon system_u:object_r:vasd_var_auth_t:s0 .vasd40_ipc_sock
-rw-r--r--. daemon daemon system_u:object_r:vasd_var_auth_t:s0 .vasd.pid
-rw-r--r--. daemon daemon system_u:object_r:vasd_var_auth_t:s0 vas_ident.vdb
-rw-r--r--. daemon daemon system_u:object_r:vasd_var_auth_t:s0 vas_misc.vdb

I get the files and directory labelled correctly, but not the pid file. I can set a pid transition in the policy but then what is the point of setting a file context in the <domain>.fc for the pid file if it never gets picked up?  Apparently I am missing something important here.

Does anyone know a place for good documentation on this subject?


--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
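Worth separating the two labelling mechanisms the post runs into: a .fc entry is consulted only by the relabelling tools (restorecon, setfiles, rpm), while a file the daemon creates at run time gets its type from the kernel's type_transition rules, or simply inherits the parent directory's type when no rule matches. As an added illustration, not the vendor's policy, here is a minimal module that pairs name-based file transitions with an .fc that agrees with them. vasd_t is an assumed domain name; the other types are the ones from the semanage listing above.

```selinux
## vasd_labeling.te (added illustration; vasd_t is an assumed domain name)
policy_module(vasd_labeling, 1.0)

type vasd_t;
type vasd_exec_t;
init_daemon_domain(vasd_t, vasd_exec_t)

type vasd_initrc_exec_t;
init_script_file(vasd_initrc_exec_t)

type vasd_var_t;
files_type(vasd_var_t)
type vasd_var_auth_t;
files_type(vasd_var_auth_t)
type vasd_var_run_t;
files_pid_file(vasd_var_run_t)

# Runtime access the daemon needs to its own state, sockets and pid file.
manage_dirs_pattern(vasd_t, vasd_var_t, vasd_var_t)
manage_files_pattern(vasd_t, vasd_var_t, vasd_var_t)
manage_dirs_pattern(vasd_t, vasd_var_auth_t, vasd_var_auth_t)
manage_files_pattern(vasd_t, vasd_var_auth_t, vasd_var_auth_t)
manage_sock_files_pattern(vasd_t, vasd_var_auth_t, vasd_var_auth_t)
manage_files_pattern(vasd_t, vasd_var_run_t, vasd_var_run_t)

# Create-time labels. The kernel never reads the .fc file: a new object
# inherits its parent directory's type unless a type_transition matches,
# which is the vasd_var_t / vasd_var_auth_t inheritance seen in the post.
# A directory named "vasd" that vasd_t creates inside a vasd_var_t directory
# becomes vasd_var_auth_t; a file named ".vasd.pid" created inside a
# vasd_var_auth_t directory becomes vasd_var_run_t. The name argument needs
# named-transition support (policy version 25); a transition without the
# name would relabel every new file there, including the .vdb databases.
filetrans_pattern(vasd_t, vasd_var_t, vasd_var_auth_t, dir, "vasd")
filetrans_pattern(vasd_t, vasd_var_auth_t, vasd_var_run_t, file, ".vasd.pid")

## vasd_labeling.fc: consulted only by restorecon/setfiles/rpm at relabel time.
## Dots are escaped so each entry matches the literal name, not any character.
/etc/rc\.d/init\.d/vasd               --  gen_context(system_u:object_r:vasd_initrc_exec_t,s0)
/opt/quest/sbin/vasd                  --  gen_context(system_u:object_r:vasd_exec_t,s0)
/var/opt/quest(/.*)?                      gen_context(system_u:object_r:vasd_var_t,s0)
/var/opt/quest/vas/vasd(/.*)?             gen_context(system_u:object_r:vasd_var_auth_t,s0)
/var/opt/quest/vas/vasd/\.vasd\.pid   --  gen_context(system_u:object_r:vasd_var_run_t,s0)
```

After `semodule -i` the files already on disk still need `restorecon -RFv /var/opt/quest`, because transitions only affect objects the daemon creates afterwards. A dry run with `restorecon -nv` over the tree shows every path where the .fc and the label the daemon produced disagree.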
