On 02/13/2014 08:30 PM, Jayson Hurst wrote: > I have a file context installed as follows: > > # semanage fcontext -l | grep vasd > > /etc/rc.d/init.d/vasd regular file > system_u:object_r:vasd_initrc_exec_t:s0 /opt/quest/sbin/vasd regular file > system_u:object_r:vasd_exec_t:s0 /var/opt/quest(/.*)? all files > system_u:object_r:vasd_var_t:s0 /var/opt/quest/vas/vasd(/.*)? all files > system_u:object_r:vasd_var_auth_t:s0 /var/opt/quest/vas/vasd/.vasd.pid > regular file system_u:object_r:vasd_var_run_t:s0 > > After a fresh install I see the following: > > # ls -laZ /var/opt/quest/vas/vasd/ drwxr-xr-x. root root > unconfined_u:object_r:vasd_var_t:s0 . drwxr-xr-x. root root > unconfined_u:object_r:vasd_var_t:s0 .. -rw-r--r--. root root > unconfined_u:object_r:vasd_var_t:s0 vas_ident.vdb -rw-r--r--. root root > unconfined_u:object_r:vasd_var_t:s0 vas_misc.vdb > > > Why are the files being created under /var/opt/quest/vas/vasd not being > labelled correctly as qasd_var_auth_t as the fcontext states? Is the > software installer supposed to force a relabel on a post-install? > > After a restart of the daemon I do not see the pid file being labelled > correctly: > > # /etc/init.d/vasd restart Stopping vasd: vasd does not appear to be > running. Starting vasd: [ OK > ] > > # ls -laZ /var/opt/quest/vas/vasd/ drwxr-xr-x. daemon daemon > unconfined_u:object_r:vasd_var_t:s0 . drwxr-xr-x. root root > unconfined_u:object_r:vasd_var_t:s0 .. srwxrwxrwx. daemon daemon > unconfined_u:object_r:vasd_var_t:s0 .vasd_19574 srwxrwxrwx. daemon daemon > unconfined_u:object_r:vasd_var_t:s0 .vasd_19575 srwxrwxrwx. daemon daemon > unconfined_u:object_r:vasd_var_t:s0 .vasd_19576 srwxrwxrwx. daemon daemon > unconfined_u:object_r:vasd_var_t:s0 .vasd40_ipc_sock -rw-r--r--. daemon > daemon unconfined_u:object_r:vasd_var_t:s0 .vasd.pid -rw-r--r--. daemon > daemon unconfined_u:object_r:vasd_var_t:s0 vas_ident.vdb -rw-r--r--. > daemon daemon unconfined_u:object_r:vasd_var_t:s0 vas_misc.vdb > > After forcing a relabel: > > # restorecon -F -R /var/opt/quest/vas/vasd/ > > # ls -laZ /var/opt/quest/vas/vasd/ drwxr-xr-x. daemon daemon > system_u:object_r:vasd_var_auth_t:s0 . drwxr-xr-x. root root > unconfined_u:object_r:vasd_var_t:s0 .. srwxrwxrwx. daemon daemon > system_u:object_r:vasd_var_auth_t:s0 .vasd_19574 srwxrwxrwx. daemon daemon > system_u:object_r:vasd_var_auth_t:s0 .vasd_19575 srwxrwxrwx. daemon daemon > system_u:object_r:vasd_var_auth_t:s0 .vasd_19576 srwxrwxrwx. daemon daemon > system_u:object_r:vasd_var_auth_t:s0 .vasd40_ipc_sock -rw-r--r--. daemon > daemon system_u:object_r:vasd_var_auth_t:s0 .vasd.pid -rw-r--r--. daemon > daemon system_u:object_r:vasd_var_auth_t:s0 vas_ident.vdb -rw-r--r--. > daemon daemon system_u:object_r:vasd_var_auth_t:s0 vas_misc.vdb > > I get the files and directory labelled correctly, but not the pid file. I > can set a pid transition in the policy but then what is the point of > setting a file context in the <domain>.fc for the pid file if it never > gets picked up? Apparently I am missing something important here. > > Does anyone know a place for good documentation on this subject? > > > > > > > > -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx > https://admin.fedoraproject.org/mailman/listinfo/selinux > If RPM puts the files on disk and then installs your policy in post install, it will not fix the labels. You could create an vasd-selinux.rpm and require this to be installed before the vasd.rpm is installed. In that case the rpm should do the right thing, at least on Fedora/RHEL7. Not sure about RHEL6. Otherwise you can just run restorecon in the post install. -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
