I think I'm really close to having this policy finished and working, just a couple of things to work out...

When I exercise my app and then run audit2allow and it says:

#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
allow myapp_t default_t:dir search;
allow myapp_t default_t:dir read;
allow myapp_t default_t:file execmod;
allow myapp_t myapp_bin_t:file write;

does it mean only the first line is a constraint violation? Or are all of those constraint violations? How does one typically deal with constraint violations? By attribute above I suppose it means a type attribute, but how do I know which one to add?

Then I have these:

#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
allow initrc_t default_t:file relabelto;
#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
allow initrc_t myapp_api_t:file relabelto;

The init script which starts the service relabels the files when the service starts. I suspect this is a bad idea and I'm not sure why they are doing it. I think they may be applying security categories here. We may have to find a different way to approach that. But how would I allow this if I wanted to?

Similarly:

#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
allow setfiles_t default_t:file relabelfrom;
#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
allow setfiles_t myapp_api_t:file relabelfrom;

etc...

This is all on CentOS 6.5.

Thanks!

--
Tracy Reed

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
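An added example, not part of the post above, that parses audit2allow's annotated output: audit2allow prints its "#!!!! This avc is a constraint violation" comment directly before the single allow rule it refers to, so attaching each flag to the next allow line separates the constrained rules from the ordinary AVCs grouped around them. The sample input is constructed from the first three fragments quoted in the post, with the long comment text abbreviated.

```python
# Added example (not from the post): separate the rules audit2allow flagged
# as constraint violations from plain AVC rules. audit2allow prints the
# "#!!!!" comment directly before the one allow rule it refers to, so the
# flag belongs to the next allow line only, not to the whole group.
import re
from collections import namedtuple

Rule = namedtuple("Rule", "source target tclass perms constrained")
ALLOW_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+)\s*;")

# Sample input: the fragments quoted in the post, one statement per line
# (constructed here; the long comment text is abbreviated to its prefix).
SAMPLE = """\
#!!!! This avc is a constraint violation. You will need to add an attribute...
#Contraint rule:
allow myapp_t default_t:dir search;
allow myapp_t default_t:dir read;
allow myapp_t default_t:file execmod;
allow myapp_t myapp_bin_t:file write;
#!!!! This avc is a constraint violation. You will need to add an attribute...
#Contraint rule:
allow initrc_t default_t:file relabelto;
#!!!! This avc is a constraint violation. You will need to add an attribute...
#Contraint rule:
allow initrc_t myapp_api_t:file relabelto;
"""

def parse_audit2allow(text):
    """Return the allow rules in order, each marked constrained or not."""
    rules, pending = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#!!!!") and "constraint violation" in line:
            pending = True      # marks the next allow rule only
            continue
        m = ALLOW_RE.match(line)
        if not m:
            continue            # other comments, blanks, require blocks
        perms = frozenset(m.group(4).strip("{} ").split())
        rules.append(Rule(m.group(1), m.group(2), m.group(3), perms, pending))
        pending = False
    return rules

def constraint_violations(text):
    """(source, target, class, perms) for every rule audit2allow flagged."""
    return [(r.source, r.target, r.tclass, r.perms)
            for r in parse_audit2allow(text) if r.constrained]
```

Run against the full `audit2allow -a` output, only the flagged rows need the attribute treatment the comment describes; the unflagged rows are ordinary allow rules.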