On 05/26/2015 05:05 AM, Tracy Reed wrote:
> I think I'm really close to having this policy finished and working, just a
> couple things to work out...
>
> When I exercise my app and then run audit2allow and it says:
>
> #!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.
> #Contraint rule:
> allow myapp_t default_t:dir search;
> allow myapp_t default_t:dir read;
> allow myapp_t default_t:file execmod;
> allow myapp_t myapp_bin_t:file write;
>
> does it mean only the first line is a constraint violation? Or are all of
> those constraint violations?
>
> How does one typically deal with constraint violations? By attribute above I
> suppose it means a type attribute, but how do I know which one to add?
>
> Then I have these:
>
> #!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.
> #Contraint rule:
> allow initrc_t default_t:file relabelto;
>
> #!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.
> #Contraint rule:
> allow initrc_t myapp_api_t:file relabelto;
>
> The init script which starts the service relabels the files when the service
> starts. I suspect this is a bad idea and I'm not sure why they are doing it. I
> think they may be applying security categories here. We may have to find a
> different way to approach that.
>
> But how would I allow this if I wanted to?
>
> Similarly:
>
> #!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.
> #Contraint rule:
> allow setfiles_t default_t:file relabelfrom;
>
> #!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.
> #Contraint rule:
> allow setfiles_t myapp_api_t:file relabelfrom;
>
> etc...
>
> This is all on CentOS 6.5.
>
> Thanks!
The latest audit2allow gives you a little more information. When you get a
constraint violation you usually need to add an attribute to the calling
process type, to say it is ok to do the operation. Usually it is related to
the MLS/MCS levels being different or to changing the SELinux user component
of a label. If you attached the actual AVC message we might be able to
diagnose the problem.

Having restorecon in an initscript is not unusual.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
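The reply's point is that audit2allow only shows the type pair, while a constraint decision is made on the other label components (the SELinux user and the MLS/MCS level), which only the raw AVC record carries. The POSIX sh helper below is an added example, not code from the thread or from the SELinux tools: it pulls scontext/tcontext out of raw AVC records and reports whether the user or level differs between source and target. A differing level string is only a prompt to go and read the constraint rules (a process range such as s0-s0:c0.c1023 dominates s0, so inequality is not a dominance check); identical user and level means the denial is an ordinary missing allow rule. The AVC records and the types in them are constructed for the example.

```shell
#!/bin/sh
# Added example: classify raw AVC records by the label components that
# SELinux constraints check. Sample records below are constructed.

# "name=value" field from an AVC record ($1 = record, $2 = field name).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# The permission set inside "denied { ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *//; s/ *}.*//p'
}

# Context components: user:role:type:level. The level may itself contain
# ':' (s0-s0:c0.c1023), so it is everything from the fourth field on.
ctx_part()  { printf '%s\n' "$1" | cut -d: -f"$2"; }
ctx_level() { printf '%s\n' "$1" | cut -d: -f4-; }

# Print a diagnosis for one record. Exit status: 0 = user or level differs
# (go read the constrain/mlsconstrain rules), 1 = user and level match
# (expect a plain missing allow rule), 2 = not an AVC record.
avc_constraint_hint() {
    rec=$1
    sctx=$(avc_field "$rec" scontext)
    tctx=$(avc_field "$rec" tcontext)
    if [ -z "$sctx" ] || [ -z "$tctx" ]; then
        echo "not an AVC record: $rec" >&2
        return 2
    fi
    perm=$(avc_perm "$rec")
    cls=$(avc_field "$rec" tclass)
    stype=$(ctx_part "$sctx" 3); ttype=$(ctx_part "$tctx" 3)
    suser=$(ctx_part "$sctx" 1); tuser=$(ctx_part "$tctx" 1)
    slevel=$(ctx_level "$sctx"); tlevel=$(ctx_level "$tctx")
    status=1
    if [ "$slevel" != "$tlevel" ]; then
        echo "$stype -> $ttype:$cls { $perm }: level differs ($slevel vs $tlevel); check the mlsconstrain rules for $cls $perm"
        status=0
    fi
    if [ "$suser" != "$tuser" ]; then
        echo "$stype -> $ttype:$cls { $perm }: SELinux user differs ($suser vs $tuser); check the constrain rules on user change"
        status=0
    fi
    if [ "$status" -eq 1 ]; then
        echo "$stype -> $ttype:$cls { $perm }: same user and level; expect a plain missing allow rule"
    fi
    return "$status"
}

# Count records on stdin that look like constraint problems.
count_constraint_hits() {
    n=0
    while IFS= read -r rec; do
        [ -n "$rec" ] || continue
        if avc_constraint_hint "$rec" >/dev/null 2>&1; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Constructed sample records (pids, inodes, timestamps and types are made up).
AVC_RELABELTO='type=AVC msg=audit(1432634700.101:201): avc:  denied  { relabelto } for  pid=2143 comm="chcon" name="api.conf" dev=dm-0 ino=4321 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:myapp_api_t:s0:c12 tclass=file'
AVC_READ='type=AVC msg=audit(1432634700.102:202): avc:  denied  { read } for  pid=2150 comm="myapp" name="data" dev=dm-0 ino=4400 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir'
AVC_RELABELFROM='type=AVC msg=audit(1432634700.103:203): avc:  denied  { relabelfrom } for  pid=2160 comm="setfiles" name="old.conf" dev=dm-0 ino=4500 scontext=system_u:system_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=file'
SAMPLES="$AVC_RELABELTO
$AVC_READ
$AVC_RELABELFROM"

# Stand-alone demonstration over the samples.
printf '%s\n' "$SAMPLES" | while IFS= read -r rec; do
    avc_constraint_hint "$rec" || :
done
printf 'constraint-like records: %s\n' "$(printf '%s\n' "$SAMPLES" | count_constraint_hits)"
```

On a real box feed it the raw records, for example `ausearch -m avc -ts recent | grep 'avc:'`; that raw line is what the reply asks for, because audit2allow discards the user and level components the decision depends on. The constraints themselves can be listed with `seinfo --constrain` from setools (assumed available in the installed version; older builds may lack the option), and the attribute the message tells you to add is whichever one those rules name for the permission being denied.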