On 07/14/2015 01:04 PM, Jeff Boyce wrote:
> Greetings -
>
> I essentially have two questions here.  First, I have a file that
> needs the context changed and I don't have a clear understanding of the
> proper syntax that should be used.  Second, after doing some additional
> reading through the SELinux manual and some Google searching, I realized
> that I may be taking the wrong approach with this file.  Then I ran
> across Dan Walsh's blog dated April 23, 2013 (Subject: What is the
> differences between user_home_dir_t and user_home_t) and realized that I
> am likely not doing something the appropriate way.  So I am looking for
> someone to educate me on my error, the risks involved, and the proper
> approach I should be using.
>
> The issue: I have two shell files run by cron that rsync our file
> server directories to two backup servers, one on-site (Bison) and one
> off-site.  The on-site cron has worked fine for years.  I just set up the
> off-site cron and it is blocked by SELinux.  Looking at the context of
> the files, the one that works is listed as system_u, while the one that
> fails is listed as unconfined_u.  So my first question is, what is the
> proper syntax for changing the context of the second file so that it
> matches the first one.
>
> [root@sequoia home]# pwd
> /home
> [root@sequoia home]# ls -lZ | grep RsyncS
> -rwxr--r--. root root system_u:object_r:home_root_t:s0 RsyncSequoiaToBison.sh
> -rwxr--r--. root root unconfined_u:object_r:home_root_t:s0 RsyncSequoiaToOffsite.sh

chcon --reference=RsyncSequoiaToBison.sh RsyncSequoiaToOffsite.sh

> Looking from a wider perspective, I have these shell files located in
> /home.  I am speculating now that for my objective, this might not be
> the appropriate location for them, and is probably why SELinux is
> blocking the new one I created for the off-site backup.  So my second
> question is more philosophical regarding what should be the location for
> a shell file that is used by cron to rsync our files to a backup server.
>
> Thanks, and please cc me directly as I only receive the daily digest
> from the mailing list.
>
> Jeff
>

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
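
An added example, not part of the original thread: a small shell function that compares two SELinux contexts field by field, so it is clear which of user, role, type and level differs before and after a relabel such as the `chcon --reference` above. The function name `ctx_diff` and the variable names are made up for this example; the two context strings are copied from the `ls -lZ` output in the message.

```shell
#!/bin/sh
# Added example: compare two SELinux contexts field by field.
# A context is user:role:type:level. The level may itself contain ':'
# (for example s0-s0:c0.c1023), so only the first three ':' are separators.

ctx_diff() {
    # $1, $2: full context strings.
    # Prints the names of the fields that differ, separated by spaces.
    a=$1
    b=$2
    out=""
    for field in user role type level; do
        if [ "$field" = level ]; then
            # Whatever is left after three splits is the level/range.
            fa=$a
            fb=$b
        else
            fa=${a%%:*}
            fb=${b%%:*}
            a=${a#*:}
            b=${b#*:}
        fi
        [ "$fa" = "$fb" ] || out="$out${out:+ }$field"
    done
    printf '%s\n' "$out"
}

# Contexts copied from the ls -lZ output quoted in the message.
BISON='system_u:object_r:home_root_t:s0'
OFFSITE='unconfined_u:object_r:home_root_t:s0'

# Only the user field differs; role, type and level are identical.
ctx_diff "$BISON" "$OFFSITE"    # prints: user

# On a live system the strings can come from GNU stat, e.g.
#   ctx_diff "$(stat -c %C RsyncSequoiaToBison.sh)" \
#            "$(stat -c %C RsyncSequoiaToOffsite.sh)"
```

An empty result after the relabel means the two files carry the same context in every field.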