----- Original Message -----
> From: "Stephen Smalley" <sds@xxxxxxxxxxxxx>
> To: "Jeff Boyce" <jboyce@xxxxxxxxxxxxxxx>, "SELinux Fedora List" <selinux@xxxxxxxxxxxxxxxxxxxxxxx>
> Sent: Tuesday, July 14, 2015 1:41:22 PM
> Subject: Re: How to (or should I?) change unconfined_u to system_u for a file
>
> On 07/14/2015 01:04 PM, Jeff Boyce wrote:
> > Greetings -
> >
> > I essentially have two questions here. First, I have a file that
> > needs the context changed and I don't have a clear understanding of the
> > proper syntax that should be used. Second, after doing some additional
> > reading through the SELinux manual and some Google searching, I realized
> > that I may be taking the wrong approach with this file. Then I ran
> > across Dan Walsh's blog dated April 23, 2013 (Subject: What is the
> > differences between user_home_dir_t and user_home_t) and realize that I
> > am likely not doing something the appropriate way. So I am looking for
> > someone to educate me on my error, the risks involved, and the proper
> > approach I should be using.
> >
> > The issue: I have two shell files run by cron that rsync our file
> > server directories to two backup servers, one on-site (Bison) and one
> > off-site. The on-site cron has worked fine for years. I just setup the
> > off-site cron and it is blocked by SELinux. Looking at the context of
> > the files, the one that works is listed as system_u, while the one that
> > fails is listed as unconfined_u. So my first question is, what is the
> > proper syntax for changing the context of the second file so that it
> > matches the first one.
> >
> > [root@sequoia home]# pwd
> > /home
> > [root@sequoia home]# ls -lZ | grep RsyncS
> > -rwxr--r--. root root system_u:object_r:home_root_t:s0
> > RsyncSequoiaToBison.sh
> > -rwxr--r--. root root unconfined_u:object_r:home_root_t:s0
> > RsyncSequoiaToOffsite.sh
>
> chcon --reference=RsyncSequoiaToBison.sh RsyncSequoiaToOffsite.sh
>
> > Looking from a wider perspective, I have these shell files located in
> > /home. I am speculating now that for my objective, this might not be
> > the appropriate location for them, and is probably why SELinux is
> > blocking the new one I created for the off-site backup. So my second
> > question is more philosophical regarding what should be the location for
> > a shell file that is used by cron to rsync our files to a backup server.
> >

What AVCs do you show for the new file?

> > Thanks, and please cc me directly as I only receive the daily digest
> > from the mailing list.
> >
> > Jeff
> >
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux

--
Simon Sekidde * Red Hat, Inc. * Westford, MA
gpg: 5848 958E 73BA 04D3 7C06 F096 1BA1 2DBF 94BC 377E
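
Added example, not part of any message in this thread: a shell sketch that pulls the context column out of the `ls -lZ` listing quoted above and reports which of the user, role, type and level fields differ between the two scripts. The function names are hypothetical, and the sample is the post's listing with each wrapped entry joined onto one line.

```shell
#!/bin/sh
# Constructed sample: the two `ls -lZ` entries from the post, one per line.
SAMPLE='-rwxr--r--. root root system_u:object_r:home_root_t:s0 RsyncSequoiaToBison.sh
-rwxr--r--. root root unconfined_u:object_r:home_root_t:s0 RsyncSequoiaToOffsite.sh'

# context_of FILE: read `ls -lZ` text on stdin, print the context column for FILE.
# Assumes the file name is the last field (no spaces in the name).
context_of() {
    awk -v f="$1" '$NF == f { print $(NF-1) }'
}

# diff_fields CTX_A CTX_B: print a comma-separated list of the fields that differ.
# A context is user:role:type:level; the level can itself contain colons
# (for example s0:c0.c1023), so only the first three colons are split on.
diff_fields() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        function split4(ctx, out,   i, p) {
            for (i = 1; i <= 3; i++) {
                p = index(ctx, ":")
                if (p == 0) return 0
                out[i] = substr(ctx, 1, p - 1)
                ctx = substr(ctx, p + 1)
            }
            out[4] = ctx
            return 1
        }
        NR == 1 { ok = split4($0, a) }
        NR == 2 { ok = ok && split4($0, b) }
        END {
            if (!ok) { print "malformed"; exit 1 }
            n = split("user role type level", name, " ")
            sep = ""
            for (i = 1; i <= n; i++)
                if (a[i] != b[i]) { printf "%s%s", sep, name[i]; sep = "," }
            print ""
        }'
}

working=$(printf '%s\n' "$SAMPLE" | context_of RsyncSequoiaToBison.sh)
failing=$(printf '%s\n' "$SAMPLE" | context_of RsyncSequoiaToOffsite.sh)
echo "differing fields: $(diff_fields "$working" "$failing")"
```

On a live system the same functions can be fed directly, for example `ls -lZ /home | context_of RsyncSequoiaToOffsite.sh`.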