Re: transition from init_rc

Hello all! 

Way back in May I wrote to the list and got some, but not all, of the problems
fixed in my policy. This project was on the back-burner mostly working for a
while but now I need to get it perfected.

We use MCS and have an automated process to deploy web application instances to
machines with a separate category per application instance to protect them from
each other. When the application starts the init script does a chcon to set the
category/context. initrc_t is supposedly unconstrained from what I'm reading in
the docs, so why is it being prohibited from relabeling?

type=AVC msg=audit(11/09/2015 04:22:43.045:3126812) : avc: denied { relabelto }
for pid=13753 comm=chcon name=tomcat-server.xml dev=dm-0 ino=16900514
scontext=system_u:system_r:initrc_t:s0
tcontext=myapp_u:object_r:myapp_conf_t:s0:c50 tclass=file 

On Tue, May 26, 2015 at 02:04:59AM PDT, Tracy Reed spake thusly:
> #!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.
> #Contraint rule: 
> allow initrc_t default_t:file relabelto;
> 
> #!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.
> #Contraint rule: 
> allow initrc_t myapp_api_t:file relabelto;
> 
> The init script which starts the service relabels the files when the service
> starts. I suspect this is a bad idea and I'm not sure why they are doing it. I
> think they may be applying security categories here. We may have to find a
> different way to approach that.
> 
> But how would I allow this if I wanted to? 
> 
> Similarly:
> 
> #!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.
> #Contraint rule: 
> allow setfiles_t default_t:file relabelfrom;
> 
> #!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.
> #Contraint rule: 
> allow setfiles_t myapp_api_t:file relabelfrom;
> 
> etc...
> 
> This is all on CentOS 6.5.

-- 
Tracy Reed
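As an added example (not from the thread or the Fedora policy), a small Python check of why this AVC is a constraint violation rather than a missing allow rule: the MCS relabelto constraint requires the source's high level to dominate the target's level, and here initrc_t runs at s0 with no categories while the target file is s0:c50. It models only that dominance test on the AVC text; it does not read the installed policy.

```python
import re

# Constructed sample: the AVC line quoted in the post, joined onto one line.
AVC_LINE = (
    "type=AVC msg=audit(11/09/2015 04:22:43.045:3126812) : avc: denied { relabelto } "
    "for pid=13753 comm=chcon name=tomcat-server.xml dev=dm-0 ino=16900514 "
    "scontext=system_u:system_r:initrc_t:s0 "
    "tcontext=myapp_u:object_r:myapp_conf_t:s0:c50 tclass=file"
)

def parse_categories(spec):
    """Expand an MCS category spec such as 'c0.c3,c50' into {0, 1, 2, 3, 50}."""
    cats = set()
    for part in filter(None, spec.split(",")):
        if "." in part:                      # 'c0.c3' is an inclusive range
            lo, hi = part.split(".")
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(part[1:]))
    return cats

def parse_level(level):
    """'s0:c50' -> (0, {50}); a bare 's0' has no categories."""
    sens, _, cats = level.partition(":")
    return int(sens[1:]), parse_categories(cats)

def high_level(context):
    """Return (type, high level) of a context 'user:role:type:range'.
    The range is 'low' or 'low-high'; the high end is the clearance."""
    _user, _role, type_, rng = context.split(":", 3)
    return type_, parse_level(rng.split("-")[-1])

def dominates(a, b):
    """MLS dominance: sensitivity of a >= b and a's categories are a superset of b's."""
    return a[0] >= b[0] and a[1] >= b[1]

def explain_relabel_denial(avc):
    """Apply the dominance half of the MCS relabelto constraint (h1 dom h2) to one AVC."""
    m = re.search(r"denied \{ ([^}]+) \}.*scontext=(\S+) tcontext=(\S+) tclass=(\S+)", avc)
    stype, shigh = high_level(m.group(2))
    ttype, thigh = high_level(m.group(3))
    return {
        "perms": m.group(1).split(),
        "source_type": stype,
        "target_type": ttype,
        "source_dominates_target": dominates(shigh, thigh),
        "missing_categories": sorted(thigh[1] - shigh[1]),  # what the source clearance lacks
    }
```

For this AVC the result reports that initrc_t at s0 does not dominate s0:c50 and is missing category 50, which is why no `allow initrc_t myapp_conf_t:file relabelto;` rule on its own can make chcon succeed.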


--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
