On 27/11/2017 19:47, Stephen Smalley wrote:
I prefer bind mounts (along with file context equivalence to ensure
that the source directory is correctly labeled), but there are
tradeoffs of course.
WRT to the impact on SELinux policy, this perhaps points to an
unnecessary fragility in policy that could be addressed through better
macros/interfaces.
Hi all,
I bump this old thread because I have troubles relocating MongoDB due to
its selinux policy dening symlink access.
Goal: to relocate /var/lib/mongo to /tank/graylog/var/lib/mongo/ with
minimal alteration to the original selinux policy.
What I did:
semanage fcontext -a -e /var/lib/mongo /tank/graylog/var/lib/mongo
mv /var/lib/mongo /tank/graylog/var/lib/mongo
ln -s /tank/graylog/var/lib/mongo /var/lib/mongo
restorecon /var/lib/mongo
systemctl restart mongod
Result:
MongoDB does not start. Issuing "cat /var/log/audit/audit.log |
audit2allow" show the following error: "allow mongod_t
mongod_var_lib_t:lnk_file read;"
Questions:
- apart from reconfiguring MongoDB to directly point to the new
location, what else I can do (short to create a custom selinux policy)
to allow access to /var/lib/mongo symlink?
- why is lnk_file read denied by default in some policies (ie: MongoDB,
MySQL, libvirt, etc)?
Thanks.
--
Danti Gionatan
Supporto Tecnico
Assyoma S.r.l. - www.assyoma.it
email: g.danti@xxxxxxxxxx - info@xxxxxxxxxx
GPG public key ID: FF5F32A8
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
