Hi all,

In short, I'm wondering what the refpolicy way is to let a daemon write into HOME_DIR and how those files---especially the SELinux user part---should be labeled?

Currently I have a daemon (systemd service) running under the context system_u:system_r:foobar_t:s0 and the policy contains

    init_daemon_domain(foobar_t, foobar_exec_t)

The daemon reads and writes files under HOME_DIR/foobar, which are labeled as foobar_rw_t, and the policy has the following file context entry:

    HOME_DIR/foobar(/.*)? gen_context(system_u:object_r:foobar_rw_t,s0)

However, newly created files still seem to have a wrong user according to restorecon (the daemon runs under the Linux user marge, which is assigned to the SELinux user user_u):

    $ restorecon -FRvn /home/marge/foobar
    Would relabel /home/marge/foobar/baz from system_u:object_r:foobar_rw_t:s0 to user_u:object_r:foobar_rw_t:s0

It looks as if user_u wins over system_u for files under HOME_DIR. This does not have any effect on the functionality of the daemon; however, it still feels wrong to me. So I'm wondering how to fix this and thought about:

1) Can/should a daemon run under a different SELinux user than system_u?

2) Another option, which I think is worse, would be to change the SELinux user from user_u to system_u for the Linux user marge under which the daemon runs.

3) A third option would be to keep the users as they are, i.e., let the daemon run under system_u and let marge be assigned to user_u, but tweak the policy to keep the file context labels under HOME_DIR with system_u.

Any thoughts?

(PS: the daemon cannot be reconfigured in order to write into a different directory than HOME_DIR.)

Cheers,
Stefan
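The restorecon output quoted in the post, modelled in Python as an added example (not code from the original post, from refpolicy or from libselinux). The point it demonstrates: a HOME_DIR file context entry is never applied as written. genhomedircon expands each HOME_DIR template line once per login mapping into file_contexts.homedirs, substituting the login's home directory for HOME_DIR and the login's SELinux user for system_u, whereas a file the daemon creates carries the SELinux user of the creating process and, absent a type_transition, the type of the parent directory. The login mappings (marge -> user_u, plus a second constructed login homer -> staff_u to show the substitution is per login), the template entry and the paths are constructed for this example; the "last matching entry wins" lookup mirrors how the compiled file_contexts are searched.

```python
"""Model of why restorecon wants user_u for daemon-created files under HOME_DIR."""
import re

# Constructed stand-in for the HOME_DIR template entry quoted in the post.
# (regex, context) pairs in the shape of a file_contexts line after gen_context.
TEMPLATE_ENTRIES = [
    ("HOME_DIR/foobar(/.*)?", "system_u:object_r:foobar_rw_t:s0"),
]

# Constructed login mappings: Linux user -> (SELinux user, home directory),
# the information `semanage login -l` plus the passwd entry would give.
LOGINS = {
    "marge": ("user_u", "/home/marge"),
    "homer": ("staff_u", "/home/homer"),  # hypothetical second login
}


def expand_homedir_entries(template, logins):
    """Mimic genhomedircon: emit one concrete entry per login for every
    HOME_DIR template line, replacing HOME_DIR with the home directory and
    system_u with the login's SELinux user. The second substitution is
    what turns the policy's system_u into user_u for marge's files."""
    expanded = []
    for regex, context in template:
        if "HOME_DIR" not in regex:
            expanded.append((regex, context))  # ordinary entry, kept as-is
            continue
        for seuser, home in logins.values():
            expanded.append((
                regex.replace("HOME_DIR", re.escape(home)),
                context.replace("system_u", seuser, 1),
            ))
    return expanded


def lookup_context(path, entries):
    """Return the context restorecon would assign: the last matching entry
    in file order wins, which is how the compiled file_contexts is searched."""
    for regex, context in reversed(entries):
        if re.fullmatch(regex, path):
            return context
    return None


def created_context(process_context, parent_type):
    """Label a newly created file receives: the creating process's SELinux
    user and MLS level, object_r, and (without a type_transition rule)
    the type of the parent directory."""
    user, _role, _type, level = process_context.split(":", 3)
    return f"{user}:object_r:{parent_type}:{level}"


def restorecon_plan(path, current, entries):
    """(current, target) if `restorecon -F` would relabel path, else None.
    -F is needed because a plain restorecon only resets the type field."""
    target = lookup_context(path, entries)
    if target is None or target == current:
        return None
    return current, target


if __name__ == "__main__":
    entries = expand_homedir_entries(TEMPLATE_ENTRIES, LOGINS)
    for regex, context in entries:
        print(f"{regex:<28} {context}")
    # A file written by the daemon into the already-labeled foobar directory.
    now = created_context("system_u:system_r:foobar_t:s0", "foobar_rw_t")
    plan = restorecon_plan("/home/marge/foobar/baz", now, entries)
    if plan:
        print(f"Would relabel /home/marge/foobar/baz from {plan[0]} to {plan[1]}")
```

Running the block prints the two expanded entries and then the same "Would relabel ... from system_u:... to user_u:..." line the post reports. The model shows that the mismatch comes from the per-login expansion of the HOME_DIR entry, not from the daemon's domain: changing the daemon's SELinux user or marge's login mapping both change the outcome only by changing one of the two inputs to this expansion.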