> >>> Hello all,
> >>>
> >>> If there is a more appropriate forum for this question please let me know:
> >>>
> >>> I have a system that uses confined users by default and some files
> >>> are managed by a puppet server. When I run (via run_init) the
> >>> puppet startup script, I get the following avc log:
> >>>
> >>> avc: denied { relabelto } for pid=30707 comm="puppet" name="crl.pem"
> >>> dev=dm-1 ino=527257 scontext=system_u:system_r:puppet_t:s0
> >>> tcontext=system_u:object_r:puppet_var_lib_t:s0:c0.c1023 tclass=file
> >>>
> >>> I added "typeattribute puppet_t can_change_object_identity" and
> >>> appropriate "allow" statements to the puppet_t type after reading
> >>> the constraints in the targeted policy. However, it was the category
> >>> "s0:c0.c1023" that was also preventing puppet from relabeling the
> >>> crl.pem file.
> >>>
> >>> I was able to fix this by manually relabeling the file to "s0"
> >>> instead of "s0:c0.c1023". My question is, how *should* I handle this
> >>> so puppet can handle the relabel of the category?
> >>
> >> It requires an appropriate attribute for the mcs or mls constraint
> >> that is blocking access. Which attribute depends on your policy; MCS
> >> in particular has changed a lot over time in Fedora and RHEL. What distro &
> >> version?
> >
> > I'm using CentOS / RedHat 6.6, targeted reference policy 24.
>
> So, selinux-policy-3.7.19-260.el6 or thereabouts?

Yes, exactly selinux-policy-3.7.19-260.el6_6.2
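The denial quoted in the thread, as an added example that is not part of the original messages: a small Python checker that parses the AVC line and reports which MCS categories of the target file the puppet_t subject (level s0) lacks, which is what the constraint blocked. It assumes the simplified rule that for relabelto the subject's categories must dominate the target's; policy attributes that override the MCS constraint are not modelled.

```python
import re

# Constructed sample: the AVC line from the thread, rejoined on one line.
AVC_LINE = ('avc: denied { relabelto } for pid=30707 comm="puppet" name="crl.pem" '
            'dev=dm-1 ino=527257 scontext=system_u:system_r:puppet_t:s0 '
            'tcontext=system_u:object_r:puppet_var_lib_t:s0:c0.c1023 tclass=file')

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERM_RE = re.compile(r'denied\s+\{\s*([^}]*?)\s*\}')


def parse_avc(line):
    """Split an AVC denial into its permission list and key=value fields."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    perms = PERM_RE.search(line)
    fields['perms'] = perms.group(1).split() if perms else []
    return fields


def split_context(ctx):
    """user:role:type:level -> (user, role, type, level); level may be absent."""
    parts = ctx.split(':', 3)
    return tuple(parts) + ('',) * (4 - len(parts))


def categories(level):
    """Expand the MCS categories of a level, e.g. 's0:c0.c1023' -> {0..1023}.
    Handles 'cA.cB' ranges and 'c1,c5' lists; for 'low-high' the high level counts."""
    high = level.split('-')[-1]
    cats = set()
    for item in (high.split(':')[1].split(',') if ':' in high else []):
        if '.' in item:
            a, b = item.split('.')
            cats.update(range(int(a[1:]), int(b[1:]) + 1))
        else:
            cats.add(int(item[1:]))
    return cats


def mcs_relabelto_blocked(avc):
    """Return (blocked, missing): missing = target categories the subject lacks.
    Assumption (simplified): the MCS relabelto constraint requires the subject's
    categories to dominate the target's; override attributes are ignored."""
    if 'relabelto' not in avc['perms']:
        return False, set()
    subj = categories(split_context(avc['scontext'])[3])
    tgt = categories(split_context(avc['tcontext'])[3])
    missing = tgt - subj
    return bool(missing), missing


if __name__ == '__main__':
    blocked, missing = mcs_relabelto_blocked(parse_avc(AVC_LINE))
    print('MCS blocks relabelto:', blocked, '| missing categories:', len(missing))
```

Running it on the thread's line reports that all 1024 categories of the file are missing from the subject's level, matching the author's observation that relabeling the file to plain s0 made the denial go away.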