Re: selinux category relabel (puppet)


On Fri, Mar 13, 2015 at 05:52:37PM +0000, Higgs, Stephen wrote:
> > On 03/13/2015 09:52 AM, Higgs, Stephen wrote:
> > > Hello all,
> > >
> > > If there is a more appropriate forum for this question please let me know:
> > >
> > > I have a system that uses confined users by default and some files are
> > > managed by a puppet server.  When I run (via run_init) the puppet
> > > startup script, I get the following avc log:
> > >
> > > avc: denied { relabelto } for pid=30707 comm="puppet" name="crl.pem"
> > > dev=dm-1 ino=527257 scontext=system_u:system_r:puppet_t:s0
> > > tcontext=system_u:object_r:puppet_var_lib_t:s0:c0.c1023 tclass=file
> > >
> > > I added "typeattribute puppet_t can_change_object_identity" and
> > > appropriate "allow" statements to the puppet_t type after reading the
> > > constraints in the targeted policy. However, it was the category
> > > "s0:c0.c1023" that was also preventing puppet from relabeling the
> > > crl.pem file.
> > >
> > > I was able to fix this by manually relabeling the file to "s0" instead
> > > of "s0:c0.c1023". My question is, how *should* I handle this so puppet
> > > can handle the relabel of the category?
> > 
> > It requires an appropriate attribute for the mcs or mls constraint that is
> > blocking access.  Which attribute depends on your policy; MCS in particular has
> > changed a lot over time in Fedora and RHEL.  What distro & version?
> > 
> 
> I'm using CentOS / RedHat 6.6, targeted reference policy 24.

I do not see how it makes sense in the first place to relabelto s0:c0.c1023, might as well keep it s0.

Any idea why puppet is trying to relabelto s0:c0.c1023? Is that specified in your puppet configuration?

Also it may not even be a constraint issue in the first place (I doubt that puppet is MCS constrained).

Maybe you just need a rule like allow puppet_t puppet_var_lib_t:file relabelto;

What does audit2why tell you when you pipe the AVC denial into its input stream?

> 
> _______________________________________________
> Selinux mailing list
> Selinux@xxxxxxxxxxxxx
> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
> To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.

-- 
02DFF788
4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift
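As an added illustration (not code from the thread or from any SELinux tool), a small parser for AVC records like the one quoted above: it derives the type-enforcement rule audit2allow would propose and flags whether the MCS category sets of scontext and tcontext differ, which is the case to check in audit2why output before reaching for constraint attributes. Both log lines are constructed samples; the second one is a hypothetical denial whose target keeps the plain s0 level.

```python
import re

# Constructed samples: the AVC record from the thread, joined onto one line,
# plus a hypothetical second record whose target stays at the process's level s0.
SAMPLE_LOG = [
    'avc: denied { relabelto } for pid=30707 comm="puppet" name="crl.pem" '
    'dev=dm-1 ino=527257 scontext=system_u:system_r:puppet_t:s0 '
    'tcontext=system_u:object_r:puppet_var_lib_t:s0:c0.c1023 tclass=file',
    'avc: denied { relabelto } for pid=30708 comm="puppet" name="ca.pem" '
    'dev=dm-1 ino=527258 scontext=system_u:system_r:puppet_t:s0 '
    'tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=file',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_level(level):
    """Expand an MLS/MCS level: 's0:c0.c1023' -> ('s0', {0..1023}); 's0' -> ('s0', set())."""
    sens, _, cats = level.partition(':')
    out = set()
    for part in (cats.split(',') if cats else []):
        lo, _, hi = part.partition('.')          # 'c0.c1023' is a range, 'c5' a single category
        lo_n, hi_n = int(lo[1:]), (int(hi[1:]) if hi else int(lo[1:]))
        out.update(range(lo_n, hi_n + 1))
    return sens, out

def parse_context(ctx):
    user, role, typ, level = ctx.split(':', 3)    # level keeps any ':cNN' category suffix
    return {'user': user, 'role': role, 'type': typ, 'level': parse_level(level)}

def analyse_avc(line):
    """Return the TE rule audit2allow would derive and whether category sets differ, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    perms = m.group('perms').split()
    src, tgt = parse_context(fields['scontext']), parse_context(fields['tcontext'])
    rule = 'allow %s %s:%s { %s };' % (src['type'], tgt['type'], fields['tclass'], ' '.join(perms))
    return {
        'comm': fields.get('comm'), 'name': fields.get('name'), 'perms': perms,
        'te_rule': rule,
        # The allow rule is needed either way; a category mismatch is the extra thing to
        # look for in audit2why output (a constraint violation) before adding attributes.
        'category_mismatch': src['level'][1] != tgt['level'][1],
    }

def analyse_log(lines):
    return [r for r in map(analyse_avc, lines) if r is not None]

if __name__ == '__main__':
    for r in analyse_log(SAMPLE_LOG):
        print(r['name'], r['te_rule'], 'categories differ' if r['category_mismatch'] else 'same level')
```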