I am having a weird problem writing a policy for a service. The service needs to set SELinux file contexts, so I've created a rule to allow this:

    allow acme_nss_t cert_t : file { read write create getattr setattr relabelfrom relabelto open } ;

Despite this, I am still getting this denial:

    avc: denied { relabelto } for pid=3561 comm="update-mod-nss" name="cert8.db" dev="dm-0" ino=50343845 scontext=system_u:system_r:acme_nss_t:s0 tcontext=unconfined_u:object_r:cert_t:s0 tclass=file

Any ideas?

-- 
========================================================================
Ian Pilcher                                         arequipeno@xxxxxxxxx
-------- "I grew up before Mark Zuckerberg invented friendship" --------
========================================================================

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
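The following is an added triage example, not code from the poster or from any SELinux project. It parses an AVC denial record and a type-enforcement allow rule (both are the constructed copies of the lines quoted above), checks whether the rule covers the denied permission on the denied source type, target type and class, and then looks at a detail the AVC record does not call out: for relabelto and relabelfrom the SELinux user of subject and object are compared as well, because refpolicy-derived policies carry a constraint on those permissions that requires matching users (or a special attribute on the subject type). An allow rule that matches on types alone can therefore look complete while the denial persists. The rule set and the helper names (`parse_avc`, `parse_allow`, `triage`) are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the denial and allow rule quoted in the post,
# embedded here so the example runs offline.
AVC_LINE = ('avc: denied { relabelto } for pid=3561 comm="update-mod-nss" '
            'name="cert8.db" dev="dm-0" ino=50343845 '
            'scontext=system_u:system_r:acme_nss_t:s0 '
            'tcontext=unconfined_u:object_r:cert_t:s0 tclass=file')
ALLOW_RULE = ('allow acme_nss_t cert_t : file { read write create getattr '
              'setattr relabelfrom relabelto open } ;')


@dataclass
class Denial:
    perms: set            # permissions listed inside { ... }
    scontext: tuple       # (user, role, type, level) of the subject
    tcontext: tuple       # (user, role, type, level) of the object
    tclass: str           # object class, e.g. "file"
    fields: dict          # every key=value pair from the record


def parse_context(ctx):
    """Split user:role:type[:level] into a 4-tuple, padding a missing level."""
    parts = ctx.split(":", 3)
    return tuple(parts) + ("",) * (4 - len(parts))


def parse_avc(line):
    """Parse one 'avc: denied { perms } for k=v ...' record."""
    m = re.search(r'avc:\s+denied\s+\{\s*([^}]*)\}\s+for\s+(.*)$', line)
    if not m:
        raise ValueError("not an AVC denial record")
    perms = set(m.group(1).split())
    fields = {}
    # Values are either double-quoted (comm="...") or bare tokens.
    for key, value in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(2)):
        fields[key] = value.strip('"')
    return Denial(perms,
                  parse_context(fields["scontext"]),
                  parse_context(fields["tcontext"]),
                  fields["tclass"],
                  fields)


def parse_allow(rule):
    """Parse 'allow src tgt : class { perms } ;' into (src, tgt, class, perms)."""
    m = re.match(r'\s*allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s*\{\s*([^}]*)\}\s*;', rule)
    if not m:
        raise ValueError("unrecognised allow rule")
    return m.group(1), m.group(2), m.group(3), set(m.group(4).split())


def rule_covers(rule, denial):
    """True if the rule grants every denied permission for this type pair/class."""
    src, tgt, cls, perms = rule
    return (src == denial.scontext[2] and tgt == denial.tcontext[2]
            and cls == denial.tclass and denial.perms <= perms)


def triage(line, rules):
    """Return (covered_by_te_rule, notes) for one denial against a rule list."""
    denial = parse_avc(line)
    notes = []
    covered = any(rule_covers(r, denial) for r in rules)
    if covered:
        notes.append("a type-enforcement allow rule covers this denial; "
                     "confirm the module containing it is actually loaded")
    else:
        notes.append("no allow rule in the given set covers this denial")
    # Relabel permissions are also subject to a user-identity constraint in
    # refpolicy-derived policies; the AVC record does not say so explicitly.
    if denial.perms & {"relabelto", "relabelfrom"} \
            and denial.scontext[0] != denial.tcontext[0]:
        notes.append("SELinux user differs (%s vs %s); relabel permissions are "
                     "also checked by a policy constraint on the user field"
                     % (denial.scontext[0], denial.tcontext[0]))
    return covered, notes


if __name__ == "__main__":
    ok, findings = triage(AVC_LINE, [parse_allow(ALLOW_RULE)])
    print("covered by allow rule:", ok)
    for note in findings:
        print(" -", note)
```

Running it on the quoted record reports that the allow rule does cover `relabelto` on `cert_t` for `acme_nss_t`, and separately that the subject is `system_u` while the object is `unconfined_u`, which is the field a type-only allow rule never touches.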