changing files with selinux and policy targeted enabled
Daniel J Walsh
dwalsh at redhat.com
Thu Dec 2 22:06:10 UTC 2004
Aleksandar Milivojevic wrote:
> I'm not sure if this is bug in SELinux, or if I'm simply doing
> something wrong (I don't have much experience with SELinux).
>
> I install very basic Fedora Core 3 system using ks.cfg file. From
> %post portion of ks.cfg, I replaced couple of configuration files at
> the end of install process (basically, they all got new inode
> number). One of them is ntp.conf.
>
> Now, every time I want to start ntpd, I'm getting errors from SELinux
> and ntpd is denied access to ntp.conf file.
>
> If I delete ntp.conf file and create new one while the system is
> running, everything seems to be working. Ntpd can read this "new"
> ntp.conf.
>
> It looks as if SELinux remembers the inode of the file across the
> reboots, and uses inode (not file name) to grant or deny access to
> files. So if inode changes while SELinux is not running (for example
> during installation, or when booted in rescue mode from CD I guess),
> it will remember what was the old inode number and block application's
> access to the file based on that (and if some other file is assigned
> (now free) inode number of the old ntp.conf file, SELinux will allow
> application to access it, although it shouldn't).
>
> Is above paragraph correct? Is that the way SELinux works?
>
> Couple of questions. How to instruct SELinux portion of Linux that
> some inodes had changed outside of its control, so it should update
> its internal databases? Am I to expect this every time I boot from CD
> in rescue mode and change something?
>
The problem is the file context of the ntp.conf file. If you add
restorecon /etc/ntp.conf you should fix the problem.
Dan
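The shell below is an added example, not code from the thread or from Red Hat; it fills in the check and the repair behind Dan's one-line answer. SELinux does not track inode numbers: it stores each file's context in the security.selinux extended attribute of the inode, so a file recreated while no policy was loaded (kickstart %post, rescue CD) simply carries no label or the wrong one, and ntpd's allow rules, which are written against the type field such as etc_t, no longer match. The example assumes policycoreutils is installed (matchpathcon, restorecon, fixfiles) and that restorecon's verbose report has the form "restorecon reset PATH context OLD->NEW"; the sample line used for the pure-shell parsing is constructed. It also goes a step beyond the single file in the question to the whole-filesystem relabel you want after editing things from rescue mode.

```shell
#!/bin/sh
# Added example, not code from the original thread.  Check and repair the
# SELinux file context of a file replaced outside SELinux's view
# (kickstart %post, rescue CD).  Assumes policycoreutils is installed so
# matchpathcon(8), restorecon(8) and fixfiles(8) exist, and assumes
# restorecon's verbose output has the form
#   restorecon reset PATH context OLD->NEW
# (assumed format; a constructed sample line is used in the checks).

# Third colon-separated field of a context, e.g. etc_t from
# user_u:object_r:etc_t.  Pure shell, no SELinux tools needed.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# 0 if both contexts carry the same type, 1 otherwise.  The type is what
# the targeted policy's allow rules are written against, so it is the
# field that decides whether ntpd may read the file.
context_types_match() {
    [ "$(context_type "$1")" = "$(context_type "$2")" ]
}

# Parse one "restorecon reset PATH context OLD->NEW" line and print the
# type the file has now and the type file_contexts says it should have.
reset_line_types() {
    ctx=$(printf '%s\n' "$1" | sed -n 's/.* context \(.*\)$/\1/p')
    old=${ctx%%->*}
    new=${ctx#*->}
    printf '%s %s\n' "$(context_type "$old")" "$(context_type "$new")"
}

# Dry run (-n): report whether PATH carries the context file_contexts
# expects.  Returns 0 if nothing would change, 1 if it would be relabeled.
check_context() {
    f=$1
    echo "expected: $(matchpathcon "$f")"
    out=$(restorecon -n -v "$f")
    if [ -z "$out" ]; then
        echo "ok: $f already has the expected context"
        return 0
    fi
    echo "$out"
    return 1
}

# Repair one file: this is the fix from the reply above.
fix_context() {
    restorecon -v "$1"
}

# Whole-filesystem variants for files changed from rescue mode: relabel
# now, or leave a flag so rc.sysinit relabels everything at next boot.
relabel_all_now() {
    fixfiles relabel
}
relabel_all_at_next_boot() {
    touch /.autorelabel
}

# Usage: sh selinux-fixcontext.sh /etc/ntp.conf
if [ -n "${1:-}" ]; then
    check_context "$1" || fix_context "$1"
fi
```

The dry-run check is the part worth keeping around: run it on every file a %post script replaces, or on the whole list with restorecon -n -v -R /etc, before rebooting, rather than waiting for ntpd to fail. Adding restorecon /etc/ntp.conf to the end of %post, as Dan suggests, fixes the label at install time; touch /.autorelabel covers the rescue-CD case where you no longer know which files you touched.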