[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: chaning files with selinux and policy targeted enabled

Aleksandar Milivojevic wrote:

I'm not sure if this is bug in SELinux, or if I'm simply doing something wrong (I don't have much experience with SELinux).

I install very basic Fedora Core 3 system using ks.cfg file. From %post portion of ks.cfg, I replaced couple of configuration files at the end of install process (basically, they all got new inode number). One of them is ntp.conf.

Now, every time I want to start ntpd, I'm getting errors from SELinux and ntpd is denied access to ntp.conf file.

If I delete ntp.conf file and create new one while the system is running, everything seems to be working. Ntpd can read this "new" ntp.conf.

It looks as if SELinux remembers the inode of the file across the reboots, and uses inode (not file name) to grant or deny access to files. So if inode changes while SELinux is not running (for example during installation, or when booted in rescue mode from CD I guess), it will remember what was the old inode number and block application's access to the file based on that (and if some other file is assigned (now free) inode number of the old ntp.conf file, SELinux will allow application to access it, altough it shouldn't).

Is above paragraph correct? Is that the way SELinux works?

Couple of questions. How to instruct SELinux portion of Linux that some inodes had changed outside of its controll, so it should update its internal databases? Am I to expect this every time I boot from CD in rescue mode and change something?

The problem is the file context of the ntp.conf file. If you add restorecon /etc/ntp.conf you should fix the problem.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]