How to label top level non default dirs
Tony Molloy
tony.molloy at ul.ie
Tue Apr 21 13:43:42 UTC 2009
On Tuesday 21 April 2009 13:25:52 you wrote:
> On 04/21/2009 07:31 AM, Tony Molloy wrote:
> > Hi,
> >
> > If I have a top level non default directory, say for argument called
> > /data. This directory contains various scripts and text files which
> > should be available to everyone. Now when I do an install it gets the
> > default SELinux context file_t. But this generates lots of AVCs if I set
> > SELinux to enforcing. What should I label this directory as?
> >
> > Regards,
> >
> > Tony
>
> You should never get a file/directory labeled file_t. These should only
> be able to be created on machines without SELinux. file_t means no
> label at all. If you run restorecon on /data it will get assigned
> default_t.
>
> restorecon -R -v /data
These were old partitions left over from previous installs. The restorecon
changed them to default_t. So that worked.
>
> This label should be available to the unconfined user and not available
> to any confined domain. That will probably fix most of your AVCs. If
> you wanted to label it like a home directory you could set its labeling
> to user_home_t.
>
> # semanage fcontext -a -t user_home_t '/data(/.*)?'
> # restorecon -R -v /data
>
> This would allow all confined domains that have access to the home
> directory access to these files. If you want to give access to apache,
> you might need to assign a different context.
The situation is I have a partition on all my servers called /archive which
survives re-installs.
This contains several directories, e.g.
/archive/extra-software for extra software to be installed on the server
after a re-install
/archive/gpg-keys the gpg-keys to be installed
/archive/server-config-script A script to be run after an install to
configure the server
Now this script needs to be able to write to /archive to log what it did.
So I was wondering if there was a context which should be used for this type
of situation. I suppose I could label it as a home directory.
Thanks,
Tony
--
Dept. of Comp. Sci.
University of Limerick.
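The two things this thread turns on are reading the AVC denials to see which target type is being hit (file_t meaning "no label at all", default_t being the fallback restorecon assigns) and then giving the directory a persistent file-context rule with semanage fcontext plus restorecon. The script below is an added example, not code from the list or from the Fedora SELinux tooling: it parses constructed audit.log lines (they are made up for this example, not from Tony's servers), counts denials by source domain, target type and object class, flags target types that indicate an unlabeled or fallback-labeled path, and emits the exact semanage/restorecon pair Dan gave for a chosen path and type.

```python
import re
from collections import Counter

# Constructed sample lines in /var/log/audit/audit.log format (not from the thread).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1240321000.101:201): avc:  denied  { read } for  pid=2011 comm="httpd" name="setup.sh" dev=sda5 ino=1201 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1240321000.102:202): avc:  denied  { getattr search } for  pid=2011 comm="httpd" name="extra-software" dev=sda5 ino=1200 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=SYSCALL msg=audit(1240321000.102:202): arch=c000003e syscall=4 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1240321000.103:203): avc:  denied  { read } for  pid=2011 comm="httpd" name="setup.sh" dev=sda5 ino=1201 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
"""

# One AVC record per line: permissions in braces, then comm, scontext, tcontext, tclass.
AVC_RE = re.compile(
    r'^type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'.*?\bcomm="(?P<comm>[^"]*)"'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
)

# Target types that mean no specific file-context rule matched the path:
# file_t is an unlabeled file (as explained in the thread), default_t is the
# policy's fallback label that restorecon assigns when nothing else matches.
FALLBACK_TYPES = {"file_t", "unlabeled_t", "default_t"}


def context_type(context):
    """Return the type field of a user:role:type[:level] context string."""
    return context.split(":")[2]


def parse_avc_denials(log_text):
    """Parse AVC denial records; non-AVC records (SYSCALL, ...) are skipped."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue
        denials.append({
            "comm": m.group("comm"),
            "perms": m.group("perms").split(),
            "source_type": context_type(m.group("scontext")),
            "target_type": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
        })
    return denials


def summarize(denials):
    """Count denials by (source domain, target type, object class)."""
    return Counter((d["source_type"], d["target_type"], d["tclass"]) for d in denials)


def relabel_candidates(denials):
    """Target types from the denials that point at unlabeled/fallback-labeled paths."""
    return {d["target_type"] for d in denials if d["target_type"] in FALLBACK_TYPES}


def fcontext_commands(path, setype):
    """The persistent labeling recipe from the thread: a file-context rule
    covering the directory and everything below it, then a recursive relabel."""
    return [
        f"semanage fcontext -a -t {setype} '{path}(/.*)?'",
        f"restorecon -R -v {path}",
    ]


if __name__ == "__main__":
    found = parse_avc_denials(SAMPLE_AUDIT_LOG)
    for key, n in sorted(summarize(found).items()):
        print(f"{n:3d}  {key[0]} -> {key[1]} ({key[2]})")
    for t in sorted(relabel_candidates(found)):
        print(f"target type {t}: path has no file-context rule, consider relabeling")
    print("\n".join(fcontext_commands("/archive", "user_home_t")))
```

Run it against a real audit.log by replacing SAMPLE_AUDIT_LOG with the file's contents; a denial whose target type is default_t after a restorecon is the signal that the path needs its own fcontext rule rather than another restorecon, which is exactly the /archive case above.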