How to label top level non default dirs

Tony Molloy tony.molloy at ul.ie
Tue Apr 21 13:43:42 UTC 2009


On Tuesday 21 April 2009 13:25:52 you wrote:
> On 04/21/2009 07:31 AM, Tony Molloy wrote:
> > Hi,
> >
> > If I have a top level non default directory, say for argument called
> > /data. This directory contains various scripts and text files which
> > should be available to everyone. Now when I do an install it gets the
> > default selinux context file_t. But this generates lots of AVCs if I set
> > selinux to enforcing. What should I label this directory as?
> >
> > Regards,
> >
> > Tony
>
> You should never get a file/directory labeled file_t.  These should only
> be able to be created on machines without SELinux.  file_t means no
> label at all.  If you run restorecon on /data it will get assigned
> default_t.
>
> restorecon -R -v /data

These were old partitions left over from previous installs. The restorecon 
changed them to default_t. So that worked.
>
> This label should be available to the unconfined user and not available
> to any confined domain.  That will probably fix most of your AVCs.  If
> you wanted to label it like a home directory you could set its labeling
> to user_home_t.
>
> # semanage fcontext -a -t user_home_t '/data(/.*)?'
> # restorecon -R -v /data
>
> This would allow all confined domains that have access to the home
> directory access to these files.   If you want to give access to apache,
> you might need to assign a different context.

The situation is I have a partition on all my servers called /archive which 
survives re-installs.

This contains several directories, e.g.:
  /archive/extra-software        extra software to be installed on the server after a re-install
  /archive/gpg-keys              the gpg-keys to be installed
  /archive/server-config-script  a script to be run after an install to configure the server

Now this script needs to be able to write to /archive to log what it did.

So I was wondering if there was a context which should be used for this type 
of situation. I suppose I could label it as a home directory.

Thanks,

Tony

-- 

Dept. of Comp. Sci.
University of Limerick.
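As an added example that is not part of this thread (neither Tony's nor the replier's code), the POSIX shell helper below emits the persistent semanage/restorecon pair from the quoted reply for a directory like /archive, and scans audit AVC lines for denials whose target is still labeled file_t or default_t, i.e. the cases that a relabel fixes rather than a policy change. The function names are my own, and the audit lines are constructed samples, not real output; semanage and restorecon are assumed to come from policycoreutils on the target host.

```sh
#!/bin/sh
# Added example, not code from the thread: plan a persistent label for a custom
# top-level directory and spot AVC denials whose target carries the fallback
# types file_t/default_t. The functions only emit text, so they also run on a
# host without SELinux (useful against saved audit logs).

# Emit the two commands from the reply for DIR ($1) and TYPE ($2). The regex is
# single-quoted so the shell does not expand it; without the semanage rule the
# next restorecon or full relabel would put the directory back to default_t.
label_plan() {
    printf "semanage fcontext -a -t %s '%s(/.*)?'\n" "$2" "$1"
    printf "restorecon -R -v %s\n" "$1"
}

# Read audit AVC lines on stdin; print "<type> <name>" for each denial whose
# target object (tcontext) is labeled file_t or default_t.
fallback_targets() {
    awk '/avc: +denied/ {
        name = ""; ttype = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^name=/)     { name = substr($i, 6); gsub(/"/, "", name) }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); ttype = c[3] }
        }
        if (ttype == "file_t" || ttype == "default_t") print ttype, name
    }'
}

# Constructed sample denials (not real audit output): a cron-run config script
# writing to /archive (default_t), httpd reading a home-labeled file, and gpg
# touching an unlabeled (file_t) directory left over from an old install.
SAMPLE_AVC='type=AVC msg=audit(1240321452.001:10): avc:  denied  { write } for  pid=2201 comm="server-config" name="archive" dev="sda3" ino=2 scontext=system_u:system_r:crond_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1240321452.002:11): avc:  denied  { read } for  pid=2202 comm="httpd" name="index.html" dev="sda3" ino=4 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1240321452.003:12): avc:  denied  { getattr } for  pid=2203 comm="gpg" name="gpg-keys" dev="sda3" ino=7 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir'

# Stand-alone run: print the plan for /archive, then the denials a relabel fixes.
label_plan /archive user_home_t
printf '%s\n' "$SAMPLE_AVC" | fallback_targets
```

Only the first and third sample denials are reported; the httpd one targets user_home_t, which is a real label and needs a different context or policy decision, as the reply notes.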
