[Spacewalk-list] SELinux contexts for distro trees

Jan Pazdziora jpazdziora at redhat.com
Thu Oct 13 11:52:18 UTC 2011


On Mon, Oct 10, 2011 at 11:26:01AM +0800, Colin Coe wrote:
> 
> Can anyone advise what the SELinux contexts should be if I've copied
> the distro ISO contents to /var/distro-trees/<label>?
> ---
> type=AVC msg=audit(1318216860.448:70920): avc:  denied  { search } for
>  pid=19249 comm="cobblerd" name="/" dev=dm-6 ino=2
> scontext=system_u:system_r:cobblerd_t:s0
> tcontext=system_u:object_r:file_t:s0 tclass=dir
> type=AVC msg=audit(1318216920.466:70921): avc:  denied  { search } for
>  pid=19272 comm="cobblerd" name="/" dev=dm-6 ino=2
> scontext=system_u:system_r:cobblerd_t:s0
> tcontext=system_u:object_r:file_t:s0 tclass=dir
> type=AVC msg=audit(1318216920.466:70922): avc:  denied  { search } for
>  pid=19272 comm="cobblerd" name="/" dev=dm-6 ino=2
> scontext=system_u:system_r:cobblerd_t:s0
> tcontext=system_u:object_r:file_t:s0 tclass=dir
> ---
> 
> I'd rather not change to permissive...

If this is for creating a kickstart distribution, it would be,
for example, spacewalk_data_t, or (probably) anything that

	sesearch --allow -s cobblerd_t -p search

would show.

Cobbler will then copy the vmlinuz and stuff to /tftpboot and give
it tftpdir_t, and it will also put it as symlinks to
/var/www/cobbler/images and give it httpd_sys_content_t.

Here's a problem though -- it used to be not trivial to force cobblerd
to create the content in /var/www/cobbler/images as symlinks and not
as hardlinks, other than having those on different filesystems. I'm
not even sure if that's something which was already addressed in EPEL.

-- 
Jan Pazdziora
Principal Software Engineer, Satellite Engineering, Red Hat
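
Added example, not part of the original thread: a small Python parser that collapses the AVC denials quoted in the question into unique (source type, target type, class, permission) tuples and builds the matching `sesearch` query from the reply. The function names are hypothetical, and narrowing the query with `-c` (the object class) is an addition to the command given in the reply.

```python
import re
from collections import Counter

# The three denials quoted in the question, with the mail line wrapping undone.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1318216860.448:70920): avc:  denied  { search } for  pid=19249 comm="cobblerd" name="/" dev=dm-6 ino=2 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1318216920.466:70921): avc:  denied  { search } for  pid=19272 comm="cobblerd" name="/" dev=dm-6 ino=2 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1318216920.466:70922): avc:  denied  { search } for  pid=19272 comm="cobblerd" name="/" dev=dm-6 ino=2 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def summarize_denials(log_text):
    """Count unique (source type, target type, class, permission) denials."""
    counts = Counter()
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # not an AVC denial record
        src = selinux_type(m.group("scontext"))
        tgt = selinux_type(m.group("tcontext"))
        for perm in m.group("perms").split():
            counts[(src, tgt, m.group("tclass"), perm)] += 1
    return counts

def sesearch_queries(counts):
    """One sesearch command per denied (source, class, permission); its output
    lists the target types the source domain is already allowed to use."""
    queries = []
    for src, _tgt, tclass, perm in counts:
        cmd = f"sesearch --allow -s {src} -c {tclass} -p {perm}"
        if cmd not in queries:
            queries.append(cmd)
    return queries

def unlabeled_targets(counts):
    """Denials whose target is file_t, the type that policy of this era gives
    to files carrying no SELinux label at all."""
    return [key for key in counts if key[1] == "file_t"]

if __name__ == "__main__":
    denials = summarize_denials(SAMPLE_AUDIT_LOG)
    for key, n in denials.items():
        print(n, key)
    print("\n".join(sesearch_queries(denials)))
```
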



