[Spacewalk-list] SELinux contexts for distro trees

Colin Coe colin.coe at gmail.com
Fri Oct 14 05:49:51 UTC 2011 

On Thu, Oct 13, 2011 at 7:52 PM, Jan Pazdziora <jpazdziora at redhat.com> wrote:
> On Mon, Oct 10, 2011 at 11:26:01AM +0800, Colin Coe wrote:
>>
>> Can anyone advise what the SELinux contexts should be if I've copied
>> the distro ISO contents to /var/distro-trees/<label>?
>> ---
>> type=AVC msg=audit(1318216860.448:70920): avc:  denied  { search } for
>>  pid=19249 comm="cobblerd" name="/" dev=dm-6 ino=2
>> scontext=system_u:system_r:cobblerd_t:s0
>> tcontext=system_u:object_r:file_t:s0 tclass=dir
>> type=AVC msg=audit(1318216920.466:70921): avc:  denied  { search } for
>>  pid=19272 comm="cobblerd" name="/" dev=dm-6 ino=2
>> scontext=system_u:system_r:cobblerd_t:s0
>> tcontext=system_u:object_r:file_t:s0 tclass=dir
>> type=AVC msg=audit(1318216920.466:70922): avc:  denied  { search } for
>>  pid=19272 comm="cobblerd" name="/" dev=dm-6 ino=2
>> scontext=system_u:system_r:cobblerd_t:s0
>> tcontext=system_u:object_r:file_t:s0 tclass=dir
>> ---
>>
>> I'd rather not change to permissive...
>
> If this is for creating kickstart distribution, it would be
> for example spacewalk_data_t, or (probably) anything that
>
>        sesearch --allow -s cobblerd_t -p search
>
> would show.
>
> Cobbler will then copy the vmlinuz and stuff to /tftpboot and give
> it tftpdir_t, and it will also put it as symlinks to
> /var/www/cobbler/images and give it httpd_sys_content_t.
>
> Here's a problem thou -- it used to be not trivial to force cobblerd
> to create the content in /var/www/cobbler/images as symlinks and not
> as hardlinks, other than having those on different filesystems. I'm
> not even sure if that's something which was already addressed in EPEL.
>
> --
> Jan Pazdziora
> Principal Software Engineer, Satellite Engineering, Red Hat
>

Hi Jan

I'm doing things a little differently.  I don't want to mount the ISOs
so what I've done is copied the ISOs (minus the .rpm files) in
/var/distro-trees/<label>/.  Thats why SELinux is complaining.

How should I set the contexts to resolve this?

Thanks

CC

-- 
RHCE#805007969328369

More information about the Spacewalk-list mailing list