On Thu, Dec 11, 2008 at 02:58:07PM -0500, Michael DeHaan wrote:
> Anton Arapov wrote:
>> Oh, well...
>>
>>   It turns out that just to do 'chcon -t context /dev/mapper/volume'
>> is not enough, the security context will be reset to default one at
>> the next reboot.
>>   To make it permanent we need to use:
>>    # semanage fcontext -a -t virt_image_t /dev/mapper/volume
>>
>>   But, at the moment it is impossible to put it into the sub_process.call()
>> just because the execution of the semanage tool will be prohibited by
>> SELinux rules. The script that executes semanage should have the
>> appropriate context='semanage_t' as well... Furthermore, because of
>> implementation, selinux wants this context on %HOME%/.koan and/or
>> %HOME%/.koan/koan.log that means crap,....
>>
>>   Ohh .... does this ring a bell for anybody? Will try to invent
>> something ...
>>
>>   But, anyway, we must let users of selinux systems know that setting
>> the context on the LVM partition, with the semanage tool, is necessary.
>>
>> -- Anton
>>
>>
> What OS are you running on? The SELinux policy rules did not use to be
> so strict.
Stock F10. :)

> Can't koan just remain unconfined?
I'd like to ... 

// just a cut from audit.log:

type=AVC msg=audit(1229025747.953:199): avc:  denied  { append } for  pid=6333 
comm="semanage" path="/root/.koan/koan.log" dev=dm-0 ino=6171 
scontext=unconfined_u:unconfined_r:semanage_t:s0 
tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

type=AVC msg=audit(1229025747.953:199): avc:  denied  { read write } for  
pid=6333 comm="semanage" path="socket:[46575]" dev=sockfs ino=46575 
scontext=unconfined_u:unconfined_r:semanage_t:s0 
tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1229025747.953:199): arch=c000003e syscall=59 
success=yes exit=0 a0=1e84a00 a1=1e84810 a2=1e82ee0 a3=386616da70 items=0 
ppid=6312 pid=6333 auid=675 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
fsgid=0 tty=pts3 ses=1 comm="semanage" exe="/usr/bin/python" 
subj=unconfined_u:unconfined_r:semanage_t:s0 key=(null)
// ENDofCUT

> --Michael
>

-- 
-Anton
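Added example, not part of the thread or of koan/cobbler: a small Python parser for the AVC and SYSCALL records Anton quoted above. It splits each record into fields, ties the AVC lines to their SYSCALL line by audit serial (which is how you learn that the denied `comm="semanage"` was really `/usr/bin/python` run from ppid 6312), and summarises denials by (source type, target type, class). The `triage_hint` heuristics are my own reading, not policy analysis; the sample log is the mail's three records re-joined onto one line each.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC/SYSCALL records quoted in the mail above,
# re-joined onto one line each (auditd emits one record per line; the mail
# client wrapped them).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1229025747.953:199): avc:  denied  { append } for  pid=6333 comm="semanage" path="/root/.koan/koan.log" dev=dm-0 ino=6171 scontext=unconfined_u:unconfined_r:semanage_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1229025747.953:199): avc:  denied  { read write } for  pid=6333 comm="semanage" path="socket:[46575]" dev=sockfs ino=46575 scontext=unconfined_u:unconfined_r:semanage_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1229025747.953:199): arch=c000003e syscall=59 success=yes exit=0 a0=1e84a00 a1=1e84810 a2=1e82ee0 a3=386616da70 items=0 ppid=6312 pid=6333 auid=675 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=1 comm="semanage" exe="/usr/bin/python" subj=unconfined_u:unconfined_r:semanage_t:s0 key=(null)
"""

# type=<TYPE> msg=audit(<epoch>:<serial>): <body>
HEADER_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<rest>.*)$')
# avc:  denied  { perm perm } for  key=value ...
AVC_RE = re.compile(
    r'^avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]*?) \} for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Parse one audit record into a dict; returns None for non-audit lines."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "ts": float(m["ts"]), "serial": int(m["serial"])}
    body = m["rest"]
    if rec["type"] == "AVC":
        a = AVC_RE.match(body)
        if not a:
            return None
        rec["result"] = a["result"]
        rec["perms"] = a["perms"].split()
        body = a["rest"]
    rec.update((k, v.strip('"')) for k, v in KV_RE.findall(body))
    if rec["type"] == "AVC":
        # a context is user:role:type:level; type-enforcement rules key on the type
        rec["stype"] = rec["scontext"].split(":")[2]
        rec["trole"] = rec["tcontext"].split(":")[1]
        rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def parse_audit_log(text):
    return [r for r in map(parse_record, text.splitlines()) if r]


def events_by_serial(records):
    """Group records by audit serial so an AVC can be tied to its SYSCALL (exe, ppid)."""
    groups = defaultdict(list)
    for r in records:
        groups[r["serial"]].append(r)
    return dict(groups)


def summarize_denials(records):
    """(source type, target type, class) -> set of denied permissions."""
    summary = defaultdict(set)
    for r in records:
        if r["type"] == "AVC" and r["result"] == "denied":
            summary[(r["stype"], r["ttype"], r["tclass"])].update(r["perms"])
    return dict(summary)


def triage_hint(rec):
    """Heuristic reading of a denial (educational shortcut, not a policy analysis)."""
    if rec["tclass"].endswith("socket") and rec["trole"] != "object_r":
        # the socket carries another *process* domain: the confined child most
        # likely inherited the descriptor from its caller across the transition
        return ("socket labelled with process domain %s: most likely a descriptor "
                "inherited from the caller" % rec["ttype"])
    if rec["tclass"] in ("file", "dir", "blk_file", "chr_file"):
        return ("%s labelled %s; if the label is wrong, fix it persistently with "
                "'semanage fcontext' plus restorecon, not chcon alone"
                % (rec["tclass"], rec["ttype"]))
    return "no hint"


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for key, perms in sorted(summarize_denials(recs).items()):
        print("%-12s -> %-14s %-10s denied %s"
              % (key[0], key[1], key[2], " ".join(sorted(perms))))
    for r in recs:
        if r["type"] == "AVC":
            print("  %s: %s" % (r.get("path", "?"), triage_hint(r)))
    for r in events_by_serial(recs)[199]:
        if r["type"] == "SYSCALL":
            print("  executed via %s (ppid %s)" % (r["exe"], r["ppid"]))
```

Run it on a real `/var/log/audit/audit.log` by passing the file contents to `parse_audit_log`; grouping by serial is the step that matters, because the AVC line alone never tells you which binary or parent produced the denial.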

_______________________________________________
cobbler mailing list
[email protected]
https://fedorahosted.org/mailman/listinfo/cobbler