Forum: CFEngine Help
Subject: Re: SELinux experience
Author: juriskrumins
Link to topic: https://cfengine.com/forum/read.php?3,27022,27030#msg-27030
I believe it's not about the policy. The Red Hat documentation "Red Hat Enterprise Linux 6 Security-Enhanced Linux", chapter 5.10 "Maintaining SELinux Labels", explains different scenarios regarding file operations vs. SELinux label management.

    # ls -Zd web
    drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 web
    # touch /web/test
    # ls -Zd web/test
    -rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 web/test

Looks good, at least from the SELinux default behavior perspective: the file inherits its context from the upper directory. However, it depends, because when you need a different context for the "test" file you have to change it, and file promises currently lack an ability to set/keep context on file objects (as far as I know from the CFEngine reference manual).

    # cp /etc/group /web/
    # ls -Zd web/group
    -rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 web/group
    # cp -c /etc/group /web/group1
    # ls -Z /web/group1
    -rw-r--r--. root root system_u:object_r:etc_t:s0 /web/group1

This is ok or not, since it depends: cp has options (-c, same as --preserve=context) to preserve the context (explicitly set it) or to stay with the default SELinux behaviour.

    # mv /web/test /etc
    # ls -Z /etc/test
    -rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /etc/test
    #

This is ok or not, since it depends. So I think what is necessary is an ability to set/keep a defined context for file type objects in CFEngine, like we do for ACLs for example.

_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine
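Because `cp -c` and `mv` both bring a file into /web with its old label rather than the one the parent directory would give it, the practical check is to walk the tree and flag every file whose SELinux type differs from the one expected there. The script below is an added example, not code from the post or from CFEngine: it parses the `user:role:type:level` context string with a plain shell function, uses GNU `stat -c %C` to read each file's context, and falls back to `restorecon` (which re-applies the policy's file-context rules, unlike a one-off `chcon -t`) to fix any mismatch. The directory /web and the type httpd_sys_content_t come from the post; the function names and the sample context strings are mine.

```shell
#!/bin/sh
# Added example: find files under a directory whose SELinux type does not
# match the type expected for that tree, then optionally relabel them.
# Assumes GNU coreutils (stat -c %C, find -mindepth) and policycoreutils
# (restorecon); on a host without SELinux, stat prints "?" as the context,
# which is reported as a mismatch.

# Extract the type field (third colon-separated field) from a context
# string such as unconfined_u:object_r:httpd_sys_content_t:s0.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Return 0 when the context string carries the expected type, 1 otherwise.
type_matches() {
    [ "$(context_type "$1")" = "$2" ]
}

# Print "<path> <context>" for every entry under $1 whose type is not $2.
# Prints nothing when the tree is clean. Files brought in with `cp -c` or
# `mv` (which keep their source label) show up here; files created with
# `touch` or a plain `cp` (which inherit from the directory) do not.
find_mislabeled() {
    dir=$1; want=$2
    find "$dir" -mindepth 1 -print | while IFS= read -r f; do
        ctx=$(stat -c %C "$f")
        type_matches "$ctx" "$want" || printf '%s %s\n' "$f" "$ctx"
    done
}

# Reset labels under $1 to what the policy's file-context rules specify.
# This undoes both the stale etc_t from `cp -c` and the httpd_sys_content_t
# that `mv` carried into /etc; a `chcon -t` would itself be undone by the
# next restorecon, so it is not used here.
fix_labels() {
    restorecon -R -v "$1"
}

# Usage: sh check_labels.sh /web [httpd_sys_content_t] [--fix]
if [ -n "${1:-}" ]; then
    dir=$1; want=${2:-httpd_sys_content_t}
    bad=$(find_mislabeled "$dir" "$want")
    if [ -n "$bad" ]; then
        printf 'mislabeled under %s (expected %s):\n%s\n' "$dir" "$want" "$bad"
        [ "${3:-}" = "--fix" ] && fix_labels "$dir"
    else
        printf 'all entries under %s carry type %s\n' "$dir" "$want"
    fi
fi
```

Run it read-only first (`sh check_labels.sh /web`) to see what `cp -c` or `mv` left behind, and only then with `--fix`; the same two-step fits a CFEngine `commands` promise that runs the check and lets `restorecon` repair the tree until file promises can carry a context of their own.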