On Wed, 15 Feb 2012 18:51:37 -0500 Kevin Coffman <[email protected]> wrote:
> Everything worked while strace'ing the bosserver. I changed SELinux
> to "Permissive" mode and everything now works while running from the
> init script.
>
> Any SELinux experts out there that can point me at how to fix things
> up so SELinux is happy? (I'll run in permissive mode for now!)

Well, it depends on what you want to do. If you want to actually run
OpenAFS under the security of SELinux, you or someone needs to create
the policy and assign appropriate contexts to everything.

I don't think anyone's created SELinux policies for OpenAFS server
daemons, so if you just want the rest of the system adhering to SELinux,
but not the OpenAFS servers, you can run bosserver in an unconfined
context. It's been quite a while since I've done anything with SELinux
but I _think_ something like...

    chcon -h root:object_r:unconfined_exec_t /usr/afs/bin/bosserver

will make bosserver run without SELinux restrictions. 'ls -lZ' can show
you the context of various files (like those in /usr/afs/local), and
'ps -efZ' can say what context bosserver is running with.

That is, if that works, it just works temporarily until the files are
relabeled or I assume if you reinstall/upgrade the binary. I assume
we're supposed to package context/policy information in the RPMs in some
fashion.

--
Andrew Deason
[email protected]

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
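
One way to script the 'ps -efZ' check mentioned in the reply above, so the domain bosserver runs in can be re-verified after a relabel or package upgrade. This is an added example, not part of the original thread: the sample output, PIDs and labels are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `ps -efZ` output (labels and PIDs are made up,
# not taken from the thread).
SAMPLE_PS='LABEL                           UID        PID  PPID  C STIME TTY          TIME CMD
system_u:system_r:init_t:s0     root         1     0  0 10:00 ?        00:00:01 /sbin/init
system_u:system_r:sshd_t:s0-s0:c0.c1023 root 1200  1  0 10:00 ?        00:00:00 /usr/sbin/sshd
system_u:system_r:initrc_t:s0   root      2301     1  0 10:02 ?        00:00:00 /usr/afs/bin/bosserver'

# process_domains NAME  (reads `ps -efZ` output on stdin)
# Prints "PID TYPE" for every process whose executable basename is NAME.
# TYPE is the third field of the context user:role:type[:level].
process_domains() {
    awk -v name="$1" '
        NR == 1 { next }                  # skip the header line
        {
            n = split($1, ctx, ":")
            if (n < 3) next               # no SELinux label on this line
            cmd = $9
            sub(/.*\//, "", cmd)          # strip the directory part
            if (cmd == name) print $3, ctx[3]
        }'
}

# check_domain NAME EXPECTED_TYPE  (reads `ps -efZ` output on stdin)
# Succeeds only if at least one NAME process exists and every one of
# them runs in EXPECTED_TYPE.
check_domain() {
    process_domains "$1" | awk -v want="$2" '
        { seen = 1; if ($2 != want) bad = 1 }
        END { if (seen && !bad) exit 0; exit 1 }'
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_PS" | process_domains bosserver
if printf '%s\n' "$SAMPLE_PS" | check_domain bosserver unconfined_t; then
    echo "bosserver is running unconfined"
else
    echo "bosserver is not in unconfined_t"
fi
```

On a live system, feed it real output instead of the sample: `ps -efZ | check_domain bosserver unconfined_t`.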
