On 2013/12/16 04:37, David Sommerseth wrote:
On 16. des. 2013 12:52, jdow wrote:
On 2013/12/16 02:48, David Sommerseth wrote:
On 15. des. 2013 03:13, jdow wrote:
On 2013/12/14 18:05, S.Tindall wrote:
On Sat, 2013-12-14 at 17:36 -0800, jdow wrote:
I kinda wondered if somebody here had an idea.

Ah well....
{o.o}

I would start with:

    # restorecon -vr /etc/ddclient*
    # restorecon -vr /var/cache/ddclient

and then retest in permissive mode.

    # setenforce 0

Steve


More or less been there done that.

"restorecon -r /var" took a bit longer, and fixed one other unrelated
file. But the basic problem persisted.

Most likely the EPEL package does not include a proper file context for
the /var/cache/ddclient directory.

As a quick-fix, which I believe should be fairly safe, you can add the
dhcpc_t security context to that directory.  Just run as root:

     # semanage fcontext -a -t dhcpc_t '/var/cache/ddclient(/.*)?'

Then you can try the restorecon command again and see if it helps.


--
kind regards,

David Sommerseth

I think I'll wait a little bit pending a reply from the SELinux guru. It
looks like one of those hard to undo things that makes going forward
cleanly very awkward.

To undo that command above ... replace -a with -d .... really, SELinux
isn't that hard or complicated ;-)   'semanage fcontext' is basically
comparable to 'chown' - just for SELinux instead.

Of course, the harder way to do this is to implement a separate SELinux
type for ddclient, and set up the proper accesses the ddclient program
needs.  That requires far more skills.  I see that ddclient does have
such a policy ready in Fedora 19 (just checked the source package for
selinux-policy).  But I doubt that policy will get into EL6 as part of
the base policy, also because ddclient is "just" an EPEL package.

If you pick out the ddclient.{te,fc,if} files from the contrib SELinux
reference policy used in newer Fedoras, you might be lucky to build that
as a separate SELinux module (you need the selinux-policy-devel package
installed).  But that does require a bit more skills, and it might also
require some backporting too.  From a quick glance at the policy, it
isn't too complicated.  But it uses macros heavily, which I'd suspect
would be the biggest hurdle - as many of them might be from newer
reference policies than what is shipped in EL6.  Anyhow, if you're able
to build this as a SELinux module, it's 'semodule -i ddclient.pp' and to
unload it (back to how it was before) you use 'semodule -r ddclient'.


--
kind regards,

David Sommerseth

Were I about 40 years younger I'd be pushing to learn that stuff. But I'm
old enough and deep enough into a different field getting prepackaged
stuff is well worth it.

My passion at the moment is Software Defined Radios. They complete a
circle. I started out designing radio communications equipment,
sometimes for satellites. I moved into software. Then I am moving back
to the merger of the two fields. SDRs are fully complex enough to keep
my brain going these days.

Thanks for the additional information. I'll give a try tomorrow. (It is
bed time by a somewhat insomniac's definition of bed time.)

{^_-}   Joanne
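
The quick fix discussed in this thread (a local file-context rule, a relabel, and the `-d` undo), written out as an added shell example that is not part of any poster's message. The function names and the `apply`/`undo` wrapper are hypothetical, and the type is passed as an argument (the thread suggests `dhcpc_t`).

```shell
#!/bin/sh
# Added example (not from the thread): label a directory with a local
# SELinux file-context rule, verify the result, and undo it again.

# Build the usual "directory and everything below it" pattern.
fc_pattern() { printf '%s(/.*)?' "$1"; }

# File-context patterns are anchored regexes. Check that a pattern really
# covers a path before handing it to semanage, which also accepts a
# mistyped pattern that matches nothing (restorecon then changes nothing).
pattern_covers() { printf '%s\n' "$2" | grep -Eqx -- "$1"; }

label_dir() {  # usage: label_dir DIR TYPE
    dir=$1
    ctype=$2
    pat=$(fc_pattern "$dir")
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    pattern_covers "$pat" "$dir" || { echo "pattern misses $dir" >&2; return 1; }
    semanage fcontext -a -t "$ctype" "$pat" || return 1
    restorecon -Rv "$dir" || return 1
    # matchpathcon -n prints the context the policy now expects for the path.
    case $(matchpathcon -n "$dir") in
        *":$ctype:"*|*":$ctype") echo "ok: $dir -> $ctype" ;;
        *) echo "policy still expects another type for $dir" >&2; return 1 ;;
    esac
}

unlabel_dir() {  # usage: unlabel_dir DIR TYPE
    # Same rule with -d instead of -a, then relabel back to the default.
    semanage fcontext -d -t "$2" "$(fc_pattern "$1")" && restorecon -Rv "$1"
}

# Run as root: script apply DIR TYPE, or script undo DIR TYPE.
case ${1:-} in
    apply) label_dir "$2" "$3" ;;
    undo)  unlabel_dir "$2" "$3" ;;
esac
```

`semanage fcontext -l -C` lists the local rules currently in effect, which is a quick way to confirm that the undo removed the entry.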
