On 06/23/2011 12:27 PM, Dominick Grift wrote:
On 06/23/2011 09:21 PM, Daniel B. Thurman wrote:
I am trying to bring kmotion under control of SELinux, so how can I do it?
- I tried context httpd_exec_t and httpd_t, but neither seems to work, so out of the zillions of options, which do I use, as these files are apache and python programs? (See log below):
semanage fcontext -a -t httpd_t '/www/kmotion/www/vhosts/kmotion'
semanage fcontext -a -t httpd_t '/www/kmotion/www/www/cgi_bin'
semanage fcontext -a -t httpd_t '/www/kmotion/www/www/cgi_bin/*'
semanage fcontext -d -t httpd_t '/www/kmotion/www/vhosts/kmotion'
semanage fcontext -d -t httpd_t '/www/kmotion/www/www/cgi_bin'
semanage fcontext -d -t httpd_t '/www/kmotion/www/www/cgi_bin/*'
semanage fcontext -a -t httpd_sys_content_t "/www(/.*)?"
semanage fcontext -a -t httpd_sys_script_exec_t "/www/kmotion/www/www/cgi_bin(/.*)?"
restorecon -R -v -F /www
I think that should do it
Almost worked! I also had to do:
semanage fcontext -a -t httpd_sys_content_rw_t "/www/kmotion/www/apache_logs(/.*)?"
restorecon -R -v -F /www
And I was able to start httpd running on system reboot. However, while kmotion was running and doing things, I had to add:
semanage fcontext -a -t httpd_sys_content_rw_t "/www/kmotion/www/image_dbase(/.*)?"
semanage fcontext -a -t httpd_sys_content_rw_t "/www/kmotion/www/mutex/www_rc"
restorecon -R -v -F /www
But I ran into a tough nut to crack, setroubleshooter was complaining:
+ SELinux is preventing /usr/sbin/httpd from using potentially mislabeled files last_jpeg.
+ SELinux is preventing /usr/sbin/httpd from using potentially mislabeled files event.
These files are located in: /dev/shm/kmotion_ramdisk areas, so I added:
semanage fcontext -a -t httpd_sys_content_rw_t "/dev/shm/kmotion_ramdisk(/.*)?"
restorecon -R -v -F /dev/shm/kmotion_ramdisk/
And yet, the oddball here is that all the files in this directory show context as:
restorecon reset /dev/shm/kmotion_ramdisk/01/last_jpeg context system_u:object_r:httpd_sys_rw_content_t:s0->system_u:object_r:device_t:s0
restorecon reset /dev/shm/kmotion_ramdisk/events context system_u:object_r:httpd_sys_rw_content_t:s0->system_u:object_r:device_t:s0
Look carefully ==> _rw_ <== is put into the wrong position!
I could test this using chcon and the results are the same.
Something is preventing me from properly labelling the files in /dev/shm/kmotion_ramdisk area since _rw_ is put after 'sys' instead of after 'content'!
I tried:
chcon -R -t httpd_sys_content_rw_t /dev/shm/kmotion_ramdisk (_rw_ is in the wrong position)
I also tried to see if I get a different result as if _rw_ would be swapped:
chcon -R -t httpd_sys_rw_content_t /dev/shm/kmotion_ramdisk (_rw_ is still in the wrong position)
How do I fix this?
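
An added example, not part of the original thread: a small shell helper that reads `restorecon -v` lines in the `reset PATH context OLD->NEW` form quoted above and reports the type each file had before and the type restorecon applied, flagging any file that did not end up with the intended type. The function names and the expected-type argument are assumptions of this sketch; the sample input is the two lines from the message.

```shell
#!/bin/sh
# Extract the SELinux type (third colon-separated field) from a context
# such as system_u:object_r:device_t:s0.
selinux_type() {
    local ctx=$1
    local IFS=:
    set -- $ctx
    printf '%s\n' "$3"
}

# check_relabels EXPECTED_TYPE < restorecon-output
# For each "restorecon reset PATH context OLD->NEW" line, prints
# "OK|MISMATCH path old_type new_type". Returns 1 if any file ended up
# with a type other than EXPECTED_TYPE.
check_relabels() {
    local expected=$1 rc=0 line path ctxs old new
    while IFS= read -r line; do
        case $line in
            "restorecon reset "*" context "*"->"*) ;;
            *) continue ;;                     # ignore unrelated output
        esac
        line=${line#restorecon reset }
        path=${line%% context *}
        ctxs=${line#* context }
        old=$(selinux_type "${ctxs%%->*}")     # label before restorecon ran
        new=$(selinux_type "${ctxs#*->}")      # label restorecon applied
        if [ "$new" = "$expected" ]; then
            printf 'OK %s %s %s\n' "$path" "$old" "$new"
        else
            printf 'MISMATCH %s %s %s\n' "$path" "$old" "$new"
            rc=1
        fi
    done
    return $rc
}

# Sample input: the two restorecon lines quoted in the thread.
sample_log() {
    cat <<'EOF'
restorecon reset /dev/shm/kmotion_ramdisk/01/last_jpeg context system_u:object_r:httpd_sys_rw_content_t:s0->system_u:object_r:device_t:s0
restorecon reset /dev/shm/kmotion_ramdisk/events context system_u:object_r:httpd_sys_rw_content_t:s0->system_u:object_r:device_t:s0
EOF
}

sample_log | check_relabels httpd_sys_rw_content_t ||
    echo "some files were not left with the expected type"
```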