Bug 403891
| Summary: | Links to configuration files | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Need Real Name <bugzilla> |
| Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED NOTABUG | QA Contact: | Ben Levenson <benl> |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | 8 | ||
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2007-11-30 13:38:00 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
You can add your own rules using policy modules. The easiest thing to do it use audit2allow to generate custom policy packages and then install them. # grep cupsd /var/log/audit/audit.log | audit2allow -M mycups # semodule -i mycups.pp BTY Questions like this should be asked on the Fedora-Selinux Mailling list. |
This is probably more of a question than a bug... In the past I have often used links to /etc/ configuration files to allow for multiple different configurations. This worked fine in FC6 except for a few /etc files that were not allowed to be links (such as /etc/aliases or /etc/passwd). In F8, using links for some configuration files (e.g. /etc/ntp.conf, /etc/cups/cupsd.conf, /etc/samba/smb.conf, /etc/samba/smbusers, /etc/cups/cupsd.conf, /etc/cups/printers.conf) generates selinux errors. For example: type=AVC msg=audit(1196113851.391:14): avc: denied { read } for pid=2436 comm="cupsd" name="cupsd.conf.temp" dev=sda7 ino=1102943 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=lnk_file I understand why selinux might want to avoid links but is there any good way for me to selectively override this rule for some config files without opening the hole wide open?