First Last Prev Next    This bug is not in your last search results.
Bug 403891 - Links to configuration files
Links to configuration files
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
8
All Linux
low Severity low
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-11-29 00:16 EST by Need Real Name
Modified: 2007-11-30 17:12 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-11-30 08:38:00 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Need Real Name 2007-11-29 00:16:16 EST 
This is probably more of a question than a bug...

In the past I have often used links to /etc/ configuration files to allow for
multiple different configurations. This worked fine in FC6 except for a few /etc
files that were not allowed to be links (such as /etc/aliases or /etc/passwd).

In F8, using links for some configuration files (e.g. /etc/ntp.conf,
/etc/cups/cupsd.conf, /etc/samba/smb.conf, /etc/samba/smbusers,
/etc/cups/cupsd.conf, /etc/cups/printers.conf) generates selinux errors.

For example:
type=AVC msg=audit(1196113851.391:14): avc:  denied  { read } for  pid=2436
comm="cupsd" name="cupsd.conf.temp" dev=sda7 ino=1102943
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=lnk_file

I understand why selinux might want to avoid links but is there any good way for
me to selectively override this rule for some config files without opening the
hole wide open?
Comment 1 Daniel Walsh 2007-11-30 08:38:00 EST 
You can add your own rules using policy modules.  The easiest thing to do it use
audit2allow to generate custom policy packages and then install them.

# grep cupsd /var/log/audit/audit.log | audit2allow -M mycups
# semodule -i mycups.pp
Comment 2 Daniel Walsh 2007-11-30 08:38:32 EST 
BTY Questions like this should be asked on the Fedora-Selinux Mailling list.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.