Bug 403891 - Links to configuration files
Summary: Links to configuration files
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 8
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2007-11-29 05:16 UTC by Need Real Name
Modified: 2007-11-30 22:12 UTC (History)
Fixed In Version:
Clone Of:
Environment:
Last Closed: 2007-11-30 13:38:00 UTC
Type: ---
Embargoed:


Description Need Real Name 2007-11-29 05:16:16 UTC
This is probably more of a question than a bug...

In the past I have often used links to /etc/ configuration files to allow for
multiple different configurations. This worked fine in FC6 except for a few /etc
files that were not allowed to be links (such as /etc/aliases or /etc/passwd).

In F8, using links for some configuration files (e.g. /etc/ntp.conf,
/etc/cups/cupsd.conf, /etc/samba/smb.conf, /etc/samba/smbusers,
/etc/cups/cupsd.conf, /etc/cups/printers.conf) generates selinux errors.

For example:
type=AVC msg=audit(1196113851.391:14): avc:  denied  { read } for  pid=2436
comm="cupsd" name="cupsd.conf.temp" dev=sda7 ino=1102943
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=lnk_file

I understand why selinux might want to avoid links but is there any good way for
me to selectively override this rule for some config files without opening the
hole wide open?

Comment 1 Daniel Walsh 2007-11-30 13:38:00 UTC
You can add your own rules using policy modules.  The easiest thing to do is to use
audit2allow to generate custom policy packages and then install them.

# grep cupsd /var/log/audit/audit.log | audit2allow -M mycups
# semodule -i mycups.pp
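The audit2allow step above works by parsing each AVC record into source type, target type, object class and denied permissions, then collapsing them into the smallest `allow` rules that cover exactly those denials. The script below, an added illustration that is not part of this bug report and not the real audit2allow tool, does the same thing in pure Python so the reader can see how narrow the resulting rule is: it permits only `cupsd_t` to act on `cupsd_rw_etc_t` symlinks, nothing wider. The input is the AVC line from the report rejoined onto one line, plus a second constructed `getattr` denial and an unrelated SYSCALL record to show aggregation and filtering; the module name `mycups` is the one used in the comment.

```python
import re
from collections import defaultdict

# Constructed sample audit.log excerpt. Line 1 is the report's AVC record on a single
# line as audit.log stores it; line 2 is a made-up follow-on denial for the same
# symlink; line 3 is a non-AVC record that must be ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1196113851.391:14): avc:  denied  { read } for  pid=2436 comm="cupsd" name="cupsd.conf.temp" dev=sda7 ino=1102943 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=lnk_file
type=AVC msg=audit(1196113852.001:15): avc:  denied  { getattr } for  pid=2436 comm="cupsd" name="cupsd.conf.temp" dev=sda7 ino=1102943 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1196113851.391:14): arch=c000003e syscall=2 success=no exit=-13
"""

# Matches the pieces of an AVC denial that a type-enforcement rule needs.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Extract the type field from user:role:type[:range]."""
    return ctx.split(":")[2]


def parse_avc_denials(text):
    """Return one dict per AVC denial line; non-AVC records are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append({
            "perms": m.group("perms").split(),
            "source": context_type(m.group("scontext")),
            "target": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
        })
    return denials


def aggregate_rules(denials):
    """Merge permissions per (source type, target type, class) triple."""
    rules = defaultdict(set)
    for d in denials:
        rules[(d["source"], d["target"], d["tclass"])].update(d["perms"])
    return dict(rules)


def fmt_perms(perms):
    """Single permission bare, several in braces, as audit2allow prints them."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_te_module(name, rules):
    """Render a .te source file covering exactly the aggregated denials."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"    type {t};" for t in types]
    out += [f"    class {cls} {fmt_perms(p)};" for cls, p in sorted(classes.items())]
    out += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        out.append(f"allow {src} {tgt}:{cls} {fmt_perms(perms)};")
    return "\n".join(out) + "\n"


def build_module(name, audit_text):
    return render_te_module(name, aggregate_rules(parse_avc_denials(audit_text)))


if __name__ == "__main__":
    print(build_module("mycups", SAMPLE_AUDIT_LOG))
```

The output is the `.te` source that `audit2allow -M` would compile into `mycups.pp`; read it before running `semodule -i` and confirm every `allow` line names only the domain, type and class you expect, which is what keeps the override selective rather than a broad opening.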


Comment 2 Daniel Walsh 2007-11-30 13:38:32 UTC
BTW questions like this should be asked on the Fedora-Selinux mailing list.

