Bug 403891 - Links to configuration files
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
All Linux
low Severity low
Assigned To: Daniel Walsh
Ben Levenson
Reported: 2007-11-29 00:16 EST by Need Real Name
Modified: 2007-11-30 17:12 EST
Doc Type: Bug Fix
Last Closed: 2007-11-30 08:38:00 EST
Description Need Real Name 2007-11-29 00:16:16 EST
This is probably more of a question than a bug...

In the past I have often used links to /etc/ configuration files to allow for
multiple different configurations. This worked fine in FC6 except for a few /etc
files that were not allowed to be links (such as /etc/aliases or /etc/passwd).

In F8, using links for some configuration files (e.g. /etc/ntp.conf,
/etc/cups/cupsd.conf, /etc/samba/smb.conf, /etc/samba/smbusers,
/etc/cups/cupsd.conf, /etc/cups/printers.conf) generates selinux errors.

For example:
type=AVC msg=audit(1196113851.391:14): avc:  denied  { read } for  pid=2436
comm="cupsd" name="cupsd.conf.temp" dev=sda7 ino=1102943
tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=lnk_file

I understand why selinux might want to avoid links but is there any good way for
me to selectively override this rule for some config files without opening the
hole wide open?
Comment 1 Daniel Walsh 2007-11-30 08:38:00 EST
You can add your own rules using policy modules.  The easiest thing to do is use
audit2allow to generate custom policy packages and then install them.

# grep cupsd /var/log/audit/audit.log | audit2allow -M mycups
# semodule -i mycups.pp
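
Added example (not part of the original thread and not audit2allow's own code): a Python sketch that reads AVC records and emits a type-enforcement module covering only lnk_file denials for one daemon, so the override stays limited to the symlink reads asked about. The sample records, including their scontext values, are constructed; the first one follows the record quoted in the report.

```python
import re
from collections import defaultdict

# Constructed sample records, one per line as in audit.log. The scontext
# values and the second and third records are assumptions for illustration.
SAMPLE_LOG = """\
type=AVC msg=audit(1196113851.391:14): avc:  denied  { read } for  pid=2436 comm="cupsd" name="cupsd.conf.temp" dev=sda7 ino=1102943 scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=lnk_file
type=AVC msg=audit(1196113852.100:15): avc:  denied  { write } for  pid=2436 comm="cupsd" name="notes.txt" dev=sda7 ino=99 scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1196113853.200:16): avc:  denied  { read } for  pid=2501 comm="ntpd" name="ntp.conf" dev=sda7 ino=77 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=lnk_file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]+)".*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

def parse_denials(log_text, comm, tclass="lnk_file"):
    """Collect denied perms per (source type, target type) for one daemon
    and one object class; every other denial in the log is ignored."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m["comm"] != comm or m["tclass"] != tclass:
            continue
        src = m["scon"].split(":")[2]   # user:role:type:level -> type
        tgt = m["tcon"].split(":")[2]
        rules[(src, tgt)].update(m["perms"].split())
    return rules

def _perms(perms):
    p = sorted(perms)
    return p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"

def render_module(name, rules, tclass="lnk_file"):
    """Render the collected rules as type-enforcement (.te) module text."""
    if not rules:
        raise ValueError("no matching denials; nothing to allow")
    types = sorted({t for pair in rules for t in pair})
    all_perms = set().union(*rules.values())
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines.append(f"\tclass {tclass} {_perms(all_perms)};")
    lines += ["}", ""]
    for (src, tgt), perms in sorted(rules.items()):
        lines.append(f"allow {src} {tgt}:{tclass} {_perms(perms)};")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(render_module("mycups", parse_denials(SAMPLE_LOG, "cupsd")))
```

The emitted text has the layout of the mycups.te file that audit2allow -M writes next to mycups.pp, so reading that file before running semodule -i serves the same review purpose.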
Comment 2 Daniel Walsh 2007-11-30 08:38:32 EST
BTW, questions like this should be asked on the Fedora-Selinux mailing list.
