Description of problem: I have scripts in /usr/local/sbin/ and the have labels like root:object_r:bin_t:SystemLow. If I will put a symlink pointin to such script into, say, /etc/cron.daily or /etc/cron.hourly than that symlink ends up with root:object_r:etc_t:SystemLow while other executables there have labels system_u:object_r:bin_t:SystemLow. The net effect is that later I see in /var/log/cron Could not set exec or key create context to system_u:system_r:system_cronjob_t:SystemLow:SystemLow-SystemHigh for user If I make a copy of hardlink files then lablels end up as system_u:object_r:bin_t:SystemLow, i.e. as anything else. Version-Release number of selected component (if applicable): selinux-policy-3.6.32-46.fc12 Additional info: This a new behaviour as I was hit by it after upgrading Fedora 10 to Fedora 12 which promptly broke my existing scripts even if I was running previously with enforcing selinux too.
OTOH see bug 426428. Boggle!
I am changing the labeling so all files in that directory will be bin_t, not just regular files. Current labeling is /etc/cron.daily/.* -- gen_context(system_u:object_r:bin_t,s0) Which says label all files as bin_t New labeling says /etc/cron.daily(/.*)? gen_context(system_u:object_r:bin_t,s0) Which should set all of the labels to bin_t. You can set this your self doing # semanage fcontext -a -t bin_t '/etc/cron.daily(/.*)?' # restorecon -R -v /etc/cron.daily Fixed in selinux-policy-3.6.32-52.fc12.noarch
selinux-policy-3.6.32-52.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-52.fc12
selinux-policy-3.6.32-52.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12549
selinux-policy-3.6.32-55.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-55.fc12
selinux-policy-3.6.32-55.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12650
selinux-policy-3.6.32-55.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
selinux-policy-3.6.32-120.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-120.fc12
selinux-policy-3.6.32-120.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.