Chapter 5. Controlling and Maintaining SELinux
5.2.4. Grant Access to a Directory or a Tree
Just as with regular Linux DAC permissions, a targeted daemon must have SELinux permissions to be able to descend the directory tree from the root. This does not mean that a directory and its contents need to have the same type. There are many types, such as root_t, tmp_t, and usr_t, that grant read access for a directory. These are good types to use if you have a directory with no secret information that you want to be widely readable. Such a type might also be a good choice for the parent directory of more secured directories with different contexts.
If you are working with an avc: denied message, there are some common problems that arise with directory traversal. For example, many programs run the equivalent of ls -l /, which is not necessary to their operation but generates a denial message in the logs. For this you need to create a dontaudit rule in your local.te file. Read more about this in Chapter 8 Customizing and Writing Policy.
When you are interpreting the AVC denial message, you might be misled by the path=/ component. This path is not related to the label for the root file system, /. It is actually relative to the root of the file system on the device node. For example, if your /var/ directory is located on an LVM (Logical Volume Management[1]) device, /dev/dm-0, the device node is identified in the message as dev=dm-0. When you see path=/ in this example, that is the top level of the LVM device dm-0, not necessarily the same as the root file system designation /.
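The following script is an added example (not from the original guide) that resolves the path in an AVC denial the way the paragraph above describes: it reads the dev= and path= fields and joins the path onto the mount point of that device rather than the system root. The AVC line and the device-to-mount-point table are constructed sample data; on a live host the table would be built from /proc/mounts (for dm-N names, via /sys/block/dm-N/dm/name).

```shell
#!/bin/sh
# Constructed sample AVC denial: note path=/ together with dev=dm-0.
AVC_LINE='avc:  denied  { getattr } for  pid=2345 comm="httpd" path=/ dev=dm-0 ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:var_t tclass=dir'

# Constructed mount table: kernel device name, mount point.
# On a real system derive this from /proc/mounts (and /sys/block/dm-*/dm/name).
MOUNTS='sda1 /boot
dm-0 /var
dm-1 /'

# avc_field LINE KEY: print the value of KEY=... from an AVC record.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# mount_point DEV: print the mount point for kernel device name DEV.
mount_point() {
    printf '%s\n' "$MOUNTS" | awk -v d="$1" '$1 == d { print $2; exit }'
}

# resolve_avc_path LINE: print the absolute path of the denied object,
# i.e. path= interpreted relative to the root of dev=, not relative to /.
resolve_avc_path() {
    dev=$(avc_field "$1" dev)
    rel=$(avc_field "$1" path)
    mp=$(mount_point "$dev")
    [ -n "$mp" ] || { echo "unknown device: $dev" >&2; return 1; }
    case "$mp" in
        /) printf '%s\n' "$rel" ;;
        *) case "$rel" in
               /) printf '%s\n' "$mp" ;;
               *) printf '%s%s\n' "$mp" "$rel" ;;
           esac ;;
    esac
}

resolve_avc_path "$AVC_LINE"   # prints /var, not /
```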
5.2.5. Load a Policy
There are two routes to loading a policy. One is to install a binary policy from a package or copy a custom binary policy into $SELINUX_POLICY/. The other is to use the policy source and load either the supported or a custom policy. For information on this second option, read Chapter 7 Compiling SELinux Policy and Chapter 8 Customizing and Writing Policy.
Note
It is not common to install the policy sources unless you need to work with them directly. On a
normal production server, you are not likely to have policy source installed even if you are running a
customized policy. You develop that policy on a separate machine that has the source installed, and
deploy it as a binary policy to production machines.
You can upgrade the package using up2date or rpm. If you are managing your own custom policy, either package it or copy the binary policy file policy.XY to the target machine.
However, if you have the policy source package installed and you have loaded the policy from source, such as by running make load or make reload in the $SELINUX_SRC/ directory, then installing binary policy packages is slightly more complicated.
The install scripts packaged with the policy check to see if you have the policy source package installed and if you loaded policy from source. They do this by comparing the file at $SELINUX_POLICY/policy.XY with the binary policy from the package. If they are different, the new binary policy is created with an .rpmnew file extension. This way you are protected from having your customizations overwritten by a policy upgrade.
If you want to use the binary policy, move the replacement over the older version:
rpm -Uvh /tmp/selinux-policy-targeted-*
Preparing...
########################## [100%]
1:selinux-policy-targeted########################## [ 50%]
1. LVM is the grouping of physical storage into virtual pools that are partitioned into logical volumes.