On 16. des. 2013 12:52, jdow wrote:
> On 2013/12/16 02:48, David Sommerseth wrote:
>> On 15. des. 2013 03:13, jdow wrote:
>>> On 2013/12/14 18:05, S.Tindall wrote:
>>>> On Sat, 2013-12-14 at 17:36 -0800, jdow wrote:
>>>>> I kinda wondered if somebody here had an idea.
>>>>>
>>>>> Ah well....
>>>>> {o.o}
>>>>
>>>> I would start with:
>>>>
>>>> # restorecon -vr /etc/ddclient*
>>>> # restorecon -vr /var/cache/ddclient
>>>>
>>>> and then retest in permissive mode.
>>>>
>>>> # setenforce 0
>>>>
>>>> Steve
>>>>
>>>
>>> More or less been there done that.
>>>
>>> "restorecon -r /var" took a bit longer, and fixed one other unrelated
>>> file. But the basic problem persisted.
>>
>> Most likely the EPEL package does not include a proper file context for
>> the /var/cache/ddclient directory.
>>
>> As a quick-fix, which I believe should be fairly safe, you can add the
>> dhcpc_t security context to that directory. Just run as root:
>>
>> # semanage fcontext -a -t dhcpc_t '/var/cache/ddclient(/.*)?'
>>
>> Then you can try the restorecon command again and see if it helps.
>>
>>
>> --
>> kind regards,
>>
>> David Sommerseth
>
> I think I'll wait a little bit pending a reply from the SELinux guru. It
> looks like one of those hard to undo things that makes going forward
> cleanly very awkward.

To undo that command above ... replace -a with -d .... really, SELinux
isn't that hard or complicated ;-) 'semanage fcontext' is basically
comparable to 'chown' - just for SELinux instead.

Of course, the harder way to do this is to implement a separate SELinux
type for ddclient, and set up the proper accesses the ddclient program
needs. That requires far more skills. I see that ddclient does have
such a policy ready in Fedora 19 (just checked the source package for
selinux-policy). But I doubt that policy will get into EL6 as part of
the base policy, also because ddclient is "just" an EPEL package.

If you pick out the ddclient.{te,fc,if} files from the contrib SELinux
reference policy used in newer Fedoras, you might be lucky to build that
as a separate SELinux module (you need the selinux-policy-devel package
installed). But that does require a bit more skills, and it might also
require some backporting too. From a quick glance at the policy, it
isn't too complicated. But it uses macros heavily, which I'd suspect
would be the biggest hurdle - as many of them might be from newer
reference policies than what is shipped in EL6. Anyhow, if you're able
to build this as a SELinux module, it's 'semodule -i ddclient.pp' and to
unload it (back to how it was before) you use 'semodule -r ddclient'.

--
kind regards,
David Sommerseth
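
The add / relabel / undo cycle discussed in this thread, as an added example that is not part of the original messages. It checks the file-context spec against the target path first, because a mistyped directory name in the spec matches nothing and restorecon then silently changes nothing. The function names and the sample file name are hypothetical; the type and path are the ones from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. TYPE and TARGET are taken from the
# messages above; function names and "sample.cache" are hypothetical.
TYPE=dhcpc_t
TARGET=/var/cache/ddclient

# True when the file-context regex SPEC matches the whole of PATH.
# file_contexts entries are matched against the full path, so both ends
# are anchored. Assumption: grep -E is close enough to the policy's regex
# dialect for simple specs such as 'dir(/.*)?'.
spec_matches() {
    printf '%s\n' "$2" | grep -Eq "^($1)\$"
}

# A spec is only worth installing if it covers the directory itself and
# a file below it (constructed file name).
spec_covers_tree() {
    spec_matches "$1" "$2" && spec_matches "$1" "$2/sample.cache"
}

# Add the local rule, relabel, and show the resulting context.
apply_label() {
    if ! spec_covers_tree "$1" "$TARGET"; then
        echo "refusing: '$1' does not match $TARGET" >&2
        return 1
    fi
    semanage fcontext -a -t "$TYPE" "$1" &&
    restorecon -vr "$TARGET" &&
    ls -Zd "$TARGET"
}

# Undo: same command with -d instead of -a, then relabel back to the default.
undo_label() {
    semanage fcontext -d -t "$TYPE" "$1" && restorecon -vr "$TARGET"
}

# Nothing is changed unless the script is called with "apply" or "undo".
case "${1:-}" in
    apply) apply_label "$2" ;;
    undo)  undo_label "$2" ;;
esac
```

Run as root with, for example, `apply '/var/cache/ddclient(/.*)?'` and later `undo` with the same spec; `semanage fcontext -l -C` lists the local rules that are currently in place.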