SCIENTIFIC-LINUX-USERS Archives

December 2013

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

From: David Sommerseth <[log in to unmask]>
Date: Mon, 16 Dec 2013 13:37:19 +0100
On 16. des. 2013 12:52, jdow wrote:
> On 2013/12/16 02:48, David Sommerseth wrote:
>> On 15. des. 2013 03:13, jdow wrote:
>>> On 2013/12/14 18:05, S.Tindall wrote:
>>>> On Sat, 2013-12-14 at 17:36 -0800, jdow wrote:
>>>>> I kinda wondered if somebody here had an idea.
>>>>>
>>>>> Ah well....
>>>>> {o.o}
>>>>
>>>> I would start with:
>>>>
>>>>    # restorecon -vr /etc/ddclient*
>>>>    # restorecon -vr /var/cache/ddclient
>>>>
>>>> and then retest in permissive mode.
>>>>
>>>>    # setenforce 0
>>>>
>>>> Steve
>>>>
>>>
>>> More or less been there done that.
>>>
>>> "restorecon -r /var" took a bit longer, and fixed one other unrelated
>>> file. But the basic problem persisted.
>>
>> Most likely the EPEL package does not include a proper file context for
>> the /var/cache/ddclient directory.
>>
>> As a quick-fix, which I believe should be fairly safe, you can add the
>> dhcpc_t security context to that directory.  Just run as root:
>>
>>     # semanage fcontext -a -t dhcpc_t '/var/cache/ddclient(/.*)?'
>>
>> Then you can try the restorecon command again and see if it helps.
>>
>>
>> -- 
>> kind regards,
>>
>> David Sommerseth
> 
> I think I'll wait a little bit pending a reply from the SELinux guru. It
> looks like one of those hard to undo things that makes going forward
> cleanly very awkward.

To undo that command above ... replace -a with -d .... really, SELinux
isn't that hard or complicated ;-)   'semanage fcontext' is basically
comparable to 'chown' - just for SELinux instead.

Of course, the harder way to do this is to implement a separate SELinux
type for ddclient, and set up the proper accesses the ddclient program
needs.  That requires far more skill.  I see that ddclient does have
such a policy ready in Fedora 19 (just checked the source package for
selinux-policy).  But I doubt that policy will get into EL6 as part of
the base policy, also because ddclient is "just" an EPEL package.

If you pick out the ddclient.{te,fc,if} files from the contrib SELinux
reference policy used in newer Fedoras, you might be lucky to build that
as a separate SELinux module (you need the selinux-policy-devel package
installed).  But that does require a bit more skill, and it might also
require some backporting.  From a quick glance at the policy, it
isn't too complicated.  But it uses macros heavily, which I'd suspect
would be the biggest hurdle - as many of them might be from newer
reference policies than what is shipped in EL6.  Anyhow, if you're able
to build this as an SELinux module, it's 'semodule -i ddclient.pp' and to
unload it (back to how it was before) you use 'semodule -r ddclient'.


--
kind regards,

David Sommerseth
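The two procedures discussed in the thread, the fcontext quick-fix with its undo and the build/load/unload cycle for a separate policy module, collected into one script. This is an added example, not code from the thread or from the ddclient or selinux-policy packages. The type (dhcpc_t), the path spec and the module name are taken from the message; the DRY_RUN switch, the function names and the `check` sub-command are this example's own additions, and the Makefile path assumes the selinux-policy-devel package is installed.

```shell
#!/bin/sh
# Added example: manage the SELinux quick-fix for /var/cache/ddclient and a
# separate ddclient policy module.  Nothing is executed unless DRY_RUN=0, so
# the generated commands can be reviewed first (semanage changes persist).
set -eu

SEL_TYPE="${SEL_TYPE:-dhcpc_t}"                          # type from the thread
SEL_PATHSPEC="${SEL_PATHSPEC:-/var/cache/ddclient(/.*)?}" # regex semanage expects
SEL_DIR="${SEL_DIR:-/var/cache/ddclient}"                 # real path for restorecon
MODULE="${MODULE:-ddclient}"                              # module name (ddclient.pp)
DRY_RUN="${DRY_RUN:-1}"

# Build the semanage command that adds (-a) or deletes (-d) the local
# file-context rule.  The string is printed rather than run so it can be
# checked before the policy store is touched.
fcontext_cmd() {
    case "${1:-}" in
        add)    printf "semanage fcontext -a -t %s '%s'\n" "$SEL_TYPE" "$SEL_PATHSPEC" ;;
        delete) printf "semanage fcontext -d -t %s '%s'\n" "$SEL_TYPE" "$SEL_PATHSPEC" ;;
        *)      echo "usage: fcontext_cmd add|delete" >&2; return 2 ;;
    esac
}

# restorecon relabels the tree to whatever the policy plus local rules now say;
# it is needed after adding the rule and again after deleting it (the undo).
restorecon_cmd() {
    printf "restorecon -Rv '%s'\n" "$SEL_DIR"
}

# Module lifecycle: compile ddclient.{te,fc,if} in the current directory with
# the selinux-policy-devel Makefile, load with semodule -i, unload with -r.
module_cmd() {
    case "${1:-}" in
        build)  printf "make -f /usr/share/selinux/devel/Makefile %s.pp\n" "$MODULE" ;;
        load)   printf "semodule -i %s.pp\n" "$MODULE" ;;
        unload) printf "semodule -r %s\n" "$MODULE" ;;
        *)      echo "usage: module_cmd build|load|unload" >&2; return 2 ;;
    esac
}

# Execute a command string, or only echo it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '[dry-run] %s\n' "$1"
    else
        sh -c "$1"
    fi
}

case "${1:-}" in
    apply)  run "$(fcontext_cmd add)";    run "$(restorecon_cmd)" ;;
    undo)   run "$(fcontext_cmd delete)"; run "$(restorecon_cmd)" ;;
    module) run "$(module_cmd build)";    run "$(module_cmd load)" ;;
    unload) run "$(module_cmd unload)" ;;
    # Show the local rule, the label actually on disk, and the enforcing mode.
    check)  run "semanage fcontext -l | grep -F '$SEL_DIR'"
            run "ls -dZ '$SEL_DIR'"
            run "getenforce" ;;
    "")     ;;   # no arguments: only define the functions (sourcing, tests)
    *)      echo "usage: $0 apply|undo|module|unload|check" >&2; exit 2 ;;
esac
```

Run `sh ddclient-selinux.sh apply` to see the commands, then `DRY_RUN=0 sh ddclient-selinux.sh apply` as root to apply them; `undo` reverses the fcontext change exactly as the message describes (-a becomes -d, followed by restorecon). `check` is worth running before and after, since `ls -dZ` shows whether restorecon actually picked up the new rule.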
