SCIENTIFIC-LINUX-USERS Archives

December 2013

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Date: Mon, 16 Dec 2013 04:55:25 -0800

On 2013/12/16 04:37, David Sommerseth wrote:
> On 16. des. 2013 12:52, jdow wrote:
>> On 2013/12/16 02:48, David Sommerseth wrote:
>>> On 15. des. 2013 03:13, jdow wrote:
>>>> On 2013/12/14 18:05, S.Tindall wrote:
>>>>> On Sat, 2013-12-14 at 17:36 -0800, jdow wrote:
>>>>>> I kinda wondered if somebody here had an idea.
>>>>>>
>>>>>> Ah well....
>>>>>> {o.o}
>>>>>
>>>>> I would start with:
>>>>>
>>>>>     # restorecon -vr /etc/ddclient*
>>>>>     # restorecon -vr /var/cache/ddclient
>>>>>
>>>>> and then retest in permissive mode.
>>>>>
>>>>>     # setenforce 0
>>>>>
>>>>> Steve
>>>>>
>>>>
>>>> More or less been there done that.
>>>>
>>>> "restorecon -r /var" took a bit longer, and fixed one other unrelated
>>>> file. But the basic problem persisted.
>>>
>>> Most likely the EPEL package does not include a proper file context for
>>> the /var/cache/ddclient directory.
>>>
>>> As a quick-fix, which I believe should be fairly safe, you can add the
>>> dhcpc_t security context to that directory.  Just run as root:
>>>
>>>      # semanage fcontext -a -t dhcpc_t '/var/cache/ddclient(/.*)?'
>>>
>>> Then you can try the restorecon command again and see if it helps.
>>>
>>>
>>> --
>>> kind regards,
>>>
>>> David Sommerseth
>>
>> I think I'll wait a little bit pending a reply from the SELinux guru. It
>> looks like one of those hard to undo things that makes going forward
>> cleanly very awkward.
>
> To undo that command above ... replace -a with -d .... really, SELinux
> isn't that hard or complicated ;-)   'semanage fcontext' is basically
> comparable to 'chown' - just for SELinux instead.
>
> Of course, the harder way to do this is to implement a separate SELinux
> type for ddclient, and set up the proper accesses the ddclient program
> needs.  That requires far more skills.  I see that ddclient does have
> such a policy ready in Fedora 19 (just checked the source package for
> selinux-policy).  But I doubt that policy will get into EL6 as part of
> the base policy, also because ddclient is "just" an EPEL package.
>
> If you pick out the ddclient.{te,fc,if} files from the contrib SELinux
> reference policy used in newer Fedoras, you might be lucky to build that
> as a separate SELinux module (you need the selinux-policy-devel package
> installed).  But that does require a bit more skills, and it might also
> require some backporting too.  From a quick glance at the policy, it
> isn't too complicated.  But it uses macros heavily, which I'd suspect
> would be the biggest hurdle - as many of them might be from newer
> reference policies than what is shipped in EL6.  Anyhow, if you're able
> to build this as a SELinux module, it's 'semodule -i ddclient.pp' and to
> unload it (back to how it was before) you use 'semodule -r ddclient'.
>
>
> --
> kind regards,
>
> David Sommerseth

Were I about 40 years younger I'd be pushing to learn that stuff. But I'm
old enough and deep enough into a different field that getting prepackaged
stuff is well worth it.

My passion at the moment is Software Defined Radios. They complete a
circle. I started out designing radio communications equipment,
sometimes for satellites. I moved into software. Then I am moving back
to the merger of the two fields. SDRs are fully complex enough to keep
my brain going these days.

Thanks for the additional information. I'll give it a try tomorrow. (It is
bed time by a somewhat insomniac's definition of bed time.)

{^_-}   Joanne
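
Added example, not part of the thread or of any package: a script that checks an fcontext pattern against the paths it is meant to label before loading it, then applies or reverts the rule with the `semanage`/`restorecon` commands quoted above. The function names and the sample file name `ddclient.cache` are assumptions made for illustration.

```shell
#!/bin/bash
# Added example: sanity-check an fcontext pattern, then apply or revert it.

TYPE="dhcpc_t"                          # type suggested in the thread
PATTERN='/var/cache/ddclient(/.*)?'     # the directory and everything below it

# file_contexts patterns are anchored at both ends, so a whole-line (-x)
# extended-regex match approximates the lookup restorecon performs.
fcontext_matches() {    # usage: fcontext_matches PATTERN PATH
    printf '%s\n' "$2" | grep -Eqx -- "$1"
}

# Return 0 only if every listed path is covered by the pattern. This catches
# a misspelled directory name, which semanage itself accepts without complaint.
check_pattern() {       # usage: check_pattern PATTERN PATH...
    local pattern=$1 path rc=0
    shift
    for path in "$@"; do
        if ! fcontext_matches "$pattern" "$path"; then
            echo "pattern $pattern does not cover $path" >&2
            rc=1
        fi
    done
    return $rc
}

apply_rule() {          # run as root
    # ddclient.cache is a constructed sample path below the directory
    check_pattern "$PATTERN" /var/cache/ddclient \
        /var/cache/ddclient/ddclient.cache || return 1
    semanage fcontext -a -t "$TYPE" "$PATTERN" &&
    restorecon -vr /var/cache/ddclient &&
    ls -Zd /var/cache/ddclient          # show the label now on the directory
}

revert_rule() {         # run as root: -d removes what -a added
    semanage fcontext -d -t "$TYPE" "$PATTERN" &&
    restorecon -vr /var/cache/ddclient
}

case "${1:-}" in
    apply)  apply_rule ;;
    revert) revert_rule ;;
esac
```

Run it as root with `apply` or `revert`; with no argument it only defines the functions.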
