Hi,
If I have a top-level non-default directory, say for argument's sake called /data. This directory contains various scripts and text files which should be available to everyone. Now when I do an install it gets the default SELinux context file_t. But this generates lots of AVCs if I set SELinux to enforcing. What should I label this directory as?
Regards,
Tony
On Tue, 2009-04-21 at 12:31 +0100, Tony Molloy wrote:
> Hi,
> If I have a top-level non-default directory, say for argument's sake called /data. This directory contains various scripts and text files which should be available to everyone. Now when I do an install it gets the default SELinux context file_t. But this generates lots of AVCs if I set SELinux to enforcing. What should I label this directory as?
> Regards,
> Tony
Depends on what you want to use it for. For example you can label it root_t if you want to put in folders that resemble /var or /etc or /home/user etc.
You can also label /data var_t if that is what you will use it for.
Or you can for example label /data user_home_t if you want to store user_content there.
It just depends on how you will use /data.
/data (root_t)
  /user_content (user_home_t)
  /var (var_t)
  /etc (etc_t)
  /custom (some_custom_type_t)
  etc.
For example: if you want to store web content in /data you would label it httpd_sys_content_t (just like /var/www is labeled that type).
On 04/21/2009 07:31 AM, Tony Molloy wrote:
> Hi,
> If I have a top-level non-default directory, say for argument's sake called /data. This directory contains various scripts and text files which should be available to everyone. Now when I do an install it gets the default SELinux context file_t. But this generates lots of AVCs if I set SELinux to enforcing. What should I label this directory as?
> Regards,
> Tony
You should never get a file/directory labeled file_t. These should only be able to be created on machines without SELinux. file_t means no label at all. If you run restorecon on /data it will get assigned default_t.
restorecon -R -v /data
This label should be available to the unconfined user and not available to any confined domain. That will probably fix most of your AVCs. If you wanted to label it like a home directory you could set its labeling to user_home_t.
# semanage fcontext -a -t user_home_t '/data(/.*)?'
# restorecon -R -v /data
This would allow all confined domains that have access to the home directory access to these files. If you want to give access to apache, you might need to assign a different context.
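Added example, not from any of the posters above: a small POSIX sh helper that turns a tree layout like the one sketched in the first reply into the `semanage fcontext` / `restorecon` commands, and that audits `ls -dZ`-style output for entries still labeled file_t (unlabeled) or default_t (restorecon's fallback when no rule matches). The /data layout, the types chosen for it and the `ls -Z` sample lines are constructed for illustration; the generated commands need root on an SELinux system and are only printed here, not run.

```shell
#!/bin/sh
# Added example (not the list's own code). Generates fcontext rules for a
# hypothetical /data tree and audits label output for file_t / default_t.

# fcontext_rule TYPE DIR
# Print the `semanage fcontext` command that labels DIR and everything below it.
fcontext_rule() {
    type=$1
    dir=$2
    # The pattern is a regex: escape metacharacters so '/data' does not
    # also match '/data.old' or '/data+backup'.
    escaped=$(printf '%s' "$dir" | sed 's/[.+*?()]/\\&/g')
    printf "semanage fcontext -a -t %s '%s(/.*)?'\n" "$type" "$escaped"
}

# plan_labels BASE BASE_TYPE [SUBDIR=TYPE ...]
# Emit the base rule first and the subdirectory rules after it, since the
# last matching specification in the file_contexts database wins, then the
# restorecon that applies the rules to the existing files.
plan_labels() {
    base=$1
    base_type=$2
    shift 2
    fcontext_rule "$base_type" "$base"
    for spec in "$@"; do
        fcontext_rule "${spec#*=}" "$base/${spec%%=*}"
    done
    printf 'restorecon -R -v %s\n' "$base"
}

# audit_labels < output-of-ls-dZ
# Reads lines of the form "user:role:type:level path" and prints the type and
# path of every entry whose type is file_t or default_t, i.e. entries that
# still need a real label. Prints nothing when the tree is fully labeled.
audit_labels() {
    while read -r ctx path; do
        [ -n "$ctx" ] || continue
        # The type is the third colon-separated field of the context.
        type=$(printf '%s' "$ctx" | cut -d: -f3)
        case $type in
            file_t|default_t) printf '%s %s\n' "$type" "$path" ;;
        esac
    done
}

# Constructed sample in the format `ls -dZ` prints on current coreutils:
# the base directory got default_t from restorecon, one script is still
# unlabeled, and two subtrees already carry the intended types.
SAMPLE_LS_Z='unconfined_u:object_r:default_t:s0 /data
unconfined_u:object_r:file_t:s0 /data/scripts/run.sh
unconfined_u:object_r:user_home_t:s0 /data/user_content/notes.txt
unconfined_u:object_r:httpd_sys_content_t:s0 /data/www/index.html'

# Stand-alone run: print the plan for a hypothetical layout, then the audit.
plan_labels /data root_t user_content=user_home_t www=httpd_sys_content_t
printf '%s\n' "$SAMPLE_LS_Z" | audit_labels
```

On a real host you would pipe `find /data -exec ls -dZ {} +` into `audit_labels` after running the generated commands; anything it still prints either needs its own fcontext rule or is a file that restorecon did not relabel.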
selinux@lists.fedoraproject.org