Red Hat ENTERPRISE LINUX 4 - SELINUX GUIDE Manual page 78
64   Chapter 5. Controlling and Maintaining SELinux

5.2.4. Grant Access to a Directory or a Tree

Just as with regular Linux DAC permissions, a targeted daemon must have SELinux permissions to be able to descend the directory tree from the root. This does not mean that a directory and its contents need to have the same type. There are many types, such as root_t, tmp_t, and usr_t, that grant read access for a directory. These are good types to use if you have a directory with no secret information you want to be widely readable. It might also make a good directory type for a parent directory of more secured directories with different contexts.

If you are working with an avc: denied message, there are some common problems that arise with directory traversal. For example, many programs do an equivalent command to ls -l / that is not necessary to their operation but generates a denial message in the logs. For this you need to create a dontaudit rule in your local.te file. Read more about this in Chapter 8 Customizing and Writing Policy.

When you are interpreting the AVC denial message, you might get misled by the path=/ component. This path is not related to the label for the root file system, /. It is actually relative to the root of the file system on the device node. For example, if your /var/ directory is located on an LVM (Logical Volume Management[1]) device, /dev/dm-0, the device node is identified in the message as dev=dm-0. When you see path=/ in this example, that is the top level of the LVM device dm-0, not necessarily the same as the root file system designation /.

5.2.5. Load a Policy

There are two routes to loading a policy. One is to install a binary policy from a package or copy a custom binary policy into $SELINUX_POLICY/. The other is to use the policy source and load either the supported or a custom policy. For information on this second option, read Chapter 7 Compiling SELinux Policy and Chapter 8 Customizing and Writing Policy.

Note
It is not common to install the policy sources unless you need to work with them directly. On a normal production server, you are not likely to have policy source installed even if you are running a customized policy. You develop that policy on a separate machine that has the source installed, and deploy it as a binary policy to production machines.

You can upgrade the package using up2date or rpm. If you are managing your own custom policy, either package it or copy the binary policy file policy.XY to the target machine.

However, if you have the policy source package installed and you have loaded the policy from source, such as running make load or make reload in the $SELINUX_SRC/ directory, then installing binary policy packages is slightly more complicated. The install scripts packaged with the policy check to see if you have the policy source package installed and if you loaded policy from source. It does this by comparing the file at $SELINUX_POLICY/policy.XY with the binary policy from the package. If they are different, the new binary policy is created with an .rpmnew file extension. This way you are protected from having your customizations overwritten by a policy upgrade.

If you want to use the binary policy, move the replacement over the older version:

    rpm -Uvh /tmp/selinux-policy-targeted-*
    Preparing...                ########################## [100%]
       1:selinux-policy-targeted########################## [ 50%]

1. LVM is the grouping of physical storage into virtual pools that are partitioned into logical volumes.
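The path= caveat from section 5.2.4 (path= is relative to the file system on the dev= device, not to /) can be turned into a small check when reading denial logs. The following is an added example, not code from the Red Hat guide; it assumes a constructed AVC line, a constructed /proc/mounts-style table, and helper names of my own (avc_field, mount_point_of, resolve_avc_path).

```shell
#!/bin/sh
# Resolve the path= component of an AVC denial against the device named by
# dev=, so that "path=/" on dev=dm-0 is read as the top of the /var file
# system rather than as the root directory.

# Constructed sample denial line, in the syslog form used by RHEL 4.
AVC_LINE='kernel: audit(1104000000.123:45): avc:  denied  { search } for  pid=1234 comm="httpd" name="/" dev=dm-0 ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:var_t tclass=dir path=/'

# Constructed /proc/mounts-style table: device, mount point, fs type, options.
MOUNT_TABLE='/dev/hda2 / ext3 rw 0 0
/dev/dm-0 /var ext3 rw 0 0
/dev/hda1 /boot ext3 rw 0 0'

# avc_field LINE KEY: print the value of KEY=value from an AVC line,
# with surrounding double quotes removed (empty output if KEY is absent).
avc_field() {
    printf '%s\n' "$1" \
      | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" \
      | sed 's/^"\(.*\)"$/\1/'
}

# mount_point_of DEV TABLE: print the mount point of /dev/DEV (e.g. dm-0 -> /var).
mount_point_of() {
    printf '%s\n' "$2" | awk -v dev="/dev/$1" '$1 == dev { print $2; exit }'
}

# resolve_avc_path LINE TABLE: print the absolute path the denial refers to.
# Returns 1 if the dev= device is not in the mount table.
resolve_avc_path() {
    dev=$(avc_field "$1" dev)
    rel=$(avc_field "$1" path)
    mnt=$(mount_point_of "$dev" "$2")
    if [ -z "$mnt" ]; then
        printf 'unknown device: %s\n' "$dev" >&2
        return 1
    fi
    case "$mnt" in
        /) printf '%s\n' "$rel" ;;            # root fs: path= is already absolute
        *) printf '%s\n' "${mnt}${rel%/}" ;;  # drop trailing "/" so path=/ maps to the mount point itself
    esac
}

resolve_avc_path "$AVC_LINE" "$MOUNT_TABLE"   # prints /var, not /
```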