05-27-2008, 12:19 PM
Paul Howarth

/tmp/lost+found on F9

Being an old-fashioned sort of guy, I always create a separate
partition (well, logical volume these days) for /tmp and various other
top-level directories. Hence I have a directory /tmp/lost+found and
every day I get an email from cron like this:

Subject: Cron <root@goalkeeper> run-parts /etc/cron.daily
Date: Tue, 27 May 2008 04:17:12 +0100

/etc/cron.daily/tmpwatch:

error: failed to lstat /tmp/lost+found: Permission denied

The following policy fixes this:

policy_module(localmisc, 0.0.1)

require {
type tmpreaper_t;
}

# Allow tmpwatch to stat /tmp/lost+found
files_getattr_lost_found_dirs(tmpreaper_t)

Paul.

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
05-28-2008, 07:00 PM
Daniel J Walsh

/tmp/lost+found on F9

Paul Howarth wrote:
> Being an old-fashioned sort of guy, I always create a separate
> partition (well, logical volume these days) for /tmp and various other
> top-level directories. Hence I have a directory /tmp/lost+found and
> every day I get an email from cron like this:
>
> Subject: Cron <root@goalkeeper> run-parts /etc/cron.daily
> Date: Tue, 27 May 2008 04:17:12 +0100
>
> /etc/cron.daily/tmpwatch:
>
> error: failed to lstat /tmp/lost+found: Permission denied
>
> The following policy fixes this:
>
> policy_module(localmisc, 0.0.1)
>
> require {
> type tmpreaper_t;
> }
>
> # Allow tmpwatch to stat /tmp/lost+found
> files_getattr_lost_found_dirs(tmpreaper_t)
>
> Paul.

That is funny because the policy has

files_dontaudit_getattr_lost_found_dirs(tmpreaper_t)

So in order to get rid of the error, we need to allow it, which seems
reasonable.

 
05-28-2008, 10:02 PM
Paul Howarth

/tmp/lost+found on F9

On Wed, 28 May 2008 15:00:21 -0400
Daniel J Walsh <dwalsh@redhat.com> wrote:

> Paul Howarth wrote:
> > Being an old-fashioned sort of guy, I always create a separate
> > partition (well, logical volume these days) for /tmp and various
> > other top-level directories. Hence I have a
> > directory /tmp/lost+found and every day I get an email from cron
> > like this:
> >
> > Subject: Cron <root@goalkeeper> run-parts /etc/cron.daily
> > Date: Tue, 27 May 2008 04:17:12 +0100
> >
> > /etc/cron.daily/tmpwatch:
> >
> > error: failed to lstat /tmp/lost+found: Permission denied
> >
> > The following policy fixes this:
> >
> > policy_module(localmisc, 0.0.1)
> >
> > require {
> > type tmpreaper_t;
> > }
> >
> > # Allow tmpwatch to stat /tmp/lost+found
> > files_getattr_lost_found_dirs(tmpreaper_t)
> >
> > Paul.
> That is funny because the policy has
>
> files_dontaudit_getattr_lost_found_dirs(tmpreaper_t)
>
> So in order to get rid of the error, we need to allow it, which seems
> reasonable.

Yes, the dontaudit made it that much harder to figure out what was
going on but "semodule -BD" came to the rescue there.

Paul.
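
Added example, not part of the thread or of anyone's posted policy: once "semodule -BD" has made the hidden denial visible, a small filter like this turns the AVC records for one domain into the rule that is missing. The function names, the sample records, the lost_found_t label and example_t are assumptions made for illustration.

```shell
#!/bin/sh
# Live-system workflow this helper fits into (root required):
#   semodule -BD                # rebuild policy with dontaudit rules disabled
#   /etc/cron.daily/tmpwatch    # reproduce the failure
#   ausearch -m avc -c tmpwatch | avc_to_allow tmpreaper_t
#   semodule -B                 # rebuild again; dontaudit rules are back

# Print one allow rule per distinct AVC denial on stdin whose source type is $1.
avc_to_allow() {
    awk -v want="$1" '
    /avc: +denied/ {
        perms = ""; stype = ""; ttype = ""; tclass = ""
        # Denied permissions are the brace-delimited list, e.g. "{ getattr }".
        if (match($0, /[{][^}]*[}]/)) perms = substr($0, RSTART, RLENGTH)
        for (i = 1; i <= NF; i++) {
            # Contexts are user:role:type[:level]; the type is field 3.
            if ($i ~ /^scontext=/) { split($i, c, ":"); stype = c[3] }
            if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
            if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
        }
        if (stype == want && perms != "" && ttype != "" && tclass != "")
            rules["allow " stype " " ttype ":" tclass " " perms ";"] = 1
    }
    END { for (r in rules) print r }' | sort
}

# Constructed sample records (not taken from the thread). lost_found_t as the
# label of /tmp/lost+found and example_t are assumptions for illustration.
sample_avc() {
    cat <<'EOF'
type=AVC msg=audit(1211858232.101:812): avc:  denied  { getattr } for  pid=4021 comm="tmpwatch" path="/tmp/lost+found" dev=dm-3 ino=11 scontext=system_u:system_r:tmpreaper_t:s0 tcontext=system_u:object_r:lost_found_t:s0 tclass=dir
type=AVC msg=audit(1211944632.207:955): avc:  denied  { getattr } for  pid=5130 comm="tmpwatch" path="/tmp/lost+found" dev=dm-3 ino=11 scontext=system_u:system_r:tmpreaper_t:s0 tcontext=system_u:object_r:lost_found_t:s0 tclass=dir
type=AVC msg=audit(1211944700.310:960): avc:  denied  { read } for  pid=5200 comm="example" name="data" dev=dm-0 ino=42 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
EOF
}

# Two nightly denials collapse to one rule; the example_t record is filtered out.
sample_avc | avc_to_allow tmpreaper_t
```

The output is a raw allow rule; in a local module written with policy_module(), an interface call such as the files_getattr_lost_found_dirs(tmpreaper_t) line in the thread is the usual way to grant it.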
