64

Chapter 5. Controlling and Maintaining SELinux

5.2.4. Grant Access to a Directory or a Tree

Just as with regular Linux DAC permissions, a targeted daemon must have SELinux permissions to be

able to descend the directory tree from the root. This does not mean that a directory and its contents

need to have the same type. There are many types, such as

root_t

,

tmp_t

, and

usr_t

that grant read

access for a directory. These are good types to use if you have a directory with no secret information

you want to be widely readable. It might also make a good directory type for a parent directory of

more secured directories with different contexts.

If you are working with an

avc: denied

message, there are some common problems that arise with

directory traversal. For example, many programs do an equivalent command to

ls  l /

that is not

necessary to their operation but generates a denial message in the logs. For this you need to create a

dontaudit

rule in your

local.te

file. Read more about this in Chapter 8 Customizing and Writing

Policy.

When you are interpreting the AVC denial message, you might get misled by the

path=/

component.

This path is not related to the label for the root file system,

/

. It is actually relative to the root of the

file system on the device node. For example, if your

/var/

directory is located on an LVM (Logical

Volume Management

1

) device,

/dev/dm 0

, the device node is identified in the message as

dev=dm 0

.

When you see

path=/

in this example, that is the top level of the LVM device

dm 0

, not neccesarily

the same as the root file system designation

/

.

5.2.5. Load a Policy

There are two routes to loading a policy. One is to install a binary policy from a package or copy a

custom binary policy into $SELINUX_POLICY/. The other is to use the policy source and load eithr

the supported or a custom policy. For information on this second option, read Chapter 7 Compiling

SELinux Policy and Chapter 8 Customizing and Writing Policy.

Note

It is not common to install the policy sources unless you need to work with them directly. On a

normal production server, you are not likely to have policy source installed even if you are running a

customized policy. You develop that policy on a separate machine that has the source installed, and

deploy it as a binary policy to production machines.

You can upgrade the package using

up2date

or

rpm

. If you are managing your own custom policy,

either package it or copy the binary policy file

policy.XY

to the target machine.

However, if you have the policy source package installed and you have loaded the policy from source,

such as running

make load

or

make reload

in the

$SELINUX_SRC/

directory, then installing bi 

nary policy packages is slightly more complicated.

The install scripts packaged with the policy check to see if you have the policy source

package installed and if you loaded policy from source. It does this by comparing the file at

$SELINUX_POLICY/policy.XY

with the binary policy from the package. If they are different, the

new binary policy is created with an

.rpmnew

file extension. This way you are protected from

having your customizations overwritten by a policy upgrade.

If you want to use the binary policy, move the replacement over the older version:

rpm  Uvh /tmp/selinux policy targeted *

Preparing...

########################## [100%]

1:selinux policy targeted########################## [ 50%]

1. LVM is the grouping of physical storage into virtual pools that are partitioned into logical volumes.