On 23/05/13 10:46, Tina Friedrich wrote:
> I agree it would really be good if this could be fixed. SELinux is quite
> common these days, or not? A newly re-designed management system that
> you (still) have to work around because it (still) breaks your system
> due to disregarding a valid and valuable security mechanism really makes
> me scratch my head a bit :) Actually, CFEngine 2 handled this better,
> come to think of it; at least it only messed up the security context on
> creating a file, not on each edit.
I'm not sure how CFEngine edits files but I assume, because the security
context is getting messed up, that it's moving the existing file and
creating a new file in its place. We can talk about solutions that don't
mess up the security context in the first place or that ensure the context
of the original file is re-applied to the new file, but the correct
solution is to be able to promise the security context of the file just
the same way as you promise the permissions. Then it won't matter if the
edit messes up the context because CFEngine will ensure it is fixed. As a
bonus, if the context is changed by other means (either legitimately or
not) CFEngine will fix that as well.
I'm not sure if CFEngine has SELinux support (I haven't seen anything
but I haven't looked!) but it would be a very useful addition. And at
the same time add support for AppArmor as well. I imagine it would be
part of the "perms" body.
Shane.
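Added example, not code from CFEngine or from either poster, illustrating the mechanism behind the thread in Python: the SELinux label of a file lives on its inode as the security.selinux extended attribute (the one fact here not assumed), so a write-temp-and-rename edit creates a new inode and drops the label, mode and ownership, whereas an edit through the existing inode keeps them; the rename-style editor below carries the label across explicitly, and a small check-and-repair function mirrors the "promise the context like you promise the permissions" idea. The function names (context_of, edit_in_place, replace_preserving_context, promise_context, demo) and the sshd_config sample file are my own constructions; on a kernel without SELinux the label is simply reported as absent and the rest of the behaviour (inode, mode, content) can still be observed.

```python
import errno
import os
import stat
import tempfile

# Added example (not CFEngine code). A file's SELinux label is the
# "security.selinux" xattr on its inode; a new inode gets a new label.

SELINUX_XATTR = "security.selinux"

# errno values meaning "attribute absent / xattrs unsupported here", which is
# what a kernel without SELinux returns for security.selinux.
_XATTR_ABSENT = {getattr(errno, n) for n in ("ENODATA", "ENOTSUP", "EOPNOTSUPP")
                 if hasattr(errno, n)}


def context_of(path):
    """Return the SELinux label of `path` (e.g. 'system_u:object_r:etc_t:s0'),
    or None when the attribute is absent or xattrs are unavailable."""
    if not hasattr(os, "getxattr"):             # non-Linux Python build
        return None
    try:
        raw = os.getxattr(path, SELINUX_XATTR, follow_symlinks=False)
    except OSError as e:
        if e.errno in _XATTR_ABSENT:
            return None
        raise
    return raw.rstrip(b"\0").decode()


def edit_in_place(path, new_content):
    """Rewrite the content through the existing inode. Nothing new is created,
    so the label stays as it was; the cost is that the write is not atomic."""
    fd = os.open(path, os.O_WRONLY | os.O_TRUNC)
    with os.fdopen(fd, "wb") as f:
        f.write(new_content)


def replace_preserving_context(path, new_content, xattrs=(SELINUX_XATTR,)):
    """Rename-style edit (temp file + os.replace) that first copies mode,
    ownership and the listed xattrs from the old inode to the new one.
    Returns {xattr: 'copied' | 'absent' | 'denied'}; 'denied' means policy
    did not let this process relabel, so a restorecon (or a context promise
    enforced by a privileged agent) is still needed afterwards."""
    st = os.stat(path)
    status = {}
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)),
                               prefix=".edit-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(new_content)
        os.chmod(tmp, stat.S_IMODE(st.st_mode))
        try:
            os.chown(tmp, st.st_uid, st.st_gid)
        except PermissionError:
            pass                                # unprivileged caller
        for name in xattrs:
            try:
                value = os.getxattr(path, name, follow_symlinks=False)
                os.setxattr(tmp, name, value, follow_symlinks=False)
                status[name] = "copied"
            except PermissionError:
                status[name] = "denied"
            except OSError as e:
                if e.errno not in _XATTR_ABSENT:
                    raise
                status[name] = "absent"
        os.replace(tmp, path)                   # atomic swap into place
    except BaseException:
        os.unlink(tmp)
        raise
    return status


def promise_context(path, expected):
    """Check-and-repair in the spirit of a perms promise: make the label equal
    `expected` no matter who changed it. Returns 'kept', 'repaired' or
    'unsupported' (no SELinux label readable on this file)."""
    current = context_of(path)
    if current is None:
        return "unsupported"
    if current == expected:
        return "kept"
    os.setxattr(path, SELINUX_XATTR, expected.encode() + b"\0",
                follow_symlinks=False)
    return "repaired"


def demo():
    """Run both edit strategies on a constructed scratch file and report the
    observations, so the behaviour is checkable with or without SELinux."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sshd_config")   # constructed sample file
        with open(path, "wb") as f:
            f.write(b"PermitRootLogin yes\n")
        os.chmod(path, 0o640)
        ino_orig = os.stat(path).st_ino
        label = context_of(path)
        edit_in_place(path, b"PermitRootLogin no\n")
        ino_in_place = os.stat(path).st_ino
        xstatus = replace_preserving_context(path, b"PermitRootLogin prohibit-password\n")
        ino_replaced = os.stat(path).st_ino
        with open(path, "rb") as f:
            final = f.read()
        copied = label is not None and xstatus[SELINUX_XATTR] == "copied"
        return {
            "in_place_kept_inode": ino_orig == ino_in_place,
            "replace_kept_inode": ino_in_place == ino_replaced,
            "mode": stat.S_IMODE(os.stat(path).st_mode),
            "content": final,
            "xattr_status": xstatus,
            "promise": promise_context(path, label) if copied else "skipped",
        }


if __name__ == "__main__":
    print(demo())
```

Running it on an SELinux host shows "copied" and the label surviving the rename; on a host without SELinux the label is reported absent but the inode change that causes the loss is still visible, which is the point Shane's reply makes about why the edit breaks the context in the first place.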