
On 2017-08-25 19:22, Steve Dower wrote:
> Nice. I looked into SELinux and didn't find any docs about how to add labels. I'd really like to include links that help people actually implement this stuff - any tips?
You can use chcon (change context) to temporarily change the labels of a file or directory structure. However that is the recommended way to deal with SELinux labels. Typically SELinux types and labels are either defined in the system global policy or by additional package policies. File labels are usually set by rules. This has the advantage that new files automatically get the right context.

Here is a simplified and partial example for a simple Python 'myservice'. When the service is started by the init system, the process automatically transitions into the myservice_exec_t domain.

    # file context (.fc): path, optional file-type flag ("--" = regular file), label
    /usr/sbin/myservice        --  gen_context(system_u:object_r:myservice_exec_t,s0)
    /usr/lib/python3.6(/.*)?       gen_context(system_u:object_r:python_module_t,s0)

    # definitions (.te)
    policy_module(myservice, 1.0.0)

    # myservice_t: domain the daemon runs in; myservice_exec_t: label of its executable.
    # init_daemon_domain() sets up the transition from init into myservice_t.
    type myservice_t;
    type myservice_exec_t;
    init_daemon_domain(myservice_t, myservice_exec_t)

    # label for the Python modules the daemon may load (read-only)
    type python_module_t;
    files_type(python_module_t)

    allow myservice_t python_module_t:file { getattr open read };

We can talk about SELinux during the sprint. If you like, either Nick, Victor, or I could contact some engineers from the SELinux (Dan) and Linux auditing (Paul, RGB) teams here at Red Hat.

Christian
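The steps that turn a policy sketch like the one above into a loaded module, as an added example that is not part of the thread and not Red Hat's or Python's own tooling. It writes the .te and .fc files, builds them with the reference-policy devel Makefile (selinux-policy-devel on Fedora/RHEL), loads the module with semodule, relabels the covered paths with restorecon instead of chcon, and checks the outcome. The service name 'myservice' and its paths are hypothetical, and the install step only runs on a host that actually has the SELinux userland.

```shell
#!/bin/sh
# Added example, not from the original thread: build, install and verify a
# small SELinux policy module for a hypothetical Python daemon 'myservice'.
set -eu

# Write the two source files of the module: type enforcement (.te) and
# file contexts (.fc), into the directory given as $1.
write_policy() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/myservice.te" <<'EOF'
policy_module(myservice, 1.0.0)

# myservice_t is the domain the daemon runs in; myservice_exec_t labels its
# executable. init_daemon_domain() adds the init -> myservice_t transition,
# so the service gets its domain automatically when started by init.
type myservice_t;
type myservice_exec_t;
init_daemon_domain(myservice_t, myservice_exec_t)

# Label for the Python modules the daemon imports. Only read access is
# granted, so a compromised daemon cannot modify its own code.
type python_module_t;
files_type(python_module_t)

allow myservice_t python_module_t:file { getattr open read };
EOF
    # Context rules: applied by setfiles/restorecon and consulted when new
    # files are created, which is why chcon is not needed to keep labels right.
    cat > "$dir/myservice.fc" <<'EOF'
/usr/sbin/myservice    --    gen_context(system_u:object_r:myservice_exec_t,s0)
/usr/lib/python3.6(/.*)?     gen_context(system_u:object_r:python_module_t,s0)
EOF
}

# Compile the module to a .pp package, load it, and relabel the covered paths.
install_policy() {
    dir="$1"
    if ! command -v semodule >/dev/null 2>&1; then
        echo "semodule not found: not an SELinux host, skipping install" >&2
        return 1
    fi
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile myservice.pp )
    semodule -i "$dir/myservice.pp"
    restorecon -Rv /usr/sbin/myservice /usr/lib/python3.6
}

# Check that the labels and the domain transition took effect, and surface
# any AVC denials that still need rules.
verify_policy() {
    matchpathcon /usr/sbin/myservice      # what the policy says the label should be
    ls -Z /usr/sbin/myservice             # what is actually on disk
    ps -eZ | grep '[m]yservice' || echo "myservice is not running" >&2
    ausearch -m avc -ts recent 2>/dev/null || true
}
```

Run write_policy against a scratch directory first and inspect the files; on an SELinux host, install_policy then verify_policy. If ausearch shows denials, audit2allow -a is the usual way to turn them into candidate rules, but review each one rather than pasting the output into the .te file.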