A SELinux policy for incron: marking types eligible for watching
by Sven Vermeulen, post on Wed 29 May 2013
In the previous post we made incrond able to watch public_content_t and public_content_rw_t types. However, this is not scalable, so we might want to be able to update the policy more dynamically with additional types. To accomplish this, we will make types eligible for watching through an attribute.
So how …
A SELinux policy for incron: default set
by Sven Vermeulen, post on Tue 28 May 2013
I finished the last post a bit with a cliffhanger as incrond is still not working properly, and we got a few denials that needed to be resolved; here they are again for your convenience:
type=AVC msg=audit(1368734110.912:28353): avc: denied { getattr } for pid=9716 comm="incrond …
A SELinux policy for incron: the incrond daemon
by Sven Vermeulen, post on Mon 27 May 2013
With incrontab_t (hopefully) complete, let's look at the incrond_t domain. As this domain will also be used to execute the user (and system) commands provided through the incrontabs, we need to consider how we are going to deal with this wide range of possible permissions that it might take. One …