90 lines
2.7 KiB
Plaintext
90 lines
2.7 KiB
Plaintext
=====================================================
|
|
RELOCATING THE CACHE WITH SELINUX ENFORCEMENT ENABLED
|
|
=====================================================
|
|
|
|
If the cache is being used on a system on which SELinux is active and running
|
|
in enforcing mode, then the security policy installed by the cachefilesd RPM
|
|
needs to be updated to permit the CacheFiles module and daemon to access the
|
|
cache if the cache is moved.
|
|
|
|
The simplest way to do this is to add an auxiliary policy to mark out the
|
|
location of the new cache, whilst leaving the old location still available for
|
|
caching. If anything more is required, then it will be necessary to modify the
|
|
policy that is installed.
|
|
|
|
Example sources for the installed policy will be themselves installed by the
|
|
cachefilesd RPM in:
|
|
|
|
/usr/share/doc/cachefilesd/
|
|
|
|
See the files named:
|
|
|
|
cachefilesd.te
|
|
cachefilesd.fc
|
|
cachefilesd.if
|
|
|
|
The policy actually used for the defaults, however, is part of the SELinux
|
|
package.
|
|
|
|
|
|
==========================
|
|
ADDING AN AUXILIARY POLICY
|
|
==========================
|
|
|
|
Creating and adding an auxiliary policy is very easy. Follow the following
|
|
steps:
|
|
|
|
(0) Check that checkpolicy and selinux-policy* packages are installed. These
|
|
are needed to build your policy.
|
|
|
|
(1) Create a new directory and go into it.
|
|
|
|
(2) Create a source file to reference the security ID already set up for files
|
|
in the cache as you'll need these to label your own cache directory.
|
|
Assuming you're going to name your policy "mycache", this would have to be
|
|
called "mycache.te":
|
|
|
|
[mycache.te]
|
|
policy_module(mycache,1.0.0)
|
|
require { type cachefiles_var_t; }
|
|
|
|
(3) Create a source file to note the directory in which you wish your cache to
|
|
reside. This file should be named for your policy, plus a ".fc" suffix:
|
|
|
|
[mycache.fc]
|
|
/mycache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0)
|
|
|
|
This specifies the security ID for the directory in which your cache will
|
|
live and all its descendents. Replace "/mycache" with the path to your
|
|
cache's directory.
|
|
|
|
(4) Build the policy:
|
|
|
|
make -f /usr/share/selinux/devel/Makefile
|
|
|
|
(5) And install it:
|
|
|
|
semodule -i mycache.pp
|
|
|
|
(6) Create your directory and tell SELinux to label it appropriately:
|
|
|
|
mkdir /mycache
|
|
restorecon /mycache
|
|
|
|
(7) Check that the directory is labelled appropriately:
|
|
|
|
ls -dZ /mycache
|
|
|
|
(8) Modify /etc/cachefilesd.conf to point to the correct directory and then
|
|
start the cachefilesd service.
|
|
|
|
|
|
The auxiliary policy can be later removed by:
|
|
|
|
semodule -r mycache.pp
|
|
|
|
If the policy is updated, then the version number in policy_module() in
|
|
mycache.te should be increased and the module upgraded:
|
|
|
|
semodule -u mycache.pp
|