I wrote a PAM module. The PAM module is loaded by the processes gdm-password and gnome-screensaver (found on RHEL 6.4). The PAM module wants to write some logs to a db file under the user's home directory, /home/USER/appdir/data.db, but SELinux blocks this access. I have verified this by disabling SELinux.
I read somewhere that I can change the FILE_TYPE to allow the access, but I'm not sure which file type applies in this case.
SELinux is preventing /usr/libexec/gdm-session-worker from lock access on the file /home/USER/.appname/0.db.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that gdm-session-worker should be allowed lock access on the 0.db file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep gdm-session-wor /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023
...
I have another file that SELinux blocks access to. Following the suggestion, I changed the FILE_TYPE to pam_var_run_t and it worked. I'm trying to find detailed information about this file type and confirm whether I chose the right one.
SELinux is preventing /usr/libexec/gdm-session-worker from write access on the file /var/cache/mysharedstore/mydatastores.reg.
***** Plugin catchall_labels (83.8 confidence) suggests ********************
If you want to allow gdm-session-worker to have write access on the mydatastores.reg file
Then you need to change the label on /var/cache/mysharedstore/mydatastores.reg
Do
# semanage fcontext -a -t FILE_TYPE '/var/cache/mysharedstore/mydatastores.reg'
where FILE_TYPE is one of the following: etc_runtime_t, pam_var_run_t, xdm_var_lib_t, xdm_var_run_t, pcscd_var_run_t, xkb_var_lib_t, anon_inodefs_t, gconf_home_t, xdm_rw_etc_t, user_cron_spool_t, xdm_home_t, xdm_lock_t, pam_var_console_t, cgroup_t, locale_t, var_auth_t, wtmp_t, afs_cache_t, xdm_t, user_fonts_t, user_tmpfs_t, user_tmp_t, xdm_spool_t, xserver_tmpfs_t, fonts_cache_t, xauth_home_t, auth_cache_t, xdm_tmpfs_t, security_t, xserver_log_t, proc_afs_t, faillog_t, puppet_tmp_t, xdm_tmp_t, lastlog_t, xdm_log_t, gnome_home_type, initrc_var_run_t, krb5_host_rcache_t, nfs_t, security_t.
Then execute:
restorecon -v '/var/cache/mydatastore/myatastores.reg'...
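The two setroubleshoot hints in the question offer two different fixes: relabel the file (semanage fcontext followed by restorecon) or build a local policy module from the grep'd audit log (audit2allow -M mypol; semodule -i mypol.pp). Before installing such a module it is worth seeing exactly what it will grant. The following is an added example, not code from the question, from setroubleshoot or from audit2allow: a small Python parser over constructed sample AVC records (the records, PIDs, inode numbers, the crond denial and the user_home_t/var_t target types are assumptions for illustration) that collapses denials into the allow rules audit2allow would write into mypol.te and lists the denied files per target type, which is the information needed to decide between relabeling one file and allowing xdm_t access to a whole type.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the original post), in the shape RHEL 6
# auditd writes to /var/log/audit/audit.log. The third and fourth records show
# that the comm filter and the record-type check matter: the SYSCALL record
# carries no AVC decision and the crond denial belongs to another domain.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1372000001.123:501): avc:  denied  { lock } for  pid=2345 comm="gdm-session-wor" path="/home/USER/.appname/0.db" dev=dm-2 ino=393217 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1372000001.124:502): avc:  denied  { write } for  pid=2345 comm="gdm-session-wor" path="/home/USER/.appname/0.db" dev=dm-2 ino=393217 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1372000002.555:503): avc:  denied  { write } for  pid=2345 comm="gdm-session-wor" path="/var/cache/mysharedstore/mydatastores.reg" dev=dm-0 ino=262146 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1372000002.555:503): arch=c000003e syscall=2 success=no exit=-13 a0=3 a1=2 a2=1b6 a3=0 items=0 ppid=2000 pid=2345 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1372000004.000:505): avc:  denied  { write } for  pid=777 comm="crond" path="/var/cache/mysharedstore/mydatastores.reg" dev=dm-0 ino=262146 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file
"""

# Fields of a 'denied' AVC record; pid and path are optional in real logs.
AVC_RE = re.compile(
    r'type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+'
    r'(?:pid=(?P<pid>\d+)\s+)?comm="(?P<comm>[^"]*)"'
    r'(?:\s+path="(?P<path>[^"]*)")?'
    r'.*?\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(log_text, comm=None):
    """Return one dict per denied AVC record, optionally filtered by comm
    (the grep in the setroubleshoot hint filters on the same field)."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, 'granted' and other record types carry no denial
        d = m.groupdict()
        if comm is not None and d["comm"] != comm:
            continue
        d["perms"] = sorted(d["perms"].split())
        # A context is user:role:type[:range]; only the type enters an allow rule.
        d["stype"] = d["scontext"].split(":")[2]
        d["ttype"] = d["tcontext"].split(":")[2]
        denials.append(d)
    return denials


def allow_rules(denials):
    """Collapse denials into the rules audit2allow would emit: one rule per
    (source type, target type, object class) with the union of permissions."""
    perms = defaultdict(set)
    for d in denials:
        perms[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    return ["allow %s %s:%s { %s };" % (s, t, cls, " ".join(sorted(p)))
            for (s, t, cls), p in sorted(perms.items())]


def denied_targets(denials):
    """Distinct (path, target type) -> permissions, so the relabel-vs-policy
    decision can be made per file rather than for the whole grep'd blob."""
    out = defaultdict(set)
    for d in denials:
        out[(d["path"], d["ttype"])].update(d["perms"])
    return {k: sorted(v) for k, v in sorted(out.items())}


def module_source(denials, name="mypol", version="1.0"):
    """Render the .te source (module header, require block, allow rules) that
    'audit2allow -M name' compiles into name.pp."""
    types, classes = set(), defaultdict(set)
    for d in denials:
        types.update((d["stype"], d["ttype"]))
        classes[d["tclass"]].update(d["perms"])
    lines = ["module %s %s;" % (name, version), "", "require {"]
    lines += ["\ttype %s;" % t for t in sorted(types)]
    lines += ["\tclass %s { %s };" % (c, " ".join(sorted(p)))
              for c, p in sorted(classes.items())]
    lines += ["}", ""] + allow_rules(denials)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    worker = parse_avc(SAMPLE_AUDIT_LOG, comm="gdm-session-wor")
    for (path, ttype), perms in denied_targets(worker).items():
        print("%s (%s): %s" % (path, ttype, " ".join(perms)))
    print(module_source(worker))
```

Reading the generated rules is the point: a rule such as `allow xdm_t user_home_t:file { lock write };` lets gdm-session-worker lock and write every file of type user_home_t, not just the module's db file, because SELinux decides on the type, not the path. That is why the second hint prefers relabeling a single file to a type xdm_t can already write over teaching xdm_t a new permission on a broad type.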