[OpenAFS] Re: problem with dbservers running under bosserver

Andrew Deason adeason@sinenomine.net
Wed, 15 Feb 2012 18:25:29 -0600


On Wed, 15 Feb 2012 18:51:37 -0500
Kevin Coffman <kwc@citi.umich.edu> wrote:

> Everything worked while strace'ing the bosserver.  I changed SELinux
> to "Permissive" mode and everything now works while running from the
> init script.
> 
> Any SELinux experts out there that can point me at how to fix things
> up so SELinux is happy?  (I'll run in permissive mode for now!)

Well, it depends on what you want to do. If you want to actually run
OpenAFS under the security of SELinux, you or someone needs to create
the policy and assign appropriate contexts to everything. I don't think
anyone's created SELinux policies for OpenAFS server daemons, so if you
just want the rest of the system adhering to SELinux, but not the
OpenAFS servers, you can run bosserver in an unconfined context. It's
been quite a while since I've done anything with SELinux but I _think_
something like...

chcon -h root:object_r:unconfined_exec_t /usr/afs/bin/bosserver

will make bosserver run without SELinux restrictions. 'ls -lZ' can show
you the context of various files (like those in /usr/afs/local), and
'ps -efZ' can say what context bosserver is running with.

That is, if that works, it just works temporarily until the files are
relabeled or I assume if you reinstall/upgrade the binary. I assume
we're supposed to package context/policy information in the RPMs in some
fashion.

-- 
Andrew Deason
adeason@sinenomine.net
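
The message notes that a chcon label lasts only until the next relabel. The sketch below is an added example, not part of the original message or of OpenAFS: it records the same type in the local file-context database with semanage and applies it with restorecon, then checks the result. It assumes the SELinux management tools (semanage, restorecon) are installed and reuses the path and type from the chcon line above; the function names and the DRY_RUN switch are hypothetical.

```shell
#!/bin/sh
# Added example: make the bosserver label survive a relabel, then verify it.
BOS=/usr/afs/bin/bosserver      # path taken from the message
WANT_TYPE=unconfined_exec_t     # type taken from the message's chcon line

# Extract the type field from a context string (user:role:type[:level]).
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# has_type <context> <type>: succeed only if the context carries that type.
has_type() {
    [ "$(ctx_type "$1")" = "$2" ]
}

# Print the command when DRY_RUN=1 (the default), otherwise execute it.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Record the label in the local policy store, then apply it to the file.
# Unlike chcon, the fcontext rule is what restorecon and a full relabel use.
label_persistent() {
    run semanage fcontext -a -t "$WANT_TYPE" "$BOS"
    run restorecon -v "$BOS"
}

label_persistent

# Verify the on-disk label if the binary exists on this host.
if [ -e "$BOS" ]; then
    cur=$(stat -c %C "$BOS")    # GNU stat: %C prints the SELinux context
    if has_type "$cur" "$WANT_TYPE"; then
        echo "OK: $BOS is labeled $cur"
    else
        echo "MISMATCH: $BOS is labeled $cur, expected type $WANT_TYPE"
    fi
fi
```

Run it as root with DRY_RUN=0 to apply the change; a package upgrade that replaces the binary will then pick the type up from the stored rule when restorecon runs.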