I am having some trouble with the SELinux context of a couple of files in my openstack-swift setup.
Setup details:
A daemon is running swift-object-replicator with the following SELinux context:
system_u:system_r:swift_t:s0 swift ... /usr/bin/python /usr/bin/swift-object-replicator /etc/swift/object-server.conf
This daemon calls a script periodically. The file created by that script has the following SELinux context:
system_u:object_r:swift_var_cache_t:s0 /var/cache/swift/object.recon
Which is correct!
The issue
If I run the same script (which that daemon is calling internally) from a terminal as 'root', the object.recon file's SELinux context is modified as below:
-rw-------. swift swift unconfined_u:object_r:var_t:s0 /var/cache/swift/object.recon
And then I start seeing error messages in that daemon's log files.
Any idea why the context changes, and how to preserve it even if I wish to trigger the script from a terminal?
I figured out 2 ways to retain the context:
Use runcon to run the command with the correct context:
runcon -t swift_t -r system_r swift-object-replicator /etc/swift/object-server.conf -ov
Or, define an SELinux type_transition rule so that a user in the unconfined_t domain transitions to the correct domain while executing the script:
# Loadable policy module; the 'module' header is what checkmodule -M -m expects
module swift_unconfined_transition 1.0;

require {
    type unconfined_t;
    type swift_exec_t;
    type swift_t;
    role unconfined_r;
    class process transition;
}

# Allow a process holding role unconfined_r to run in the swift_t domain
role unconfined_r types swift_t;
# When unconfined_t executes a file labelled swift_exec_t, switch to swift_t
type_transition unconfined_t swift_exec_t:process swift_t;
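As an added example (not code from the original post or from openstack-swift): a small wrapper that applies the runcon approach above from an interactive root shell, then checks the label of the file the run leaves behind and relabels it with restorecon if it is wrong, and that can also build and load the policy module. The paths, domain names and file types are taken from the post; the wrapper name, the `RECON_FILE`/`TE_FILE` variables and the `.te` filename are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post or from openstack-swift.
# Runs the recon command under the daemon's domain when started from an
# unconfined shell, then verifies /var/cache/swift/object.recon is still
# labelled swift_var_cache_t.
#
# Assumptions (hypothetical, not stated by the post):
#   - RECON_FILE / TE_FILE names; the post's policy module is saved as
#     swift_unconfined_transition.te next to this script for `load`.

RECON_FILE="${RECON_FILE:-/var/cache/swift/object.recon}"
WANT_DOMAIN="swift_t"
WANT_FILE_TYPE="swift_var_cache_t"
TE_FILE="${TE_FILE:-swift_unconfined_transition.te}"

# The third colon-separated field of an SELinux context is the type/domain:
#   context_type "unconfined_u:unconfined_r:unconfined_t:s0" -> unconfined_t
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# True (exit 0) when the given process context is not already swift_t,
# i.e. the command has to be re-executed through runcon.
needs_runcon() {
    [ "$(context_type "$1")" != "$WANT_DOMAIN" ]
}

# Pull the file type out of one line of `ls -Z` or `ls -lZ` output, e.g.
#   "-rw-------. swift swift unconfined_u:object_r:var_t:s0 /var/cache/swift/object.recon"
# gives var_t; the context is the only whitespace-separated field containing ':'.
file_type_from_ls() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep ':' | head -n 1 | cut -d: -f3
}

# Run the given command in the daemon's domain when we are not already in it.
run_in_swift_domain() {
    cur="$(id -Z 2>/dev/null)" || { echo "SELinux is not enabled here" >&2; return 1; }
    if needs_runcon "$cur"; then
        echo "current domain $(context_type "$cur"); re-running under $WANT_DOMAIN" >&2
        runcon -r system_r -t "$WANT_DOMAIN" "$@"
    else
        "$@"
    fi
}

# After the run, confirm the recon file carries the type the daemon expects
# and relabel it from the file-context database if it does not.
verify_recon_label() {
    got="$(file_type_from_ls "$(ls -Z "$RECON_FILE" 2>/dev/null)")"
    if [ "$got" != "$WANT_FILE_TYPE" ]; then
        echo "$RECON_FILE is '$got', expected $WANT_FILE_TYPE; running restorecon" >&2
        restorecon -v "$RECON_FILE"
    fi
}

# Build and load the type_transition module from the .te file (needs
# checkmodule, semodule_package and semodule from policycoreutils; run as root).
load_policy_module() {
    name="${TE_FILE%.te}"
    checkmodule -M -m -o "$name.mod" "$TE_FILE" &&
    semodule_package -o "$name.pp" -m "$name.mod" &&
    semodule -i "$name.pp"
}

# Usage: ./swift-recon-wrapper.sh run   (one replicator pass under swift_t)
#        ./swift-recon-wrapper.sh load  (build and load the policy module)
case "${1-}" in
    run)
        run_in_swift_domain swift-object-replicator /etc/swift/object-server.conf -ov
        verify_recon_label
        ;;
    load)
        load_policy_module
        ;;
esac
```

The label check after the run is the part worth keeping even if you go the type_transition route: a wrong type on object.recon shows up as the daemon's log errors only later, so checking `ls -Z` right after a manual run gives you the answer immediately.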