2020/01/31

selinux vs searchd

If, like me, you use searchd and mysql, then selinux will provoke the following message when mysqld tries to connect to searchd (errno 13 is EACCES: the mysqld_t domain may only connect to ports labelled mysqld_port_t, and searchd's 9312 is not one of them by default):

ERROR 1429 (HY000): Unable to connect to foreign data source: failed to connect to searchd (host=127.0.0.1, errno=13, port=931

The least-privilege fix is to add 9312 to mysqld_port_t, so it joins the ports mysqld_t is already allowed to connect to (turning on the mysql_connect_any boolean would also work, but lets mysqld connect to any port at all):

semanage port -a -t mysqld_port_t -p tcp 9312
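Before running semanage it is worth knowing how the port is currently labelled: `semanage port -a` refuses with "already defined" when the exact port is already listed for some type, in which case `-m` is needed instead, while a covering range (unreserved_port_t spans 1024-32767) does not count, which is why 9312 can simply be added. The following is an added example, not part of the original post; it parses a constructed stand-in for `semanage port -l` output so it runs offline (on a real host, feed it the real output as noted in the comments), and the type and port lists in SAMPLE_PORTS are assumptions modelled on the default CentOS policy.

```shell
#!/bin/sh
# Added example (not from the original post): check how SELinux currently
# labels a TCP/UDP port before running 'semanage port', and pick -a vs -m.
#
# 'semanage port -l' prints one line per type and protocol, e.g.
#   mysqld_port_t   tcp   1186, 3306, 63132-63164
# SAMPLE_PORTS is a constructed stand-in for that output so this runs offline;
# on a real box use:  SAMPLE_PORTS=$(semanage port -l)
SAMPLE_PORTS='mysqld_port_t                  tcp      1186, 3306, 63132-63164
mysqld_port_t                  udp      1186
unreserved_port_t              tcp      1024-32767, 61001-65535
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000'

# port_types PROTO PORT: print "TYPE exact" for every type that lists PORT as
# a standalone entry and "TYPE range" for every lo-hi range covering it.
# No output means the port is not defined anywhere.
port_types() {
    printf '%s\n' "$SAMPLE_PORTS" | awk -v proto="$1" -v port="$2" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)
                if (split(p, r, "-") == 2) {
                    if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) print $1, "range"
                } else if (p + 0 == port + 0) {
                    print $1, "exact"
                }
            }
        }'
}

# label_cmd TYPE PROTO PORT: the semanage invocation that labels PORT as TYPE.
# 'semanage port -a' fails with "already defined" when the exact port is
# already listed for some type; a range such as unreserved_port_t's
# 1024-32767 does not count, so 9312 can simply be added.  An exact entry
# (3306 for mysqld_port_t, say) has to be changed with -m instead.
label_cmd() {
    if port_types "$2" "$3" | grep -q ' exact$'; then
        echo "semanage port -m -t $1 -p $2 $3"
    else
        echo "semanage port -a -t $1 -p $2 $3"
    fi
}

# Worked through for the searchd case from the post:
port_types tcp 9312              # unreserved_port_t range
label_cmd mysqld_port_t tcp 9312 # semanage port -a -t mysqld_port_t -p tcp 9312
label_cmd mysqld_port_t tcp 3306 # semanage port -m -t mysqld_port_t -p tcp 3306
# Afterwards confirm with 'semanage port -l | grep mysqld_port_t' and, if
# mysqld still cannot connect, read the denial: 'ausearch -m avc -c mysqld'.
```

The awk treats the port list as semanage prints it, comma-separated entries that are either a single port or a lo-hi range, so the same function tells you both which type the kernel will match and whether semanage will accept an add.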

2020/01/16

daemontools vs selinux

While CentOS ships with a policy module for daemontools, it expects you to install things in /admin and /supervised. I don't, I put things in /var/daemontools/admin and /var/daemontools/supervised. So I spent far too much time trying to make a policy module that would work with my setup. My initial attempt worked and gave me hope:

cp /usr/share/selinux/devel/include/contrib/daemontools.{if,te,fc} .
joe daemontools.fc   # changed all the dirs to /var/daemontools
make -f /usr/share/selinux/devel/include/Makefile   # builds daemontools.pp from the .te/.if/.fc in the cwd
semodule -i daemontools.pp   # same module name as the stock one, so this replaces it

However, this replaced the default daemontools module and might mess with other systems. I'm probably the last person to care about daemontools outside of qmail. Also, I wanted to learn some selinux.

My next thought was that I could create a daemontools_quaero policy module that gave the executables an fcontext from daemontools module. This didn't work and I don't know why.

After turning to IRC and much messing around and back and forth, grift led me to the following solution:

cat - > daemontools_quaero.cil <<'CIL'
; filecon paths are regular expressions, as in file_contexts: the "." in
; "0.76" matches any character, so escape it as "0\.76" if you want to be strict.
(filecon "/var/daemontools/admin/daemontools-0.76/command/envdir" file (system_u object_r bin_t ((s0)(s0))))
(filecon "/var/daemontools/admin/daemontools-0.76/command/envuidgid" file (system_u object_r bin_t ((s0)(s0))))
(filecon "/var/daemontools/admin/daemontools-0.76/command/fghack" file (system_u object_r bin_t ((s0)(s0))))
(filecon "/var/daemontools/admin/daemontools-0.76/command/multilog" file (system_u object_r bin_t ((s0)(s0))))
(filecon "/var/daemontools/admin/daemontools-0.76/command/pgrphack" file (system_u object_r bin_t ((s0)(s0))))
(filecon "/var/daemontools/admin/daemontools-0.76/command/setlock" file (system_u object_r bin_t ((s0)(s0))))
(filecon "/var/daemontools/admin/daemontools-0.76/command/setuidgid" file (system_u object_r bin_t ((s0)(s0))))
(filecon "/var/daemontools/admin/daemontools-0.76/command/softlimit" file (system_u object_r bin_t ((s0)(s0))))
(filecon "/var/daemontools/admin/daemontools-0.76/command/svc" file (system_u object_r bin_t ((s0)(s0))))
(filecon "/var/daemontools/admin/daemontools-0.76/command/svok" file (system_u object_r bin_t ((s0)(s0))))
(filecon "/var/daemontools/admin/daemontools-0.76/command/svscan" file (system_u object_r bin_t ((s0)(s0))))
(filecon "/var/daemontools/admin/daemontools-0.76/command/svscanboot" file (system_u object_r bin_t ((s0)(s0))))
(filecon "/var/daemontools/admin/daemontools-0.76/command/supervise" file (system_u object_r bin_t ((s0)(s0))))
(filecon "/var/daemontools/supervised/prog-log" file (system_u object_r bin_t ((s0)(s0))))
(filecon "/var/daemontools/supervised/prog-user" file (system_u object_r bin_t ((s0)(s0))))
(filecon "/var/daemontools/supervised/sudo-user" file (system_u object_r bin_t ((s0)(s0))))
; per-service entries: run scripts are bin_t, env dirs get svc_conf_t, the type
; the stock daemontools module defines for them
(filecon "/var/daemontools/supervised/.+/env" dir (system_u object_r svc_conf_t ((s0)(s0))))
(filecon "/var/daemontools/supervised/.+/run" file (system_u object_r bin_t ((s0)(s0))))
(filecon "/var/daemontools/supervised/.+/log/env" dir (system_u object_r svc_conf_t ((s0)(s0))))
(filecon "/var/daemontools/supervised/.+/log/run" file (system_u object_r bin_t ((s0)(s0))))
CIL
sudo semodule -i daemontools_quaero.cil
sudo restorecon -RvF /var/daemontools/admin/daemontools-0.76/command /var/daemontools/supervised/

And there was much rejoicing.
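Hand-writing one filecon line per binary ties the module to daemontools-0.76 and to whatever happens to be in the command directory today. As an added example (not the post's code, and not part of the stock daemontools module), the script below generates the same CIL body from the two directories, escapes the regex metacharacters in the literal paths, and keeps the per-service entries as regexes exactly as the post does. It assumes the post's layout (a command dir of binaries, a supervised dir of services with run, env/, log/run and log/env/) and the post's types bin_t and svc_conf_t; the demo tree it builds is constructed so it runs anywhere.

```shell
#!/bin/sh
# Added example (not the post's code): generate the CIL filecon statements for
# a relocated daemontools tree instead of hand-writing one line per binary.
# Assumes the same layout as the post: COMMAND_DIR holds the daemontools
# binaries, SUPERVISED_DIR holds one directory per service with run, env/,
# log/run and log/env/.  Types are the ones the post uses (bin_t, svc_conf_t).

# filecon_line PATH CLASS TYPE: one CIL filecon statement (PATH is used as-is).
filecon_line() {
    printf '(filecon "%s" %s (system_u object_r %s ((s0)(s0))))\n' "$1" "$2" "$3"
}

# regex_escape PATH: filecon paths are regular expressions, as in file_contexts,
# so a literal "." (e.g. in daemontools-0.76) has to become "\." or it will
# match any character.
regex_escape() {
    printf '%s' "$1" | sed 's/[.]/\\./g'
}

# gen_cil COMMAND_DIR SUPERVISED_DIR: emit the module body on stdout.
gen_cil() {
    cmddir=$1; supdir=$2
    # every regular file in the command dir is an executable -> bin_t
    for f in "$cmddir"/*; do
        if [ -f "$f" ]; then filecon_line "$(regex_escape "$f")" file bin_t; fi
    done
    # helper scripts sitting directly in the supervised dir (prog-log etc.)
    for f in "$supdir"/*; do
        if [ -f "$f" ]; then filecon_line "$(regex_escape "$f")" file bin_t; fi
    done
    # per-service entries, written as regexes so new services need no rebuild
    esup=$(regex_escape "$supdir")
    filecon_line "$esup/.+/env"     dir  svc_conf_t
    filecon_line "$esup/.+/run"     file bin_t
    filecon_line "$esup/.+/log/env" dir  svc_conf_t
    filecon_line "$esup/.+/log/run" file bin_t
}

# Demo on a constructed tree so this runs anywhere; on the real box:
#   gen_cil /var/daemontools/admin/daemontools-0.76/command /var/daemontools/supervised > daemontools_quaero.cil
#   semodule -i daemontools_quaero.cil && restorecon -RvF /var/daemontools
#   matchpathcon /var/daemontools/supervised/prog/run   # should now report bin_t
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/admin/daemontools-0.76/command" "$tmp/supervised/prog/log"
    for c in svc svscan supervise multilog; do : > "$tmp/admin/daemontools-0.76/command/$c"; done
    : > "$tmp/supervised/prog-log"
    : > "$tmp/supervised/prog/run"
    gen_cil "$tmp/admin/daemontools-0.76/command" "$tmp/supervised"
    rm -rf "$tmp"
}
demo
```

Regenerating the file after a daemontools upgrade and diffing it against the installed module (`semodule -E daemontools_quaero` exports it) is a quick way to see which binaries would be left mislabelled.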

Along the way, I discovered semodule -E, matchpathcon and the policy language as well as sesearch, seinfo, ps auxZ, ls -lZ.