
Ales, Nir, thank you for the fast response.
On Tue, Mar 9, 2021, 14:21 Ales Musil <amusil(a)redhat.com> wrote:
Sanlock uses 0775 for a good reason. Sanlock is started as root, and it needs permissions to create the pid file before dropping privileges. It may be possible to solve this with a better selinux policy, but nobody has contributed this.
Can you explain what the actual issue with this configuration is?

I got an answer from a colleague for that question: The user sanlock is still the owner of the folder and should be able to create files in there, especially when sanlock is started as root. We just want to lower the rights for the group, which is root. This might be a more or less abstract potential risk, as a user that is not 'root' being a member of group root might not be that common. Still, it is a standard procedure on the servers that a home folder of a user usually has r-x for the user's group, and our security check marks this as a potential risk.
BR Aleksandr
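As an added illustration (not code from the sanlock project or from either poster), the following Python script audits a directory the way the security check described in the thread would, and shows that the directory owner can still create a pid file once the group write bit is dropped from 0775 to 0755. It uses a scratch directory in place of sanlock's run directory, since that path is not named in the thread, and the "flagged" rule (group-writable and group is root, gid 0) is an assumption about what such a check looks for.

```python
"""Audit a directory for group-write permission and show that the owner can
still create files after the group-write bit is dropped.
Added example; not sanlock's code and not from the mailing-list post."""
import os
import stat
import tempfile


def audit_dir(path: str) -> dict:
    """Return the permission facts a security check would look at for `path`."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    group_writable = bool(mode & stat.S_IWGRP)
    return {
        "mode": mode,
        "symbolic": stat.filemode(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "group_writable": group_writable,
        # Assumed rule: the concern in the thread is group write granted to
        # gid 0 (root), which lets any non-root member of group root write here.
        "flagged": group_writable and st.st_gid == 0,
    }


def owner_can_create(path: str, name: str = "daemon.pid") -> bool:
    """Create a file in `path` as the current user (the directory owner here),
    then remove it. Returns False if the kernel refuses the create."""
    target = os.path.join(path, name)
    try:
        fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    except PermissionError:
        return False
    os.close(fd)
    os.unlink(target)
    return True


def compare_modes() -> dict:
    """Create a scratch directory (constructed stand-in for the daemon's run
    directory) and audit it at 0775 and then at 0755."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        rundir = os.path.join(base, "run")
        os.mkdir(rundir)
        for mode in (0o775, 0o755):
            os.chmod(rundir, mode)  # explicit mode, unaffected by umask
            info = audit_dir(rundir)
            info["owner_can_create"] = owner_can_create(rundir)
            results[oct(mode)] = info
    return results


if __name__ == "__main__":
    for mode, info in compare_modes().items():
        print(mode, info["symbolic"],
              "group_writable=%s" % info["group_writable"],
              "owner_can_create=%s" % info["owner_can_create"])
```

On a real host, call `audit_dir` on the directory in question; `flagged` only becomes True when the directory's group is root, which the scratch directory is not unless the script itself runs as root. Note that root bypasses discretionary permission checks entirely, so `owner_can_create` says nothing about the daemon before it drops privileges; the point is that the owner's own rwx bits are what the unprivileged sanlock user relies on, and those are unchanged by 0775 vs 0755.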