<br><br><div class="gmail_quote">On Thu, Jan 13, 2011 at 11:28 AM, Stephen Smalley <span dir="ltr"><<a href="mailto:sds@tycho.nsa.gov">sds@tycho.nsa.gov</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div><div></div><div class="h5">On Thu, 2011-01-13 at 08:14 -0500, Stephen Smalley wrote:<br>
> On Wed, 2011-01-12 at 21:03 +0000, Paul Howarth wrote:<br>
> > On Wed, 12 Jan 2011 13:02:21 -0500<br>
> > Daniel J Walsh <<a href="mailto:dwalsh@redhat.com">dwalsh@redhat.com</a>> wrote:<br>
> > > On 01/12/2011 06:29 AM, Paulo Cavalcanti wrote:<br>
> > > > Hi,<br>
> > > ><br>
> > > > I have two HDs on my computer: one with rhel5 5.5 and the other with<br>
> > > > fedora 14.<br>
> > > > Both systems share some directories located in a common /home,<br>
> > > > mainly used by the httpd process.<br>
> > > ><br>
> > > > The problem is that selinux in fedora 14 uses "unrestricted_u" by<br>
> > > > default for all users, which rel5 does not understand,<br>
> > > > and any file labeled that way is treated as "unlabeled_t" in rhel5.<br>
> > > ><br>
> > > > I tried to relabel all files in Fedora 14 using "chcon -R -u user_u<br>
> > > > -t user_home_t" , for instance,<br>
> > > > but every new file is still created as "unrestricted_u".<br>
> > > ><br>
> > > > I know very little about selinux, and I would like to know how to<br>
> > > > force all files in F14 to be user_u,<br>
> > > > but keeping the user owning those files, unrestricted.<br>
> > > ><br>
> > > > Is that possible? Is there a better solution for not having tons of<br>
> > > > denials in rhel5?<br>
> > > ><br>
> > > > Thanks.<br>
> > > ><br>
> > > > --<br>
> > > > Paulo Roma Cavalcanti<br>
> > > > LCG - UFRJ<br>
> > > ><br>
> > > One solution would be to mount with a context on one of the platforms.<br>
> > ><br>
> > > On RHEL5 mount the users homedir with a context of nfs_t, and set the<br>
> > > boolean to say allow nfs homedirs<br>
> > ><br>
> > ><br>
> > > mount -o context="system_u:object_r:nfs_t:s0" /dev/ABC /home<br>
> > > setsebool -P use_nfs_home_dirs 1<br>
> ><br>
> > What happens with newly-created files whilst booted in RHEL-5 in this<br>
> > case? What will Fedora 14 see them as?<br>
><br>
> Not sure what the RHEL-5 kernel does; in modern kernels, it won't set a<br>
> context on disk when creating new files in a filesystem mounted with<br>
> context= and thus they will show up as unlabeled if mounted without a<br>
> context= mount option in Fedora-14. You could mount it with a context=<br>
> option in both, or run restorecon on it when booting Fedora-14.<br>
<br>
</div></div>Sorry, not "unlabeled" but rather with the default file context for<br>
files without an xattr, which in this case would be file_t.<br>
<div><div></div><div class="h5"><br>
<br></div></div></blockquote><div><br>Here it goes: <br></div></div><br>----<br>type=SYSCALL msg=audit(01/13/2011 07:31:09.274:38) : arch=x86_64 syscall=stat success=no exit=-13(Permission denied) a0=7ff594509c30 a1=7ffff3924c40 a2=7ffff3924c40 a3=0 items=0 ppid=2230 pid=2270 auid=unset uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache tty=(none) ses=unset comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null) <br>
type=AVC msg=audit(01/13/2011 07:31:09.274:38) : avc: denied { search } for pid=2270 comm=httpd name=repodata dev=sda4 ino=31331129 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir <br>
----<br>type=SYSCALL msg=audit(01/13/2011 07:31:09.287:39) : arch=x86_64 syscall=lstat success=no exit=-13(Permission denied) a0=7ff594509d50 a1=7ffff3924c40 a2=7ffff3924c40 a3=2f534d50522f6c6d items=0 ppid=2230 pid=2270 auid=unset uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache tty=(none) ses=unset comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null) <br>
type=AVC msg=audit(01/13/2011 07:31:09.287:39) : avc: denied { getattr } for pid=2270 comm=httpd path=/home/packages/rpms/myrpms-el5-x86_64/repodata dev=sda4 ino=31331129 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir <br>
----<br>type=SYSCALL msg=audit(01/13/2011 09:33:05.718:46) : arch=x86_64 syscall=stat success=no exit=-13(Permission denied) a0=7ff594509c00 a1=7ffff3924c40 a2=7ffff3924c40 a3=0 items=0 ppid=2230 pid=2271 auid=unset uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache tty=(none) ses=unset comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null) <br>
type=AVC msg=audit(01/13/2011 09:33:05.718:46) : avc: denied { search } for pid=2271 comm=httpd name=repodata dev=sda4 ino=31331129 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir <br>
----<br>type=SYSCALL msg=audit(01/13/2011 09:33:05.719:47) : arch=x86_64 syscall=lstat success=no exit=-13(Permission denied) a0=7ff594509d08 a1=7ffff3924c40 a2=7ffff3924c40 a3=2f534d50522f6c6d items=0 ppid=2230 pid=2271 auid=unset uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache tty=(none) ses=unset comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null) <br>
type=AVC msg=audit(01/13/2011 09:33:05.719:47) : avc: denied { getattr } for pid=2271 comm=httpd path=/home/packages/rpms/myrpms-el5-x86_64/repodata dev=sda4 ino=31331129 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir <br>
----<br>type=SYSCALL msg=audit(01/13/2011 09:33:10.698:49) : arch=x86_64 syscall=lstat success=no exit=-13(Permission denied) a0=7ff594509d50 a1=7ffff3924c40 a2=7ffff3924c40 a3=2f534d50522f6c6d items=0 ppid=2230 pid=2272 auid=unset uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache tty=(none) ses=unset comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null) <br>
type=AVC msg=audit(01/13/2011 09:33:10.698:49) : avc: denied { getattr } for pid=2272 comm=httpd path=/home/packages/rpms/myrpms-el5-x86_64/repodata dev=sda4 ino=31331129 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir <br>
----<br>type=SYSCALL msg=audit(01/13/2011 09:33:10.698:48) : arch=x86_64 syscall=stat success=no exit=-13(Permission denied) a0=7ff594509c30 a1=7ffff3924c40 a2=7ffff3924c40 a3=0 items=0 ppid=2230 pid=2272 auid=unset uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache tty=(none) ses=unset comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null) <br>
type=AVC msg=audit(01/13/2011 09:33:10.698:48) : avc: denied { search } for pid=2272 comm=httpd name=repodata dev=sda4 ino=31331129 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir<br clear="all">
<br>-- <br>Paulo Roma Cavalcanti<br>LCG - UFRJ<br>