Creating home directories with wrong context

Daniel J Walsh dwalsh at redhat.com
Sat Jan 10 12:03:17 UTC 2015


On 01/08/2015 09:22 PM, Jayson Hurst wrote:
> I am trying to figure out why a policy that was written on RHEL 6.0
> doesn't work the same on RHEL 6.5.
>
> I have a policy whose domain is vasd_t
>  
> I am using the userdomain.if interface call which is supposed to give
> the domain access to create directories in the home dir root with the
> user home directory type.
>   userdom_home_filetrans_user_home_dir(vasd_t)
>
> Which calls:
>   files_home_filetrans($1, user_home_dir_t, dir)
> Which calls:
>   filetrans_pattern($1, home_root_t, $2, $3)
>  
> Which is defined as:
>         allow $1 $2:dir rw_dir_perms;
>         type_transition $1 $2:$4 $3;
>  
> I would expect this to allow me to create a new directory in /home
> which is of type home_root_t, but what I am seeing is that the new
> homedir is being created with the type of home_root_t and not
> user_home_dir_t as expected.
>  
> I have also tried not calling the interface methods and defining it by
> hand as:
>  
> allow vasd_t home_root_t:dir rw_dir_perms;
> type_transition vasd_t home_root_t:dir user_home_dir_t;
>
> I have also tried calling userdom_create_user_home_dirs(vasd_t)
>  
> sesearch shows:
>  
> $ sesearch -AC | grep 'allow vasd_t' | grep ': dir' | grep home_root_t
>    allow vasd_t home_root_t : dir { ioctl read write getattr lock
> add_name remove_name search open } ;
>  
> The way the daemon works that is associated to the vasd_t domain is
> that it calls a script that does the actual creation of the homedir. I
> believe the problem lies in this fact that perhaps the script isn't
> being invoked in a way to give it proper creation rights.
>  
> Like I said, this used to work in RHEL 6.0, but now I cannot seem to get
> it to work in 6.5. Any help would be appreciated. I don't know what I
> am missing here.
>
>
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux

You should only need:
userdom_home_filetrans_user_home_dir(vasd_t)

You need to look at your transition rules.

sesearch -T -s vasd_t -t home_root_t -c file
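The rules discussed in the thread, assembled into a small policy module as an added example (this is not the original poster's module; the `vasd_exec_t` entrypoint type and the assumption that the daemon runs its helper script through /bin/sh are mine). The point it illustrates is that a type_transition is matched on the domain of the process that performs the mkdir, so the helper script must still be running as vasd_t for the new directory to be labelled user_home_dir_t.

```te
# vasd.te -- added example, not the original poster's policy.
# Assumptions: vasd is started by init from a binary labelled
# vasd_exec_t (hypothetical), and it creates home directories by
# running a shell script via /bin/sh.
policy_module(vasd, 1.0.0)

type vasd_t;
type vasd_exec_t;
init_daemon_domain(vasd_t, vasd_exec_t)

# Let the helper script execute WITHOUT a domain transition, so the
# mkdir inside it is still performed by vasd_t.  A type_transition is
# keyed on (source domain, target type, object class); if the script
# ended up in some other domain, the rule below would never be
# consulted and the new directory would simply inherit home_root_t
# from /home, which is the symptom described in the thread.
corecmd_exec_shell(vasd_t)
corecmd_exec_bin(vasd_t)

# Reach /home and create the directory with the user home dir type.
files_search_home(vasd_t)
userdom_home_filetrans_user_home_dir(vasd_t)

# filetrans_pattern only grants rw_dir_perms on home_root_t and adds
# the type_transition; the creating domain also needs 'create' on the
# RESULTING type, which this interface supplies.
userdom_manage_user_home_dirs(vasd_t)

# For comparison with the sesearch output quoted above, the filetrans
# interface expands to these raw rules:
#   allow vasd_t home_root_t:dir rw_dir_perms;
#   type_transition vasd_t home_root_t:dir user_home_dir_t;
```

To verify, check the rule for the dir class (not file) with `sesearch -T -s vasd_t -t home_root_t -c dir`, and confirm with `ps -eZ` while the daemon is creating a home directory that the helper script really is running in vasd_t.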



