Creating home directories with wrong context

Daniel J Walsh dwalsh at redhat.com
Wed Jan 14 15:49:56 UTC 2015


Is it in an optional block?  Could you send me your policy?


On 01/12/2015 11:48 AM, Jayson Hurst wrote:
> I declare userdom_home_filetrans_user_home_dir($1) in vasd_admin
> method in the vasd.if file.  vasd.te calls vasd_admin(vasd_t). 
>  
> $ sesearch -T -s vasd_t -t home_root_t -c file 
>  
> $
>  
> The command above returns a blank line.
>  
> Could there be a conflicting rule that might be causing me
> problems?  Where do I look to figure out why this no longer works?
>  
> ------------------------------------------------------------------------
> Date: Sat, 10 Jan 2015 07:03:17 -0500
> From: dwalsh at redhat.com
> To: swazup at hotmail.com; selinux at lists.fedoraproject.org
> Subject: Re: Creating home directories with wrong context
>
>
> On 01/08/2015 09:22 PM, Jayson Hurst wrote:
>
>     I am trying to figure out why a policy that was written on RHEL
>     6.0 doesn't work the same on RHEL 6.5.
>
>     I have a policy whose domain is vasd_t
>      
>     I am using the userdomain.if interface call which is supposed to
>     give the domain access to create directories in the home dir root
>     with the user home directory type.
>       userdom_home_filetrans_user_home_dir(vasd_t)
>
>     Which calls:
>       files_home_filetrans($1, user_home_dir_t, dir)
>     Which calls:
>       filetrans_pattern($1, home_root_t, $2, $3)
>      
>     Which is defined as:
>             allow $1 $2:dir rw_dir_perms;
>             type_transition $1 $2:$4 $3;
>      
>     I would expect this to allow me to create a new directory in /home
>     which is of type home_root_t, but what I am seeing is that the new
>     homedir is being created with the type of home_root_t and not
>     user_home_dir_t as expected.
>      
>     I have also tried not calling the interface methods and defining
>     it by hand as:
>      
>     allow vasd_t home_root_t:dir rw_dir_perms;
>     type_transition vasd_t home_root_t:dir user_home_dir_t;
>
>     I have also tried calling userdom_create_user_home_dirs(vasd_t)
>      
>     sesearch shows:
>      
>     $ sesearch -AC | grep 'allow vasd_t' | grep ': dir' | grep home_root_t
>        allow vasd_t home_root_t : dir { ioctl read write getattr lock
>     add_name remove_name search open } ;
>      
>     The way the daemon works that is associated to the vasd_t domain
>     is that it calls a script that does the actual creation of the
>     homedir. I believe the problem lies in this fact that perhaps the
>     script isn't being invoked in a way to give it proper creation rights.
>      
>     Like I said this used to work in RHEL 6.0 but now I cannot seem to
>     get it to work in 6.5. Any help would be appreciated. I don't
>     know what I am missing here.
>
>
>     --
>     selinux mailing list
>     selinux at lists.fedoraproject.org
>     https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>
> You should only need:
> userdom_home_filetrans_user_home_dir(vasd_t)
>
> You need to look at your transition rules.
>
> sesearch -T -s vasd_t -t home_root_t -c file
>
>
>
>
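The check Dan asks for (sesearch -T against the source domain and target type) can be scripted so that the answer is a type name rather than a blank line to squint at. The Python below is an added example written for this archive page; it is not code from the thread, from refpolicy or from setools. It parses the lines that `sesearch -T` prints and reports whether a type_transition rule exists for a given source domain, target type and object class. The sample output embedded in it is constructed, and the vasd_tmp_t rule in that sample is invented for illustration. Because the rule quoted in the thread is declared on class dir (`type_transition vasd_t home_root_t:dir user_home_dir_t;`), the example queries both dir and file, so a query restricted to the wrong class shows up as a miss on that class while the dir rule is still found.

```python
import re
import subprocess

# Matches both the older setools output ("type_transition a b : dir c;")
# and the newer one ("type_transition a b:dir c;"). Named (filename)
# transitions, which carry a quoted name before the ';', are not handled.
_TT_RE = re.compile(
    r"^\s*type_transition\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*"
    r"(?P<cls>\S+)\s+(?P<res>\S+?)\s*;"
)


def parse_type_transitions(output):
    """Parse `sesearch -T` output into (source, target, class, result) tuples."""
    rules = []
    for line in output.splitlines():
        m = _TT_RE.match(line)
        if m:
            rules.append((m.group("src"), m.group("tgt"),
                          m.group("cls"), m.group("res")))
    return rules


def find_transition(rules, source, target, obj_class):
    """Return the result type of the matching rule, or None if no rule exists."""
    for src, tgt, cls, res in rules:
        if (src, tgt, cls) == (source, target, obj_class):
            return res
    return None


def query_policy(source, target):
    """Run sesearch on the live policy (only meaningful on a real SELinux host)."""
    cmd = ["sesearch", "-T", "-s", source, "-t", target]
    proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    return parse_type_transitions(proc.stdout)


# Constructed sample: what a policy carrying the rule from the thread would
# print. The second rule (vasd_tmp_t) is invented to show that unrelated
# transitions are not confused with the one being checked.
SAMPLE_OUTPUT = """\
Found 2 semantic te rules:
   type_transition vasd_t home_root_t : dir user_home_dir_t;
   type_transition vasd_t tmp_t : file vasd_tmp_t;
"""


def check_home_dir_transition(output=SAMPLE_OUTPUT):
    """Report the transition result for class dir and class file separately."""
    rules = parse_type_transitions(output)
    return {
        "dir": find_transition(rules, "vasd_t", "home_root_t", "dir"),
        "file": find_transition(rules, "vasd_t", "home_root_t", "file"),
    }


if __name__ == "__main__":
    # With the constructed sample this reports the dir rule and no file rule.
    print(check_home_dir_transition())
```

On a live host, `query_policy("vasd_t", "home_root_t")` replaces the constructed sample. The source domain passed in has to be the domain the directory-creating process actually runs in: the thread notes that the daemon hands the work to a script, so if that script runs in a different domain than vasd_t, a rule keyed on vasd_t never applies, and `ps -eZ` is the quickest way to see which domain the script really gets.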
