10:19 a.m.
On Mon, 2012-01-23 at 15:57 +0000, Moray Henderson wrote:
Hi
On CentOS 5.6, I have just noticed that if a process running under context
initrc_t creates a file or directory within a user's home directory, that
object gets user_home_dir_t.
If an unconfined_t process does the same thing, they correctly get
user_home_t.
Was this a bug or a feature?
selinux-policy-2.4.6-300.el5_6.1
selinux-policy-targeted-2.4.6-300.el5_6.1
Moray.
"To err is human; to purr, feline."
I guess that depends on how you look at it but compared to recent fedora
policy i guess you could consider this to be a bug.
This is supported in Fedora 16:
# sesearch --allow -s initrc_t -t user_home_dir_t -T | grep user_home_t
type_transition initrc_t user_home_dir_t : file user_home_t;
type_transition initrc_t user_home_dir_t : dir user_home_t;
type_transition initrc_t user_home_dir_t : lnk_file user_home_t;
type_transition initrc_t user_home_dir_t : sock_file user_home_t;
type_transition initrc_t user_home_dir_t : fifo_file user_home_t;
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
10:33 a.m.
New subject: Creating files from initrc_t
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/23/2012 11:19 AM, Dominick Grift wrote:
On Mon, 2012-01-23 at 15:57 +0000, Moray Henderson wrote:
> Hi
>
> On CentOS 5.6, I have just noticed that if a process running
> under context initrc_t creates a file or directory within a
> user's home directory, that object gets user_home_dir_t.
>
> If an unconfined_t process does the same thing, they correctly
> get user_home_t.
>
> Was this a bug or a feature?
>
> selinux-policy-2.4.6-300.el5_6.1
> selinux-policy-targeted-2.4.6-300.el5_6.1
>
>
> Moray. "To err is human; to purr, feline."
I guess that depends on how you look at it but compared to recent
fedora policy i guess you could consider this to be a bug.
This is supported in Fedora 16:
# sesearch --allow -s initrc_t -t user_home_dir_t -T | grep
user_home_t type_transition initrc_t user_home_dir_t : file
user_home_t; type_transition initrc_t user_home_dir_t : dir
user_home_t; type_transition initrc_t user_home_dir_t : lnk_file
user_home_t; type_transition initrc_t user_home_dir_t : sock_file
user_home_t; type_transition initrc_t user_home_dir_t : fifo_file
user_home_t;
>
>
>
> -- selinux mailing list selinux(a)lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
-- selinux mailing list selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
Yes I would say it is a bug, since the goal of initrc_t is to work
properly as an unconfined domain. Therefor it should create content
in the users homedir with as close to the "right" context as possible.
Not sure what process you have running as initrc_t that is creating
content in the users homedir. user_home_dir_t should only be the
label of the top level directory of a users homedir.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk8di98ACgkQrlYvE4MpobO8CgCgroBW2j0VHlPRR1TzbIZS+zbm
6/cAnAsVW5BIsJU1KcqXYi+Iu7DwDoMH
=p58K
-----END PGP SIGNATURE-----
10:40 a.m.
New subject: Creating files from initrc_t
Daniel J Walsh wrote:
On 01/23/2012 11:19 AM, Dominick Grift wrote:
> On Mon, 2012-01-23 at 15:57 +0000, Moray Henderson wrote:
>> Hi
>>
>> On CentOS 5.6, I have just noticed that if a process running
>> under context initrc_t creates a file or directory within a
>> user's home directory, that object gets user_home_dir_t.
>>
>> If an unconfined_t process does the same thing, they correctly
>> get user_home_t.
>>
>> Was this a bug or a feature?
>>
>> selinux-policy-2.4.6-300.el5_6.1
>> selinux-policy-targeted-2.4.6-300.el5_6.1
>>
>>
>> Moray. "To err is human; to purr, feline."
> I guess that depends on how you look at it but compared to recent
> fedora policy i guess you could consider this to be a bug.
> This is supported in Fedora 16:
> # sesearch --allow -s initrc_t -t user_home_dir_t -T | grep
> user_home_t type_transition initrc_t user_home_dir_t : file
> user_home_t; type_transition initrc_t user_home_dir_t : dir
> user_home_t; type_transition initrc_t user_home_dir_t : lnk_file
> user_home_t; type_transition initrc_t user_home_dir_t : sock_file
> user_home_t; type_transition initrc_t user_home_dir_t : fifo_file
> user_home_t;
>>
>>
>> -- selinux mailing list selinux(a)lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> -- selinux mailing list selinux(a)lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
Yes I would say it is a bug, since the goal of initrc_t is to work
properly as an unconfined domain. Therefor it should create content
in the users homedir with as close to the "right" context as possible.
Not sure what process you have running as initrc_t that is creating
content in the users homedir. user_home_dir_t should only be the
label of the top level directory of a users homedir.
I reported a similar problem
on 19/02/2011 with a mail
"recently-used.xbel wrong context". I hadn't managed to narrow it down
to files created by initrc_t processes.
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
11:08 a.m.
New subject: Creating files from initrc_t
From: Trevor Hemsley
Sent: 23 January 2012 16:40
Daniel J Walsh wrote:
> On 01/23/2012 11:19 AM, Dominick Grift wrote:
> > On Mon, 2012-01-23 at 15:57 +0000, Moray Henderson wrote:
> >> Hi
> >>
> >> On CentOS 5.6, I have just noticed that if a process running
> >> under context initrc_t creates a file or directory within a
> >> user's home directory, that object gets user_home_dir_t.
> >>
> >> If an unconfined_t process does the same thing, they correctly
> >> get user_home_t.
> >>
> >> Was this a bug or a feature?
> >>
> >> selinux-policy-2.4.6-300.el5_6.1
> >> selinux-policy-targeted-2.4.6-300.el5_6.1
> >>
> >>
> >> Moray. "To err is human; to purr, feline."
> > I guess that depends on how you look at it but compared to recent
> > fedora policy i guess you could consider this to be a bug.
>
> > This is supported in Fedora 16:
>
> > # sesearch --allow -s initrc_t -t user_home_dir_t -T | grep
> > user_home_t type_transition initrc_t user_home_dir_t : file
> > user_home_t; type_transition initrc_t user_home_dir_t : dir
> > user_home_t; type_transition initrc_t user_home_dir_t : lnk_file
> > user_home_t; type_transition initrc_t user_home_dir_t : sock_file
> > user_home_t; type_transition initrc_t user_home_dir_t : fifo_file
> > user_home_t;
>
> Yes I would say it is a bug, since the goal of initrc_t is to work
> properly as an unconfined domain. Therefor it should create content
> in the users homedir with as close to the "right" context as
possible.
> Not sure what process you have running as initrc_t that is creating
> content in the users homedir. user_home_dir_t should only be the
> label of the top level directory of a users homedir.
I reported a similar problem on 19/02/2011 with a mail
"recently-used.xbel wrong context". I hadn't managed to narrow it down
to files created by initrc_t processes.
I'd forgotten the sesearch(1) command (haven't been in SELinux for a while). When
I saw that my custom daemon was running in initrc_t, I used "runcon -t initrc_t
bash" (had to look that one up too) to give myself an initrc_t shell to try things
out and compare to my normal unconfined_t shell.
Moray.
“To err is human; to purr, feline.”
10:48 a.m.
New subject: Creating files from initrc_t
From: Dominick Grift
Sent: 23 January 2012 16:20
On Mon, 2012-01-23 at 15:57 +0000, Moray Henderson wrote:
> Hi
>
> On CentOS 5.6, I have just noticed that if a process running under
context
> initrc_t creates a file or directory within a user's home directory,
that
> object gets user_home_dir_t.
>
> If an unconfined_t process does the same thing, they correctly get
> user_home_t.
>
> Was this a bug or a feature?
>
> selinux-policy-2.4.6-300.el5_6.1
> selinux-policy-targeted-2.4.6-300.el5_6.1
>
>
> Moray.
> "To err is human; to purr, feline."
I guess that depends on how you look at it but compared to recent
fedora
policy i guess you could consider this to be a bug.
This is supported in Fedora 16:
# sesearch --allow -s initrc_t -t user_home_dir_t -T | grep user_home_t
type_transition initrc_t user_home_dir_t : file user_home_t;
type_transition initrc_t user_home_dir_t : dir user_home_t;
type_transition initrc_t user_home_dir_t : lnk_file user_home_t;
type_transition initrc_t user_home_dir_t : sock_file user_home_t;
type_transition initrc_t user_home_dir_t : fifo_file user_home_t;
Thanks Dominick. I may still just work around it with restorecon for now, but if
necessary add those transitions to custom policy when I upgrade to CentOS 6.
Moray.
“To err is human; to purr, feline.”
11:49 a.m.
New subject: Creating files from initrc_t
On 01/23/2012 04:48 PM, Moray Henderson wrote:
> From: Dominick Grift
> Sent: 23 January 2012 16:20
>
> On Mon, 2012-01-23 at 15:57 +0000, Moray Henderson wrote:
>> Hi
>>
>> On CentOS 5.6, I have just noticed that if a process running under
> context
>> initrc_t creates a file or directory within a user's home directory,
> that
>> object gets user_home_dir_t.
>>
>> If an unconfined_t process does the same thing, they correctly get
>> user_home_t.
>>
>> Was this a bug or a feature?
>>
>> selinux-policy-2.4.6-300.el5_6.1
>> selinux-policy-targeted-2.4.6-300.el5_6.1
>>
>>
>> Moray.
>> "To err is human; to purr, feline."
> I guess that depends on how you look at it but compared to recent
> fedora
> policy i guess you could consider this to be a bug.
>
> This is supported in Fedora 16:
>
> # sesearch --allow -s initrc_t -t user_home_dir_t -T | grep user_home_t
> type_transition initrc_t user_home_dir_t : file user_home_t;
> type_transition initrc_t user_home_dir_t : dir user_home_t;
> type_transition initrc_t user_home_dir_t : lnk_file user_home_t;
> type_transition initrc_t user_home_dir_t : sock_file user_home_t;
> type_transition initrc_t user_home_dir_t : fifo_file user_home_t;
>
Thanks Dominick. I may still just work around it with restorecon for now, but if
necessary add those transitions to custom policy when I upgrade to CentOS 6.
What
kind is your application which is running as initrc_t? Maybe we
could also try to find a proper domain for this apps.
Moray.
“To err is human; to purr, feline.”
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
10:17 a.m.
New subject: Creating files from initrc_t
From: Miroslav Grepl [mailto:mgrepl@redhat.com]
Sent: 24 January 2012 17:50
To: selinux(a)lists.fedoraproject.org
Cc: Moray Henderson (ICT)
Subject: Re: Creating files from initrc_t
On 01/23/2012 04:48 PM, Moray Henderson wrote:
>> From: Dominick Grift
>> Sent: 23 January 2012 16:20
>>
>> On Mon, 2012-01-23 at 15:57 +0000, Moray Henderson wrote:
>>> Hi
>>>
>>> On CentOS 5.6, I have just noticed that if a process running under
>> context
>>> initrc_t creates a file or directory within a user's home
directory,
>> that
>>> object gets user_home_dir_t.
>>>
>>> If an unconfined_t process does the same thing, they correctly get
>>> user_home_t.
>>>
>>> Was this a bug or a feature?
>>>
>>> selinux-policy-2.4.6-300.el5_6.1
>>> selinux-policy-targeted-2.4.6-300.el5_6.1
>>>
>>>
>>> Moray.
>>> "To err is human; to purr, feline."
>> I guess that depends on how you look at it but compared to recent
>> fedora
>> policy i guess you could consider this to be a bug.
>>
>> This is supported in Fedora 16:
>>
>> # sesearch --allow -s initrc_t -t user_home_dir_t -T | grep
user_home_t
>> type_transition initrc_t user_home_dir_t : file user_home_t;
>> type_transition initrc_t user_home_dir_t : dir user_home_t;
>> type_transition initrc_t user_home_dir_t : lnk_file user_home_t;
>> type_transition initrc_t user_home_dir_t : sock_file
user_home_t;
>> type_transition initrc_t user_home_dir_t : fifo_file
user_home_t;
>>
> Thanks Dominick. I may still just work around it with restorecon for
now, but if necessary add those transitions to custom policy when I
upgrade to CentOS 6.
What kind is your application which is running as initrc_t? Maybe we
could also try to find a proper domain for this apps.
It's an in-house-written daemon that allows some level of remote administration for
our servers. It can receive a request to create a user, and to create an application
configuration file in their home directory. We can also ask it to report on the
server's disk usage and various configuration and log files. It was the application
configuration file part that was running into trouble; everything else works perfectly*.
We did look at other remote administration systems that are out there, such as Webmin, but
they either offered too much or too little for our needs.
Moray.
“To err is human; to purr, feline.”
* "any human thing supposed to be complete, must for that very reason infallibly be
faulty."
- Herman Melville, Moby-Dick
4469
days inactive
4470
days old
selinux@lists.fedoraproject.org
6 comments
5 participants
participants (5)
-
Daniel J Walsh -
Dominick Grift -
Miroslav Grepl -
Moray Henderson -
Trevor Hemsley