On 07/10/2013 12:36 PM, Eric Chennells wrote:
Hello,
I must be missing something in my understanding of selinux but I'm having
problem where the root user can not change the selinux type of a directory.
I am running in targeted mode.
I was experimenting and changed the type of /tmp/bah to "unconfined_t". I
am now unable to either delete the directory or to change the type back to
"tmp_t"
You must have done this while in permissive mode, since unconfined_t is a
process type not a file type, it would have been denied in enforcing mode.
chcon -R -t tmp_t /tmp/bah/
Now you are trying to relabel from unconfined_t to tmp_t, and the policy is
blocking you from this since you are relabeling from a domain type on a file
to a file type. unconfined_t is allowed to relabel from any file_type to any
other file_type but not from a process_type to a file_type.
setenforce 0
chcon -t tmp_t /tmp/bah will work
setenforce 1
chcon -t unconfined_t /tmp/bah
chcon: failed to change context of ‘/tmp/bah’ to
‘staff_u:object_r:unconfined_t:s0’: Permission denied
Which is what should happen.
With an AVC that looks like:
time->Wed Jul 10 12:46:07 2013
type=PATH msg=audit(1373474767.322:9421): item=0 name="/tmp/bah" inode=415267
dev=00:1e mode=040755 ouid=0 ogid=0 rdev=00:00 obj=staff_u:object_r:user_tmp_t:s0
type=CWD msg=audit(1373474767.322:9421): cwd="/root"
type=SYSCALL msg=audit(1373474767.322:9421): arch=c000003e syscall=188
success=no exit=-13 a0=155d0e0 a1=323fc183be a2=155e610 a3=21 items=1
ppid=28478 pid=28502 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 ses=16 tty=pts0 comm="chcon" exe="/usr/bin/chcon"
subj=staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1373474767.322:9421): avc: denied { relabelto } for
pid=28502 comm="chcon" name="bah" dev="tmpfs" ino=415267
scontext=staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=staff_u:object_r:unconfined_t:s0 tclass=dir
Saying you are not allowed to relabel to unconfined_t.
Results in:
chcon: failed to change context of `/tmp/bah/' to
`unconfined_u:object_r:tmp_t:s0': Permission denied
Audit2allow is suggesting "allow unconfined_t self:dir relabelfrom;" but
I don't want to apply that because it seems that would allow all
unconfined files/processes to relabel themselves, is that correct?
Thanks for any tips.
Eric
-- selinux mailing list selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
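As an added example, not part of the thread, here is a small Python parser for the audit event quoted above. It groups the PATH, SYSCALL and AVC records by serial and pairs the label the directory currently carries (the PATH record's obj=, user_tmp_t) with the label chcon asked for (the AVC tcontext=, unconfined_t), which is what a relabelto denial's tcontext actually holds. The FILE_TYPES set, the sample text and the function names are assumptions of this example.

```python
import re

# Constructed sample: the audit event quoted above (serial 9421), one record per line.
SAMPLE_AUDIT = """\
type=PATH msg=audit(1373474767.322:9421): item=0 name="/tmp/bah" inode=415267 dev=00:1e mode=040755 ouid=0 ogid=0 obj=staff_u:object_r:user_tmp_t:s0
type=SYSCALL msg=audit(1373474767.322:9421): arch=c000003e syscall=188 success=no exit=-13 pid=28502 comm="chcon" exe="/usr/bin/chcon" subj=staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
type=AVC msg=audit(1373474767.322:9421): avc: denied { relabelto } for pid=28502 comm="chcon" name="bah" dev="tmpfs" ino=415267 scontext=staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:unconfined_t:s0 tclass=dir
"""

# Assumption: on a real host fill this from `seinfo -afile_type -x`; here it is
# a constructed subset that covers the sample event.
FILE_TYPES = {"tmp_t", "user_tmp_t"}
_HEADER = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\): ?(.*)$")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_DENIED = re.compile(r"denied \{ ([^}]*) \}")

def parse_audit(text):
    """Group audit records by event serial: {serial: {record_type: {key: value}}}."""
    events = {}
    for line in text.splitlines():
        m = _HEADER.match(line.strip())
        if not m:
            continue
        rtype, _ts, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in _KV.findall(rest)}
        denied = _DENIED.search(rest)
        if denied:
            fields["perms"] = denied.group(1).split()
        events.setdefault(serial, {})[rtype] = fields
    return events

def selinux_type(context):
    return context.split(":")[2]  # user:role:type[:range] -> type

def explain_relabelto(event):
    """Pair the object's current label (PATH obj=) with the one chcon asked for
    (AVC tcontext=) for a relabelto denial; None for any other event."""
    avc = event.get("AVC", {})
    if "relabelto" not in avc.get("perms", []):
        return None
    path = event.get("PATH", {})
    requested = selinux_type(avc["tcontext"])
    return {
        "domain": selinux_type(avc["scontext"]),
        "object": path.get("name", avc.get("name")),
        "tclass": avc["tclass"],
        "current_type": selinux_type(path["obj"]) if "obj" in path else None,
        "requested_type": requested,
        "requested_is_file_type": requested in FILE_TYPES,
    }
```

Run against the sample it reports a relabel of /tmp/bah from user_tmp_t to unconfined_t by the unconfined_t domain, with the requested type flagged as not a file type, which is the condition the reply above describes.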