selinux: rhel5 x fedora 14

Stephen Smalley sds at tycho.nsa.gov
Thu Jan 13 14:13:33 UTC 2011


On Thu, 2011-01-13 at 11:51 -0200, Paulo Cavalcanti wrote:
> 
> 
> On Thu, Jan 13, 2011 at 11:28 AM, Stephen Smalley <sds at tycho.nsa.gov>
> wrote:
>         
>         On Thu, 2011-01-13 at 08:14 -0500, Stephen Smalley wrote:
>         > On Wed, 2011-01-12 at 21:03 +0000, Paul Howarth wrote:
>         > > On Wed, 12 Jan 2011 13:02:21 -0500
>         > > Daniel J Walsh <dwalsh at redhat.com> wrote:
>         > > > On 01/12/2011 06:29 AM, Paulo Cavalcanti wrote:
>         > > > > Hi,
>         > > > >
>         > > > > I have two HDs on my computer: one with rhel5 5.5 and
>         the other with
>         > > > > fedora 14.
>         > > > > Both systems share some directories located in a
>         common /home,
>         > > > > mainly used by the httpd process.
>         > > > >
>         > > > > The problem is that selinux in fedora 14 uses
>         "unrestricted_u" by
>         > > > > default for all users, which rhel5 does not understand,
>         > > > > and any file labeled that way is treated as
>         "unlabeled_t" in rhel5.
>         > > > >
>         > > > > I tried to relabel all files in Fedora 14 using "chcon
>         -R -u user_u
>         > > > > -t user_home_t" , for instance,
>         > > > > but every new file is still created as
>         "unrestricted_u".
>         > > > >
>         > > > > I know very little about selinux, and I would like to
>         know how to
>         > > > > force all files in F14 to be user_u,
>         > > > > but keeping the user owning those files, unrestricted.
>         > > > >
>         > > > > Is that possible? Is there a better solution for not
>         having tons of
>         > > > > denials in rhel5?
>         > > > >
>         > > > > Thanks.
>         > > > >
>         > > > > --
>         > > > > Paulo Roma Cavalcanti
>         > > > > LCG - UFRJ
>         > > > >
>         > > > One solution would be to mount with a context on one of
>         the platforms.
>         > > >
>         > > > On RHEL5 mount the users homedir with a context of
>         nfs_t, and set the
>         > > > boolean to say allow nfs homedirs
>         > > >
>         > > >
>         > > > mount -o
>         context="system_u:object_r:nfs_t:s0" /dev/ABC /home
>         > > > setsebool -P use_nfs_home_dirs 1
>         > >
>         > > What happens with newly-created files whilst booted in
>         RHEL-5 in this
>         > > case? What will Fedora 14 see them as?
>         >
>         > Not sure what the RHEL-5 kernel does; in modern kernels, it
>         won't set a
>         > context on disk when creating new files in a filesystem
>         mounted with
>         > context= and thus they will show up as unlabeled if mounted
>         without a
>         > context= mount option in Fedora-14.  You could mount it with
>         a context=
>         > option in both, or run restorecon on it when booting
>         Fedora-14.
>         
>         
>         Sorry, not "unlabeled" but rather with the default file
>         context for
>         files without an xattr, which in this case would be file_t.
> 
> Here it goes: 
> 
> 
> ----
> type=SYSCALL msg=audit(01/13/2011 07:31:09.274:38) : arch=x86_64
> syscall=stat success=no exit=-13(Permission denied) a0=7ff594509c30
> a1=7ffff3924c40 a2=7ffff3924c40 a3=0 items=0 ppid=2230 pid=2270
> auid=unset uid=apache gid=apache euid=apache suid=apache fsuid=apache
> egid=apache sgid=apache fsgid=apache tty=(none) ses=unset comm=httpd
> exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null) 
> type=AVC msg=audit(01/13/2011 07:31:09.274:38) : avc:  denied
> { search } for  pid=2270 comm=httpd name=repodata dev=sda4
> ino=31331129 scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:file_t:s0 tclass=dir 
> ----
> type=SYSCALL msg=audit(01/13/2011 07:31:09.287:39) : arch=x86_64
> syscall=lstat success=no exit=-13(Permission denied) a0=7ff594509d50
> a1=7ffff3924c40 a2=7ffff3924c40 a3=2f534d50522f6c6d items=0 ppid=2230
> pid=2270 auid=unset uid=apache gid=apache euid=apache suid=apache
> fsuid=apache egid=apache sgid=apache fsgid=apache tty=(none) ses=unset
> comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0
> key=(null) 
> type=AVC msg=audit(01/13/2011 07:31:09.287:39) : avc:  denied
> { getattr } for  pid=2270 comm=httpd
> path=/home/packages/rpms/myrpms-el5-x86_64/repodata dev=sda4
> ino=31331129 scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:file_t:s0 tclass=dir 
> ----
> type=SYSCALL msg=audit(01/13/2011 09:33:05.718:46) : arch=x86_64
> syscall=stat success=no exit=-13(Permission denied) a0=7ff594509c00
> a1=7ffff3924c40 a2=7ffff3924c40 a3=0 items=0 ppid=2230 pid=2271
> auid=unset uid=apache gid=apache euid=apache suid=apache fsuid=apache
> egid=apache sgid=apache fsgid=apache tty=(none) ses=unset comm=httpd
> exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null) 
> type=AVC msg=audit(01/13/2011 09:33:05.718:46) : avc:  denied
> { search } for  pid=2271 comm=httpd name=repodata dev=sda4
> ino=31331129 scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:file_t:s0 tclass=dir 
> ----
> type=SYSCALL msg=audit(01/13/2011 09:33:05.719:47) : arch=x86_64
> syscall=lstat success=no exit=-13(Permission denied) a0=7ff594509d08
> a1=7ffff3924c40 a2=7ffff3924c40 a3=2f534d50522f6c6d items=0 ppid=2230
> pid=2271 auid=unset uid=apache gid=apache euid=apache suid=apache
> fsuid=apache egid=apache sgid=apache fsgid=apache tty=(none) ses=unset
> comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0
> key=(null) 
> type=AVC msg=audit(01/13/2011 09:33:05.719:47) : avc:  denied
> { getattr } for  pid=2271 comm=httpd
> path=/home/packages/rpms/myrpms-el5-x86_64/repodata dev=sda4
> ino=31331129 scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:file_t:s0 tclass=dir 
> ----
> type=SYSCALL msg=audit(01/13/2011 09:33:10.698:49) : arch=x86_64
> syscall=lstat success=no exit=-13(Permission denied) a0=7ff594509d50
> a1=7ffff3924c40 a2=7ffff3924c40 a3=2f534d50522f6c6d items=0 ppid=2230
> pid=2272 auid=unset uid=apache gid=apache euid=apache suid=apache
> fsuid=apache egid=apache sgid=apache fsgid=apache tty=(none) ses=unset
> comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0
> key=(null) 
> type=AVC msg=audit(01/13/2011 09:33:10.698:49) : avc:  denied
> { getattr } for  pid=2272 comm=httpd
> path=/home/packages/rpms/myrpms-el5-x86_64/repodata dev=sda4
> ino=31331129 scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:file_t:s0 tclass=dir 
> ----
> type=SYSCALL msg=audit(01/13/2011 09:33:10.698:48) : arch=x86_64
> syscall=stat success=no exit=-13(Permission denied) a0=7ff594509c30
> a1=7ffff3924c40 a2=7ffff3924c40 a3=0 items=0 ppid=2230 pid=2272
> auid=unset uid=apache gid=apache euid=apache suid=apache fsuid=apache
> egid=apache sgid=apache fsgid=apache tty=(none) ses=unset comm=httpd
> exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null) 
> type=AVC msg=audit(01/13/2011 09:33:10.698:48) : avc:  denied
> { search } for  pid=2272 comm=httpd name=repodata dev=sda4
> ino=31331129 scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:file_t:s0 tclass=dir

BTW, there is a selinux at lists.fedoraproject.org for SELinux-specific
questions.
http://lists.fedoraproject.org/mailman/listinfo/selinux

-- 
Stephen Smalley
National Security Agency
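The thread separates two look-alike failure modes: a target of file_t means the file has no security xattr on disk at all (the default Stephen describes for files created under a context= mount), while unlabeled_t means an xattr is present but carries a context the running policy does not recognise (how RHEL5 sees files labelled by Fedora 14). As an added example that is not code from the thread or from either distribution, this Python triage script parses AVC records like the ones quoted above and groups the denials by target type, attaching the remedy discussed in the thread for each case. The sample reuses two of the quoted records joined onto single lines and adds two constructed records (unlabeled_t and httpd_sys_content_t targets) so every branch is exercised.

```python
import re

# Constructed sample: lines 1-2 are AVC records quoted in the thread (re-joined onto
# one line each); lines 3-4 are made up to show the other two outcomes of the triage.
SAMPLE_AUDIT = """\
type=AVC msg=audit(01/13/2011 07:31:09.274:38) : avc:  denied  { search } for  pid=2270 comm=httpd name=repodata dev=sda4 ino=31331129 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(01/13/2011 07:31:09.287:39) : avc:  denied  { getattr } for  pid=2270 comm=httpd path=/home/packages/rpms/myrpms-el5-x86_64/repodata dev=sda4 ino=31331129 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(01/13/2011 09:40:00.000:52) : avc:  denied  { read } for  pid=2272 comm=httpd name=index.html dev=sda4 ino=31331200 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(01/13/2011 09:41:00.000:53) : avc:  denied  { write } for  pid=2272 comm=httpd name=cache dev=sda4 ino=31331300 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
"""

AVC_RE = re.compile(r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$")

def parse_avc(line):
    """Return perms, target, contexts and target type of one AVC denial, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(re.findall(r"(\w+)=(\S+)", m.group("fields")))
    tcontext = fields["tcontext"]
    return {"perms": m.group("perms").split(),
            "target": fields.get("path") or fields.get("name", "?"),
            "scontext": fields["scontext"], "tcontext": tcontext,
            "ttype": tcontext.split(":")[2], "tclass": fields["tclass"]}

def diagnose(ttype):
    """Map the target type to the remedy discussed in the thread."""
    if ttype == "file_t":  # no security xattr on disk, e.g. created under a context= mount
        return "no xattr on disk: run restorecon, or use context= on both systems"
    if ttype == "unlabeled_t":  # xattr present, but its context is invalid for this policy
        return "xattr not valid for this policy: relabel, or mount with context="
    return "ordinary policy denial on %s: check file contexts and booleans" % ttype

def summarize(audit_text):
    """Group denials by (target type, object class), merging perms and targets."""
    out = {}
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        entry = out.setdefault((rec["ttype"], rec["tclass"]),
                               {"count": 0, "perms": set(), "targets": set(),
                                "hint": diagnose(rec["ttype"])})
        entry["count"] += 1
        entry["perms"].update(rec["perms"])
        entry["targets"].add(rec["target"])
    return out
```

Feed it the output of `ausearch -m avc` (or the raw audit.log) and iterate over `summarize(...)`: a bucket keyed by file_t points at a relabel problem rather than a policy bug, so it is the first thing to clear before reading the remaining denials.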



More information about the devel mailing list