Creating files from initrc_t

Daniel J Walsh dwalsh at redhat.com
Mon Jan 23 16:33:35 UTC 2012


On 01/23/2012 11:19 AM, Dominick Grift wrote:
> On Mon, 2012-01-23 at 15:57 +0000, Moray Henderson wrote:
>> Hi
>> 
>> On CentOS 5.6, I have just noticed that if a process running
>> under context initrc_t creates a file or directory within a
>> user's home directory, that object gets user_home_dir_t.
>> 
>> If an unconfined_t process does the same thing, they correctly
>> get user_home_t.
>> 
>> Was this a bug or a feature?
>> 
>> selinux-policy-2.4.6-300.el5_6.1 
>> selinux-policy-targeted-2.4.6-300.el5_6.1
>> 
>> 
>> Moray. "To err is human; to purr, feline."
> 
> I guess that depends on how you look at it, but compared to recent
> Fedora policy I guess you could consider this to be a bug.
> 
> This is supported in Fedora 16:
> 
> # sesearch --allow -s initrc_t -t user_home_dir_t -T | grep user_home_t
> type_transition initrc_t user_home_dir_t : file user_home_t;
> type_transition initrc_t user_home_dir_t : dir user_home_t;
> type_transition initrc_t user_home_dir_t : lnk_file user_home_t;
> type_transition initrc_t user_home_dir_t : sock_file user_home_t;
> type_transition initrc_t user_home_dir_t : fifo_file user_home_t;
> 

Yes I would say it is a bug, since the goal of initrc_t is to work
properly as an unconfined domain.  Therefore it should create content
in the user's homedir with as close to the "right" context as possible.
Not sure what process you have running as initrc_t that is creating
content in the user's homedir.  user_home_dir_t should only be the
label of the top level directory of a user's homedir.
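Added example, not part of the original messages or of any SELinux tool: a small Python model of the labeling behaviour discussed in this thread. It parses the type_transition rules quoted above, shows that without a matching rule a new object inherits the parent directory's type, and flags user_home_dir_t labels below the top level of a home directory. The "type path" listing format, the sample paths and all function names are assumptions made for the example.

```python
import re

# Rules as quoted in the thread (Fedora 16 sesearch output).
FEDORA16_RULES = """\
type_transition initrc_t user_home_dir_t : file user_home_t;
type_transition initrc_t user_home_dir_t : dir user_home_t;
type_transition initrc_t user_home_dir_t : lnk_file user_home_t;
type_transition initrc_t user_home_dir_t : sock_file user_home_t;
type_transition initrc_t user_home_dir_t : fifo_file user_home_t;
"""

# Constructed sample: "<type> <path>" per line (hypothetical listing format).
SAMPLE_LISTING = """\
user_home_dir_t /home/alice
user_home_dir_t /home/alice/service.log
user_home_t /home/alice/notes.txt
"""

RULE_RE = re.compile(r"^\s*type_transition\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+(\S+?)\s*;\s*$")

def parse_rules(text):
    """Map (source domain, parent dir type, object class) -> new object type."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            src, parent, cls, new = m.groups()
            rules[(src, parent, cls)] = new
    return rules

def new_object_type(rules, domain, parent_type, obj_class):
    """A matching type_transition rule wins; otherwise the new object
    inherits the parent directory's type. Explicit overrides by the
    creating process (setfscreatecon) are not modelled here."""
    return rules.get((domain, parent_type, obj_class), parent_type)

def mislabeled(listing, home_root="/home"):
    """Paths below the top level of a home directory labeled user_home_dir_t."""
    hits = []
    for line in listing.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or not parts[1].startswith(home_root + "/"):
            continue
        ctx_type, path = parts
        rel = path[len(home_root):].strip("/")
        # rel == "alice" is the home directory itself; deeper paths contain "/".
        if ctx_type == "user_home_dir_t" and "/" in rel:
            hits.append(path)
    return hits
```

Objects flagged this way are the ones to relabel with restorecon once the creating process has been identified.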