Creating files from initrc_t

Moray Henderson Moray.Henderson at ict-software.org
Mon Jan 23 16:48:12 UTC 2012


> From: Dominick Grift
> Sent: 23 January 2012 16:20
> 
> On Mon, 2012-01-23 at 15:57 +0000, Moray Henderson wrote:
> > Hi
> >
> > On CentOS 5.6, I have just noticed that if a process running under
> > context initrc_t creates a file or directory within a user's home
> > directory, that object gets user_home_dir_t.
> >
> > If an unconfined_t process does the same thing, they correctly get
> > user_home_t.
> >
> > Was this a bug or a feature?
> >
> > selinux-policy-2.4.6-300.el5_6.1
> > selinux-policy-targeted-2.4.6-300.el5_6.1
> >
> >
> > Moray.
> > "To err is human; to purr, feline."
> 
> I guess that depends on how you look at it but compared to recent
> fedora policy i guess you could consider this to be a bug.
> 
> This is supported in Fedora 16:
> 
> # sesearch --allow -s initrc_t -t user_home_dir_t -T | grep user_home_t
>    type_transition initrc_t user_home_dir_t : file user_home_t;
>    type_transition initrc_t user_home_dir_t : dir user_home_t;
>    type_transition initrc_t user_home_dir_t : lnk_file user_home_t;
>    type_transition initrc_t user_home_dir_t : sock_file user_home_t;
>    type_transition initrc_t user_home_dir_t : fifo_file user_home_t;
> 

Thanks Dominick.  I may still just work around it with restorecon for now, but if necessary add those transitions to custom policy when I upgrade to CentOS 6.


Moray.
“To err is human; to purr, feline.”
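Both options Moray mentions (restorecon now, custom policy later) in one script, added here as an example and not taken from the thread or from the Fedora policy itself. The module name initrc_home, the use of raw module syntax (the same form audit2allow emits, built with checkmodule/semodule_package/semodule on CentOS 5) and the minimal allow rules are my assumptions; the type names, object classes and type_transition rules are exactly those in the sesearch output Dominick quoted. It also assumes initrc_t already has write/add_name on user_home_dir_t, which the thread implies since the service already creates files there, and that file_contexts maps files under home directories to user_home_t, which is what makes restorecon a valid workaround.

```shell
#!/bin/sh
# Added example (not from the list post): a custom SELinux module giving
# initrc_t the user_home_dir_t -> user_home_t transitions that Fedora 16
# already has, plus the restorecon workaround for objects created before
# the module is loaded. Module name and allow rules are assumptions.

# Emit the policy source (.te) for the module to stdout.
gen_initrc_home_te() {
    cat <<'EOF'
module initrc_home 1.0;

require {
    type initrc_t;
    type user_home_dir_t;
    type user_home_t;
    class dir create;
    class file create;
    class lnk_file create;
    class sock_file create;
    class fifo_file create;
}

# Objects initrc_t creates directly inside a home directory get user_home_t
# instead of inheriting user_home_dir_t from the parent (as in Fedora 16).
type_transition initrc_t user_home_dir_t:file user_home_t;
type_transition initrc_t user_home_dir_t:dir user_home_t;
type_transition initrc_t user_home_dir_t:lnk_file user_home_t;
type_transition initrc_t user_home_dir_t:sock_file user_home_t;
type_transition initrc_t user_home_dir_t:fifo_file user_home_t;

# A transition only picks the label; initrc_t still needs permission to
# create objects of the target type, so grant exactly that (assumed set).
allow initrc_t user_home_t:dir create;
allow initrc_t user_home_t:file create;
allow initrc_t user_home_t:lnk_file create;
allow initrc_t user_home_t:sock_file create;
allow initrc_t user_home_t:fifo_file create;
EOF
}

# Build and load the module with the CentOS 5 toolchain (needs root).
install_initrc_home_module() {
    workdir=$(mktemp -d) || return 1
    gen_initrc_home_te > "$workdir/initrc_home.te"
    checkmodule -M -m -o "$workdir/initrc_home.mod" "$workdir/initrc_home.te" &&
    semodule_package -o "$workdir/initrc_home.pp" -m "$workdir/initrc_home.mod" &&
    semodule -i "$workdir/initrc_home.pp"
}

# Workaround until the module is loaded: relabel objects an initrc_t
# service already created under a home directory. restorecon applies the
# file_contexts match (user_home_t under /home/*), so re-running is harmless.
relabel_home() {
    restorecon -Rv "$1"
}

# Offline check: does the generated source carry a transition for the
# given object class? Returns 0 if present, 1 if not.
te_has_transition() {
    gen_initrc_home_te |
        grep -q "^type_transition initrc_t user_home_dir_t:$1 user_home_t;$"
}

# Usage: ./initrc_home.sh            (print the .te source)
#        ./initrc_home.sh --install  (build and load it)
#        ./initrc_home.sh --relabel /home/moray   (restorecon workaround)
case "${1:-}" in
    --install) install_initrc_home_module ;;
    --relabel) relabel_home "${2:-$HOME}" ;;
    *) gen_initrc_home_te ;;
esac
```

The print-only default means the source can be reviewed (or diffed against what `sesearch --allow -s initrc_t -t user_home_dir_t -T` reports after loading) before anything touches the running policy.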
