Creating files from initrc_t

Moray Henderson Moray.Henderson at ict-software.org
Mon Jan 23 17:08:51 UTC 2012


> From: Trevor Hemsley
> Sent: 23 January 2012 16:40
> Daniel J Walsh wrote:
> > On 01/23/2012 11:19 AM, Dominick Grift wrote:
> > > On Mon, 2012-01-23 at 15:57 +0000, Moray Henderson wrote:
> > >> Hi
> > >>
> > >> On CentOS 5.6, I have just noticed that if a process running
> > >> under context initrc_t creates a file or directory within a
> > >> user's home directory, that object gets user_home_dir_t.
> > >>
> > >> If an unconfined_t process does the same thing, they correctly
> > >> get user_home_t.
> > >>
> > >> Was this a bug or a feature?
> > >>
> > >> selinux-policy-2.4.6-300.el5_6.1
> > >> selinux-policy-targeted-2.4.6-300.el5_6.1
> > >>
> > >>
> > >> Moray. "To err is human; to purr, feline."
> > > I guess that depends on how you look at it but compared to recent
> > > Fedora policy I guess you could consider this to be a bug.
> >
> > > This is supported in Fedora 16:
> >
> > > # sesearch --allow -s initrc_t -t user_home_dir_t -T | grep user_home_t
> > > type_transition initrc_t user_home_dir_t : file user_home_t;
> > > type_transition initrc_t user_home_dir_t : dir user_home_t;
> > > type_transition initrc_t user_home_dir_t : lnk_file user_home_t;
> > > type_transition initrc_t user_home_dir_t : sock_file user_home_t;
> > > type_transition initrc_t user_home_dir_t : fifo_file user_home_t;
> >
> > Yes I would say it is a bug, since the goal of initrc_t is to work
> > properly as an unconfined domain.  Therefore it should create content
> > in the user's homedir with as close to the "right" context as possible.
> > Not sure what process you have running as initrc_t that is creating
> > content in the user's homedir.  user_home_dir_t should only be the
> > label of the top level directory of a user's homedir.
> I reported a similar problem on 19/02/2011 with a mail
> "recently-used.xbel wrong context". I hadn't managed to narrow it down
> to files created by initrc_t processes.

I'd forgotten the sesearch(1) command (haven't been in SELinux for a while).  When I saw that my custom daemon was running in initrc_t, I used "runcon -t initrc_t bash" (had to look that one up too) to give myself an initrc_t shell to try things out and compare to my normal unconfined_t shell.


Moray.
“To err is human; to purr, feline.”
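As an added example, not code from the thread or from any SELinux project: a small Python check that parses `sesearch -T` output for the initrc_t on user_home_dir_t rules Dan quotes, reports which object classes have no transition to user_home_t (so new objects would keep the parent's user_home_dir_t), and emits the refpolicy `filetrans_pattern` line a local module would need. Both sample outputs are constructed; the regex also accepts setools 4 spacing and named transitions, which goes beyond what the thread shows.

```python
import re
# Object classes that Fedora 16 covers with a type_transition from initrc_t on
# user_home_dir_t to user_home_t (the five rules quoted in the thread).
EXPECTED_CLASSES = ("file", "dir", "lnk_file", "sock_file", "fifo_file")

# One "sesearch -T" rule.  Accepts "tgt : cls" (setools 3, as on CentOS 5 and
# Fedora 16) and "tgt:cls" (setools 4); a trailing "name" marks a named transition.
RULE_RE = re.compile(
    r'^\s*type_transition\s+(\S+?)\s+(\S+?)\s*:\s*(\S+?)\s+(\S+?)'
    r'(?:\s+"(?P<name>[^"]*)")?\s*;?\s*$'
)

def parse_type_transitions(lines, source, target):
    """Map object class -> default type for generic type_transition rules whose
    source domain and parent type match; named transitions apply to one filename only."""
    found = {}
    for line in lines:
        m = RULE_RE.match(line)
        if m and m.group(1) == source and m.group(2) == target and not m.group("name"):
            found[m.group(3)] = m.group(4)
    return found

def missing_transitions(found, expected, classes=EXPECTED_CLASSES):
    """Classes with no rule, or a rule to some other type: new objects of these
    classes inherit the parent's type (user_home_dir_t in the thread)."""
    return [c for c in classes if found.get(c) != expected]

def filetrans_rule(source, target, default, classes):
    """refpolicy macro line for a local .te module that adds the missing rules."""
    if not classes:
        return ""
    return f"filetrans_pattern({source}, {target}, {default}, {{ {' '.join(classes)} }})"

# Constructed sample: the Fedora 16 output quoted in the thread.
FEDORA16_OUTPUT = """\
type_transition initrc_t user_home_dir_t : file user_home_t;
type_transition initrc_t user_home_dir_t : dir user_home_t;
type_transition initrc_t user_home_dir_t : lnk_file user_home_t;
type_transition initrc_t user_home_dir_t : sock_file user_home_t;
type_transition initrc_t user_home_dir_t : fifo_file user_home_t;
"""

# Constructed sample standing in for the CentOS 5.6 policy: an unrelated rule only,
# so everything initrc_t creates under user_home_dir_t keeps the parent's type.
CENTOS5_OUTPUT = 'type_transition initrc_t tmp_t : file initrc_tmp_t;\n'

def audit(output, source="initrc_t", target="user_home_dir_t", default="user_home_t"):
    """Return (missing classes, .te line to add) for one sesearch -T dump."""
    gap = missing_transitions(parse_type_transitions(output.splitlines(), source, target), default)
    return gap, filetrans_rule(source, target, default, gap)
```

Feed `audit()` the real output of `sesearch -T -s initrc_t -t user_home_dir_t`; the emitted line still needs a `policy_module` header and a `gen_require` block for the three types before it builds with the policy devel Makefile.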