Creating files from initrc_t

Miroslav Grepl mgrepl at redhat.com
Tue Jan 24 17:49:43 UTC 2012


On 01/23/2012 04:48 PM, Moray Henderson wrote:
>> From: Dominick Grift
>> Sent: 23 January 2012 16:20
>>
>> On Mon, 2012-01-23 at 15:57 +0000, Moray Henderson wrote:
>>> Hi
>>>
>>> On CentOS 5.6, I have just noticed that if a process running under context
>>> initrc_t creates a file or directory within a user's home directory, that
>>> object gets user_home_dir_t.
>>>
>>> If an unconfined_t process does the same thing, they correctly get
>>> user_home_t.
>>>
>>> Was this a bug or a feature?
>>>
>>> selinux-policy-2.4.6-300.el5_6.1
>>> selinux-policy-targeted-2.4.6-300.el5_6.1
>>>
>>>
>>> Moray.
>>> "To err is human; to purr, feline."
>> I guess that depends on how you look at it but compared to recent Fedora
>> policy I guess you could consider this to be a bug.
>>
>> This is supported in Fedora 16:
>>
>> # sesearch --allow -s initrc_t -t user_home_dir_t -T | grep user_home_t
>>     type_transition initrc_t user_home_dir_t : file user_home_t;
>>     type_transition initrc_t user_home_dir_t : dir user_home_t;
>>     type_transition initrc_t user_home_dir_t : lnk_file user_home_t;
>>     type_transition initrc_t user_home_dir_t : sock_file user_home_t;
>>     type_transition initrc_t user_home_dir_t : fifo_file user_home_t;
>>
> Thanks Dominick.  I may still just work around it with restorecon for now, but if necessary add those transitions to custom policy when I upgrade to CentOS 6.

What kind of application is it that is running as initrc_t? Maybe we
could also try to find a proper domain for this app.

>
> Moray.
> “To err is human; to purr, feline.”
>
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
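
Why the two domains end up with different labels, as an added example that is not part of the thread or of any policy package: a newly created object takes the type named by a matching type_transition rule, and otherwise inherits the type of its parent directory. The FEDORA16 rules are the ones quoted above; the CENTOS5 rules are a constructed stand-in consistent with the behaviour Moray reports, not a dump of selinux-policy-2.4.6, and the function names are hypothetical.

```python
import re

# Matches rule lines in the form sesearch prints in the thread, e.g.
#   type_transition initrc_t user_home_dir_t : file user_home_t;
RULE_RE = re.compile(
    r"^\s*type_transition\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+(\S+?)\s*;")

CLASSES = ["file", "dir", "lnk_file", "sock_file", "fifo_file"]

# Rules quoted in the thread (Fedora 16).
FEDORA16 = """
    type_transition initrc_t user_home_dir_t : file user_home_t;
    type_transition initrc_t user_home_dir_t : dir user_home_t;
    type_transition initrc_t user_home_dir_t : lnk_file user_home_t;
    type_transition initrc_t user_home_dir_t : sock_file user_home_t;
    type_transition initrc_t user_home_dir_t : fifo_file user_home_t;
"""

# Constructed stand-in for CentOS 5.6: unconfined_t has transitions,
# initrc_t has none (assumption matching the reported behaviour).
CENTOS5 = """
    type_transition unconfined_t user_home_dir_t : file user_home_t;
    type_transition unconfined_t user_home_dir_t : dir user_home_t;
"""

def parse_rules(text):
    """Map (source domain, parent dir type, object class) -> new type."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            src, parent, cls, new = m.groups()
            rules[(src, parent, cls)] = new
    return rules

def new_object_type(rules, domain, parent_type, obj_class):
    """Default type of a new object: the transition result if a rule
    matches, otherwise the parent directory's type is inherited."""
    return rules.get((domain, parent_type, obj_class), parent_type)

def missing_transitions(rules, domain, parent_type, wanted, classes=CLASSES):
    """Classes for which `domain` would not create `wanted` objects."""
    return [c for c in classes
            if new_object_type(rules, domain, parent_type, c) != wanted]

if __name__ == "__main__":
    for name, text in (("CentOS 5 (constructed)", CENTOS5), ("Fedora 16", FEDORA16)):
        gaps = missing_transitions(parse_rules(text), "initrc_t",
                                   "user_home_dir_t", "user_home_t")
        print(name, "- classes needing restorecon or a custom rule:", gaps)
```

A type_transition rule only chooses the label; the domain still needs the matching allow rules to create objects of that type.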


