Creating files from initrc_t

Moray Henderson Moray.Henderson at ict-software.org
Tue Jan 24 16:17:37 UTC 2012


> From: Miroslav Grepl [mailto:mgrepl at redhat.com]
> Sent: 24 January 2012 17:50
> To: selinux at lists.fedoraproject.org
> Cc: Moray Henderson (ICT)
> Subject: Re: Creating files from initrc_t
> 
> On 01/23/2012 04:48 PM, Moray Henderson wrote:
> >> From: Dominick Grift
> >> Sent: 23 January 2012 16:20
> >>
> >> On Mon, 2012-01-23 at 15:57 +0000, Moray Henderson wrote:
> >>> Hi
> >>>
> >>> On CentOS 5.6, I have just noticed that if a process running under context
> >>> initrc_t creates a file or directory within a user's home directory, that
> >>> object gets user_home_dir_t.
> >>>
> >>> If an unconfined_t process does the same thing, they correctly get
> >>> user_home_t.
> >>>
> >>> Was this a bug or a feature?
> >>>
> >>> selinux-policy-2.4.6-300.el5_6.1
> >>> selinux-policy-targeted-2.4.6-300.el5_6.1
> >>>
> >>>
> >>> Moray.
> >>> "To err is human; to purr, feline."
> >> I guess that depends on how you look at it but compared to recent fedora
> >> policy i guess you could consider this to be a bug.
> >>
> >> This is supported in Fedora 16:
> >>
> >> # sesearch --allow -s initrc_t -t user_home_dir_t -T | grep user_home_t
> >>     type_transition initrc_t user_home_dir_t : file user_home_t;
> >>     type_transition initrc_t user_home_dir_t : dir user_home_t;
> >>     type_transition initrc_t user_home_dir_t : lnk_file user_home_t;
> >>     type_transition initrc_t user_home_dir_t : sock_file user_home_t;
> >>     type_transition initrc_t user_home_dir_t : fifo_file user_home_t;
> >>
> > Thanks Dominick.  I may still just work around it with restorecon for
> > now, but if necessary add those transitions to custom policy when I
> > upgrade to CentOS 6.
> What kind of application is running as initrc_t? Maybe we could also
> try to find a proper domain for this app.

It's an in-house-written daemon that allows some level of remote administration for our servers.  It can receive a request to create a user, and to create an application configuration file in their home directory.  We can also ask it to report on the server's disk usage and various configuration and log files.  It was the application configuration file part that was running into trouble; everything else works perfectly*.

We did look at other remote administration systems that are out there, such as Webmin, but they either offered too much or too little for our needs.


Moray.
“To err is human; to purr, feline.”

* "any human thing supposed to be complete, must for that very reason infallibly be faulty." 
	- Herman Melville, Moby-Dick
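The whole thread turns on one policy detail: the label a new file gets is decided by whether the policy carries a type_transition rule for the creating domain (initrc_t), the parent directory type (user_home_dir_t) and that object class; without one, the file simply inherits the directory's type, which is what Moray saw on CentOS 5.6. The script below is an added example, not code from the thread or from the selinux-policy package. It parses the format of the sesearch -T output Dominick quoted, reports which of the five object classes have no default transition, and renders a minimal .te fragment (the module name initrc_homefiles is made up) that adds the missing ones, which is the custom-policy route Moray mentions for CentOS 6. The two sesearch outputs are constructed samples: one with no rules, standing in for CentOS 5.6, and one reproducing the five Fedora 16 rules from the thread. A type_transition only picks the label; the domain still needs permission to create objects of the result type, so the rendered module should be checked against sesearch --allow before it is relied on.

```python
import re

# Object classes for which the Fedora 16 policy quoted in the thread has a
# default transition from initrc_t into user_home_dir_t.
HOME_OBJECT_CLASSES = ("file", "dir", "lnk_file", "sock_file", "fifo_file")

# Constructed sample standing in for CentOS 5.6, where no such rules exist.
CENTOS5_OUTPUT = "Found 0 semantic te rules:\n"

# Constructed sample reproducing the five rules Dominick quoted for Fedora 16.
FEDORA16_OUTPUT = """\
Found 5 semantic te rules:
   type_transition initrc_t user_home_dir_t : file user_home_t;
   type_transition initrc_t user_home_dir_t : dir user_home_t;
   type_transition initrc_t user_home_dir_t : lnk_file user_home_t;
   type_transition initrc_t user_home_dir_t : sock_file user_home_t;
   type_transition initrc_t user_home_dir_t : fifo_file user_home_t;
"""

# One sesearch -T rule line. The optional trailing quoted string is the object
# name of a named file transition, which newer policies print the same way.
_RULE_RE = re.compile(
    r'^\s*type_transition\s+(?P<source>\S+)\s+(?P<target>\S+)\s*:\s*'
    r'(?P<cls>\S+)\s+(?P<result>[^\s";]+)\s*(?:"(?P<name>[^"]*)")?\s*;\s*$'
)


def parse_type_transitions(sesearch_output):
    """Return (source, target, class, result, name) tuples for every
    type_transition line; headers and blank lines are skipped."""
    rules = []
    for line in sesearch_output.splitlines():
        m = _RULE_RE.match(line)
        if m:
            rules.append((m["source"], m["target"], m["cls"], m["result"], m["name"]))
    return rules


def missing_transitions(rules, source, target, result, classes=HOME_OBJECT_CLASSES):
    """Object classes in `classes` for which no unnamed default transition
    source -> target : class result is present in `rules`."""
    present = {cls for src, tgt, cls, res, name in rules
               if (src, tgt, res) == (source, target, result) and name is None}
    return [cls for cls in classes if cls not in present]


def render_te_module(module_name, source, target, result, classes):
    """Render a minimal refpolicy-style .te module adding default transitions
    for `classes`. Hypothetical module: a type_transition only selects the
    label, so the domain must separately be allowed to create objects of the
    result type (confirm with sesearch --allow before relying on it)."""
    if not classes:
        return ""
    class_set = "{ " + " ".join(classes) + " }"
    return (
        f"policy_module({module_name}, 1.0)\n\n"
        "require {\n"
        f"\ttype {source};\n"
        f"\ttype {target};\n"
        f"\ttype {result};\n"
        "}\n\n"
        f"type_transition {source} {target}:{class_set} {result};\n"
    )


if __name__ == "__main__":
    for label, output in (("CentOS 5.6", CENTOS5_OUTPUT), ("Fedora 16", FEDORA16_OUTPUT)):
        rules = parse_type_transitions(output)
        missing = missing_transitions(rules, "initrc_t", "user_home_dir_t", "user_home_t")
        print(f"{label}: missing default transitions for {missing or 'no classes'}")
        if missing:
            print(render_te_module("initrc_homefiles", "initrc_t",
                                   "user_home_dir_t", "user_home_t", missing))
```

On a real host the input comes from the same sesearch command Dominick ran; the rendered .te is built and loaded the usual way with the selinux-policy-devel Makefile (make -f /usr/share/selinux/devel/Makefile initrc_homefiles.pp, then semodule -i initrc_homefiles.pp). Named file transitions are deliberately excluded from the check because they only cover one filename, not the general case the thread is about.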




