Problems creating a directory in /usr

Dominick Grift dominick.grift at gmail.com
Sat Feb 9 22:34:53 UTC 2013


On Fri, 2013-02-08 at 12:58 +0100, Miroslav Grepl wrote:
> On 02/08/2013 12:53 PM, Dominick Grift wrote:
> > On Fri, 2013-02-08 at 10:55 +0000, Clive Hills wrote:
> >
> >> which I find confusing as it makes no reference to the /usr/realman or
> >> for that matter /usr directories.
> >>
> >>
> >> Please advise what I need to do to have it writeable by this
> >> application (which is closed source to which I have no access).
> >>
> >>
> >> Many thanks
> >> Clive
> >>
> > In this case, if I really wanted this app, I would just let useradd
> > create that dir once (e.g. run the app in permissive mode the first time
> > so that it can create the dir: (setenforce 0; "run the app"; setenforce
> > 1)).
> >
> > Basically this should not be allowed for useradd_t in policy. The /usr
> > directory is not for user home directories. A more appropriate location
> > would probably be /var/lib/realman.
> >
> > But once the directory is there then SELinux should probably no longer
> > have a problem, at least until you remove the app (then userdel will
> > probably be trying to remove it and be denied)
> >
> > Actually this is something to consider for the SELinux devs in the
> > future: I do not see a need to run useradd with a domain transition. It
> > only causes issues like these for unconfined users.
> Dominick,
> do you run without this transition on your system? Basically we want to 
> move some transitions in F19 from unconfined_t.

Nope, but in theory it could maybe work. Just let unconfined_t type
transition to user_home_dir_t on home_root_t dirs. Otherwise just
inherit the type of the parent.

There should only be homedirs in /home with the exception of lost+found
which we can define a named file transition for.

> >>
> >> --
> >> selinux mailing list
> >> selinux at lists.fedoraproject.org
> >> https://admin.fedoraproject.org/mailman/listinfo/selinux
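The rule Dominick sketches above, written out as an illustrative SELinux policy fragment (added here; not from the thread or from Fedora's policy). It assumes reference-policy type names: user_home_dir_t and home_root_t are the ones named in the message, and lost_found_t is assumed to be the existing type for lost+found directories.

```te
# Illustrative fragment, not the thread's or Fedora's own policy.
# Assumes reference-policy type names; lost_found_t is assumed to exist.
policy_module(homedir_transition_example, 1.0)

require {
    type unconfined_t;
    type home_root_t;       # label of /home itself
    type user_home_dir_t;   # label wanted on /home/<user>
    type lost_found_t;      # label wanted on /home/lost+found
}

# Any directory unconfined_t creates directly under a home_root_t
# directory (i.e. /home) is labelled as a user home directory, so an
# unconfined useradd needs no domain transition to get the right label.
type_transition unconfined_t home_root_t:dir user_home_dir_t;

# Named file transition (policy version 25 or later): the single
# exception in /home keeps its own type. Named rules take precedence
# over the unnamed rule above for the matching filename.
type_transition unconfined_t home_root_t:dir lost_found_t "lost+found";

# Deliberately no rule for /usr or anywhere else: a directory created
# there simply inherits its parent's type, which is the default.
```

The type_transition statements only pick the label; the creating domain still needs the usual allow rules for dir create on the target types, which unconfined_t already has.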