Root user unable to change type

Daniel J Walsh dwalsh at redhat.com
Wed Jul 10 16:47:02 UTC 2013



On 07/10/2013 12:36 PM, Eric Chennells wrote:
> Hello,
> 
> I must be missing something in my understanding of selinux but I'm having 
> problem where the root user can not change the selinux type of a directory.
> I am running in targeted mode.
> 
> I was experimenting and changed the type of /tmp/bah to "unconfined_t".   I
> am now unable to either delete the directory or to change the type back to
> "tmp_t "
> 
You must have done this while in permissive mode; since unconfined_t is a
process type, not a file type, it would have been denied in enforcing mode.
> chcon -R -t tmp_t /tmp/bah/
> 
Now you are trying to relabel from unconfined_t to tmp_t, and the policy is
blocking you from this since you are relabeling from a domain type on a file
to a file type.  unconfined_t is allowed to relabel from any file_type to any
other file_type but not from a process_type to a file_type.

setenforce 0
chcon -t tmp_t /tmp/bah will work
setenforce 1
chcon -t unconfined_t /tmp/bah
chcon: failed to change context of ‘/tmp/bah’ to
‘staff_u:object_r:unconfined_t:s0’: Permission denied

Which is what should happen.
With an AVC that looks like:
time->Wed Jul 10 12:46:07 2013
type=PATH msg=audit(1373474767.322:9421): item=0 name="/tmp/bah" inode=415267
dev=00:1e mode=040755 ouid=0 ogid=0 rdev=00:00 obj=staff_u:object_r:user_tmp_t:s0
type=CWD msg=audit(1373474767.322:9421):  cwd="/root"
type=SYSCALL msg=audit(1373474767.322:9421): arch=c000003e syscall=188
success=no exit=-13 a0=155d0e0 a1=323fc183be a2=155e610 a3=21 items=1
ppid=28478 pid=28502 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 ses=16 tty=pts0 comm="chcon" exe="/usr/bin/chcon"
subj=staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1373474767.322:9421): avc:  denied  { relabelto } for
pid=28502 comm="chcon" name="bah" dev="tmpfs" ino=415267
scontext=staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=staff_u:object_r:unconfined_t:s0 tclass=dir

Saying you are not allowed to relabel to unconfined_t.


> Results in:
> 
> chcon: failed to change context of `/tmp/bah/' to 
> `unconfined_u:object_r:tmp_t:s0': Permission denied
> 
> Audit2allow is suggesting "allow unconfined_t self:dir relabelfrom;"  but
> I don't want to apply that because it seems that would allow all
> unconfined files/processes to relabel themselves, is that correct?
> 
> Thanks for any tips.
> 
> Eric
> 

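As an added example (not from this thread and not code from any SELinux project): a small POSIX shell triage helper that parses a relabel AVC like the one above and separates the two cases Dan describes, a target type that is a file_type (go check the allow rule) versus one that is a process domain (the label itself is wrong and the denial is correct). The AVC record is copied in shape from the one quoted above; the FILE_TYPES list is a constructed stand-in for the policy's file_type attribute, which on a real system you would take from `seinfo -afile_type -x`; the sesearch command it suggests uses the setools 4 syntax.

```sh
#!/bin/sh
# Constructed AVC record, shaped like the one in the thread (joined onto one line).
AVC_LINE='type=AVC msg=audit(1373474767.322:9421): avc:  denied  { relabelto } for pid=28502 comm="chcon" name="bah" dev="tmpfs" ino=415267 scontext=staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:unconfined_t:s0 tclass=dir'

# Constructed stand-in for the policy's file_type attribute. On a real
# system replace this list with the output of:  seinfo -afile_type -x
FILE_TYPES="tmp_t user_tmp_t etc_t var_t usr_t"

# avc_field LINE KEY: the value of KEY=value in an audit record.
avc_field() {
    printf ' %s\n' "$1" | sed -n "s/.* $2=\([^ ]*\).*/\1/p"
}

# avc_perm LINE: the permission named inside "{ ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^} ]*\) *}.*/\1/p'
}

# ctx_type CONTEXT: the type field (third) of user:role:type[:mls].
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# is_file_type TYPE: true if TYPE is in the (constructed) file_type list.
is_file_type() {
    for _t in $FILE_TYPES; do
        [ "$_t" = "$1" ] && return 0
    done
    return 1
}

# explain_relabel_denial LINE: one-line triage of a relabelto/relabelfrom AVC.
explain_relabel_denial() {
    _perm=$(avc_perm "$1")
    _stype=$(ctx_type "$(avc_field "$1" scontext)")
    _ttype=$(ctx_type "$(avc_field "$1" tcontext)")
    _class=$(avc_field "$1" tclass)
    case $_perm in
        relabelto|relabelfrom) ;;
        *) printf 'not a relabel denial: %s\n' "$_perm"; return 1 ;;
    esac
    if is_file_type "$_ttype"; then
        # Target is a real file type: the question is whether policy grants the rule.
        printf '%s denied %s on %s with file type %s: check the allow rule, e.g. sesearch -A -s %s -t %s -c %s -p %s\n' \
            "$_stype" "$_perm" "$_class" "$_ttype" "$_stype" "$_ttype" "$_class" "$_perm"
    else
        # Target is not a file type (here a process domain): no file relabel rule can ever match.
        printf '%s denied %s on %s with type %s: %s is not a file_type (a process domain), so no file relabel rule can apply; the label itself is wrong\n' \
            "$_stype" "$_perm" "$_class" "$_ttype" "$_ttype"
    fi
}

explain_relabel_denial "$AVC_LINE"
```

Run it as-is to see the verdict for the AVC from the thread; feed it `ausearch -m AVC -ts recent` output one record at a time to triage real denials, and note that a denial in the second category is the policy doing its job, which is why the audit2allow suggestion in the question should not be applied.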