Creating home directories with wrong context

Daniel J Walsh dwalsh at redhat.com
Thu Feb 5 07:53:18 UTC 2015


On 01/29/2015 01:19 AM, Jayson Hurst wrote:
> This is what seems to trigger the home dir creation issue for me:
>
> # touch /.autorelabel
> # reboot
>  
> Then ssh into the box as a new user.
>  
> Declaring  userdom_home_filetrans_user_home_dir(vasd_t) in the vasd.te
> file doesn't change the behavior. The user home dirs are still created
> with a security context of home_root_t.
>
> A restart of the vasd daemon fixes the issue.  Any suggestions on
> how/why a restart of the daemon fixed it?
Most likely vasd was not running with the correct domain.

ps -eZ | grep vasd
to make sure it is running as vasd_t.


>  
> ------------------------------------------------------------------------
> From: swazup at hotmail.com
> To: dwalsh at redhat.com; selinux at lists.fedoraproject.org
> Subject: RE: Creating home directories with wrong context
> Date: Tue, 27 Jan 2015 14:00:28 -0700
>
> So should I open a bug for this?
>  
> ------------------------------------------------------------------------
> Date: Wed, 14 Jan 2015 10:49:56 -0500
> From: dwalsh at redhat.com
> To: swazup at hotmail.com; selinux at lists.fedoraproject.org
> Subject: Re: Creating home directories with wrong context
>
> Is it in an optional block?  Could you send me your policy?
>
>
> On 01/12/2015 11:48 AM, Jayson Hurst wrote:
>
>     I declare userdom_home_filetrans_user_home_dir($1) in vasd_admin
>     method in the vasd.if file.  vasd.te calls vasd_admin(vasd_t). 
>      
>     $ sesearch -T -s vasd_t -t home_root_t -c file 
>      
>     $
>      
>     The command above returns a blank line.
>      
>     Could there be a conflicting rule that might be causing me
>     problems?  Where do I look to figure out why this no longer works?
>      
>     ------------------------------------------------------------------------
>     Date: Sat, 10 Jan 2015 07:03:17 -0500
>     From: dwalsh at redhat.com
>     To: swazup at hotmail.com; selinux at lists.fedoraproject.org
>     Subject: Re: Creating home directories with wrong context
>
>
>     On 01/08/2015 09:22 PM, Jayson Hurst wrote:
>
>         I am trying to figure out why a policy that was written on
>         RHEL 6.0 doesn't work the same on RHEL 6.5.
>
>         I have a policy whose domain is vasd_t
>          
>         I am using the userdomain.if interface call which is supposed
>         to give the domain access to create directories in the home
>         dir root with the user home directory type.
>           userdom_home_filetrans_user_home_dir(vasd_t)
>
>         Which calls:
>           files_home_filetrans($1, user_home_dir_t, dir)
>         Which calls:
>           filetrans_pattern($1, home_root_t, $2, $3)
>          
>         Which is defined as:
>                 allow $1 $2:dir rw_dir_perms;
>                 type_transition $1 $2:$4 $3;
>          
>         I would expect this to allow me to create a new directory in
>         /home which is of type home_root_t, but what I am seeing is
>         that the new homedir is being created with the type of
>         home_root_t and not user_home_dir_t as expected.
>          
>         I have also tried not calling the interface methods and
>         defining it by hand as:
>          
>         allow vasd_t home_root_t:dir rw_dir_perms;
>         type_transition vasd_t home_root_t:dir user_home_dir_t;
>
>         I have also tried calling userdom_create_user_home_dirs(vasd_t)
>          
>         sesearch shows:
>          
>         $ sesearch -AC | grep 'allow vasd_t' | grep ': dir' | grep
>         home_root_t
>            allow vasd_t home_root_t : dir { ioctl read write getattr
>         lock add_name remove_name search open } ;
>          
>         The way the daemon works that is associated to the vasd_t
>         domain is that it calls a script that does the actual creation
>         of the homedir. I believe the problem lies in this fact that
>         perhaps the script isn't being invoked in a way to give it
>         proper creation rights.
>          
>         Like I said, this used to work in RHEL 6.0 but now I cannot seem
>         to get it to work in 6.5. Any help would be appreciated. I
>         don't know what I am missing here.
>
>
>         --
>         selinux mailing list
>         selinux at lists.fedoraproject.org
>         https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>
>     You should only need.
>     userdom_home_filetrans_user_home_dir(vasd_t)
>
>     You need to look at your transition rules.
>
>     sesearch -T -s vasd_t -t home_root_t -c file
>
>
>
>
>
>
>
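As an added example that is not part of this thread, the script below reproduces the checks the reply asks for, but over captured command output so it can be run anywhere: it reads `ps -eZ` output to find which domain the daemon is actually running in, reads `sesearch -T` output to confirm the `type_transition` rule is loaded, and reads `ls -Zd` output to see which type the created home directory received. It queries the `dir` class because a home directory is a directory and the interface quoted above (`files_home_filetrans($1, user_home_dir_t, dir)`) emits a transition for that class. The sample outputs, the process name `vasd`, and the `initrc_t` domain in the "broken" sample are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Offline diagnosis of the three
# facts that decide whether a daemon creates home directories with the
# right label: the daemon's domain (ps -eZ), the presence of the
# type_transition rule (sesearch -T), and the label the directory actually
# got (ls -Zd). All sample output below is constructed for the example.

# Constructed sample of `ps -eZ` output: the daemon is in vasd_t here.
PS_SAMPLE='system_u:system_r:vasd_t:s0                 1234 ?        00:00:01 vasd
system_u:system_r:sshd_t:s0-s0:c0.c1023      1200 ?        00:00:00 sshd'

# Constructed sample of `ps -eZ` for a daemon that never entered its
# domain (the situation a service restart after a relabel corrects).
PS_SAMPLE_BAD='system_u:system_r:initrc_t:s0               1234 ?        00:00:01 vasd'

# Constructed sample of `sesearch -T -s vasd_t -t home_root_t -c dir`
# (setools 3 layout, as shipped with RHEL 6).
SESEARCH_SAMPLE='Found 1 semantic te rules:
   type_transition vasd_t home_root_t : dir user_home_dir_t; '

# Constructed sample of `ls -Zd /home/newuser`.
LS_SAMPLE='drwx------. newuser newuser system_u:object_r:user_home_dir_t:s0 /home/newuser'

# process_domain NAME  (reads ps -eZ output on stdin)
# Prints the SELinux type (third field of the context) of process NAME.
process_domain() {
    awk -v name="$1" '$NF == name { split($1, ctx, ":"); print ctx[3]; exit }'
}

# has_transition SRC TGT CLASS RESULT  (reads sesearch -T output on stdin)
# Succeeds when a matching type_transition rule is present. The pattern
# tolerates both "tgt : cls" (setools 3) and "tgt:cls" (setools 4) spacing.
has_transition() {
    grep -qE "type_transition[[:space:]]+$1[[:space:]]+$2[[:space:]]*:[[:space:]]*$3[[:space:]]+$4[[:space:]]*;"
}

# file_type  (reads ls -Z output on stdin)
# Prints the type component of the first security context on the line.
file_type() {
    awk '{ for (i = 1; i <= NF; i++)
             if ($i ~ /^[a-z_]+:object_r:/) { split($i, ctx, ":"); print ctx[3]; exit } }'
}

# diagnose PS_OUTPUT SESEARCH_OUTPUT LS_OUTPUT
# Prints one line per check and returns 0 only if all three pass.
diagnose() {
    ok=0
    dom=$(printf '%s\n' "$1" | process_domain vasd)
    if [ "$dom" = vasd_t ]; then
        echo "daemon domain: $dom (ok)"
    else
        echo "daemon domain: ${dom:-none} (expected vasd_t; restart the service after relabeling)"
        ok=1
    fi
    if printf '%s\n' "$2" | has_transition vasd_t home_root_t dir user_home_dir_t; then
        echo "type_transition vasd_t home_root_t:dir user_home_dir_t: present"
    else
        echo "type_transition vasd_t home_root_t:dir user_home_dir_t: missing (check optional blocks / module load)"
        ok=1
    fi
    t=$(printf '%s\n' "$3" | file_type)
    if [ "$t" = user_home_dir_t ]; then
        echo "home dir type: $t (ok)"
    else
        echo "home dir type: ${t:-none} (expected user_home_dir_t)"
        ok=1
    fi
    return $ok
}

# Usage: a healthy capture, then the capture where the daemon is in the wrong domain.
diagnose "$PS_SAMPLE" "$SESEARCH_SAMPLE" "$LS_SAMPLE"
diagnose "$PS_SAMPLE_BAD" "$SESEARCH_SAMPLE" "$LS_SAMPLE" || echo "diagnosis: not healthy"
```

On a live system the three variables would be replaced by `ps -eZ`, `sesearch -T -s vasd_t -t home_root_t -c dir`, and `ls -Zd /home/<user>` run after the relabel, so the first failing line tells you whether the problem is the process domain or the policy.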


