Linux Archive (http://www.linux-archive.org/)
-   Fedora SELinux Support (http://www.linux-archive.org/fedora-selinux-support/)
-   -   file contexts change on reboot (http://www.linux-archive.org/fedora-selinux-support/142513-file-contexts-change-reboot.html)

"Johnson, Richard" 08-13-2008 07:06 PM

file contexts change on reboot
 
I'm not sure, but I think I'm hitting a precedence issue which is
causing files to be relabeled on boot. The symptom is:

root@lstlinux57 13:32:21 ~> restorecon -R /var/opt/ft/log
root@lstlinux57 13:32:28 ~> ls -lZ /var/opt/ft/log/libft_sra_alarm_server.log
-rw------- root root system_u:object_r:lsb-ft-asn_rw_t /var/opt/ft/log/libft_sra_alarm_server.log
root@lstlinux57 13:32:36 ~> init 6
root@lstlinux57 13:32:40 ~> logout

Connection to 134.111.82.122 closed.
bash-3.1$ ssh 134.111.82.122 -l root
root@134.111.82.122's password:
Last login: Wed Aug 13 13:08:02 2008 from rjlinux2.mno.stratus.com
root@lstlinux57 13:39:22 ~> ls -lZ /var/opt/ft/log/libft_sra_alarm_server.log
-rw------- root root system_u:object_r:var_log_t /var/opt/ft/log/libft_sra_alarm_server.log
root@lstlinux57 13:39:24 ~> restorecon -R /var/opt/ft/log
root@lstlinux57 13:39:45 ~> ls -lZ /var/opt/ft/log/libft_sra_alarm_server.log
-rw------- root root system_u:object_r:lsb-ft-asn_rw_t /var/opt/ft/log/libft_sra_alarm_server.log


The situation is a standard RHEL5.2 with all errata applied; plus the
following modifications

I have a local policy modification introduced by one rpm:

/usr/sbin/semanage fcontext -a -t var_log_t -s system_u '/var/opt/ft/log'

And a separate policy module containing:

/var/opt/ft/log/libft_.* -- gen_context(system_u:object_r:lsb-ft-asn_rw_t,s0)

The net result is:

root@lstlinux57 14:56:56 ~> semanage fcontext -l | grep '/opt/ft'

/var/opt/ft/asn(/.*)?                    all files      system_u:object_r:lsb-ft-asn_rw_t:s0
/var/opt/ft/log/libft_.*                 regular file   system_u:object_r:lsb-ft-asn_rw_t:s0
/opt/ft/sbin/sra_alarm                   regular file   system_u:object_r:lsb-ft-asn_exec_t:s0
/etc/opt/ft/asn/sra_ppp/ASN_CallHome     regular file   system_u:object_r:lsb-ft-asn_script_t:s0
/etc/opt/ft/asn/sra_ppp/SetUPCallHome    regular file   system_u:object_r:lsb-ft-asn_script_t:s0
/var/opt/ft/log                          all files      system_u:object_r:var_log_t:s0
/var/opt/ft/log/snmpd.log                all files      system_u:object_r:snmpd_log_t:s0

I suspect that the problem lies with the ordering of those
'/var/opt/ft/log' lines. Am I on the right track? How can I sort
things out?

Thx,
--rich

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Daniel J Walsh 08-13-2008 07:15 PM

file contexts change on reboot
 
Johnson, Richard wrote:
> I'm not sure, but I think I'm hitting a precedence issue which is
> causing files to be relabeled on boot. The symptom is:
> [...snip for brevity...]
The file libft_sra_alarm_server.log is being created on boot probably by
an init script or by the executable. Since the parent directory is
labeled var_log_t it gets that context. If you run restorecon the
context will get set correctly.

If all the files in this directory are supposed to be
system_u:object_r:lsb-ft-asn_rw_t:s0

Then you should label:

/usr/sbin/semanage fcontext -a -t lsb-ft-asn_rw_t -s system_u '/var/opt/ft/log(/.*)'

If you need other files in that directory labeled differently you might
want to move your log files to a subdir and label that one.


"Johnson, Richard" 08-13-2008 07:53 PM

file contexts change on reboot
 
Daniel J Walsh wrote:
>Johnson, Richard wrote:
>> [...snip for brevity...]
>
>The file libft_sra_alarm_server.log is being created on boot probably by
>an init script or by the executable. Since the parent directory is
>labeled var_log_t it gets that context. If you run restorecon the
>context will get set correctly.
>
>If all the files in this directory are supposed to be
>system_u:object_r:lsb-ft-asn_rw_t:s0
>
>Then you should label:
>
>/usr/sbin/semanage fcontext -a -t lsb-ft-asn_rw_t -s system_u '/var/opt/ft/log(/.*)'
>
>If you need other files in that directory labeled differently you might
>want to move your log files to a subdir and label that one.


Yes this log (among others) is created by a daemon started from an init
script. I will investigate moving the logs to a sub-dir. But for
historical and support reasons I'd prefer to leave them where they are.
Is there a way for the daemon to create the files with the appropriate
label from the get-go?

--rich


Daniel J Walsh 08-13-2008 08:11 PM

file contexts change on reboot
 
Johnson, Richard wrote:
>
> Daniel J Walsh wrote:
>> [...snip for brevity...]
>
> Yes this log (among others) is created by a daemon started from an init
> script. I will investigate moving the logs to a sub-dir. But for
> historical and support reasons I'd prefer to leave them where they are.
> Is there a way for the daemon to create the files with the appropriate
> label from the get-go?
>
> --rich
Yes, you have three choices.

1. Write a policy for this daemon so that when it creates files in
directories labeled var_log_t, it transitions to the correct context.

2. You could have the script create the log file and run restorecon on
it and then have your program open and write to it.

3. You could make your application SELinux aware and ask the system how
the log file should be labeled and then call the selinux api to tell the
kernel to label it correctly.

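The following is an added example, not code from the thread and not part of the LSB/Stratus packages being discussed. It is a small Python model of the two labeling mechanisms that Dan's first answer tells apart (the file_contexts lookup that restorecon/matchpathcon perform, where every pattern is anchored and the last matching entry wins, versus the kernel's create-time rule that a new file inherits its parent directory's type unless a type_transition says otherwise) and of the three options in his second answer. It also shows why the two '/var/opt/ft/log' fcontext entries Rich listed do not really conflict: the anchored pattern '/var/opt/ft/log' matches only the directory itself, not the files under it. The file_contexts ordering, the catch-all and /var/log entries, the daemon domain name lsb_ft_asn_t and the type_transition line are assumptions made for the example; a real daemon would call libselinux (selabel_lookup()/matchpathcon() and setfscreatecon()) rather than re-implementing the lookup.

```python
import re

# Constructed sample file_contexts in the order libselinux would see it: the
# policy's own entries first, then the file_contexts.local entries that
# `semanage fcontext -a` appends. Entries are the ones listed in the thread
# plus a catch-all; the exact ordering is an assumption.
FILE_CONTEXTS = """\
/.*                              system_u:object_r:default_t:s0
/var/log(/.*)?                   system_u:object_r:var_log_t:s0
/var/opt/ft/asn(/.*)?            system_u:object_r:lsb-ft-asn_rw_t:s0
/var/opt/ft/log/libft_.*     --  system_u:object_r:lsb-ft-asn_rw_t:s0
/var/opt/ft/log/snmpd.log        system_u:object_r:snmpd_log_t:s0
/var/opt/ft/log                  system_u:object_r:var_log_t:s0
"""

# Hypothetical .te fragment for option 1; the domain name is an assumption.
TE_FRAGMENT = "type_transition lsb_ft_asn_t var_log_t:file lsb-ft-asn_rw_t;"

# file_contexts type flags -> object class names
FTYPE_FLAGS = {"--": "file", "-d": "dir", "-l": "lnk_file", "-c": "chr_file",
               "-b": "blk_file", "-s": "sock_file", "-p": "fifo_file"}


def parse_file_contexts(text):
    """Return [(anchored regex, class-or-None, context)] in file order."""
    specs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) == 3:
            regex, flag, ctx = fields
            cls = FTYPE_FLAGS[flag]
        else:
            regex, ctx = fields
            cls = None          # no flag: applies to every object class
        # libselinux anchors every pattern, so '/var/opt/ft/log' matches only
        # the directory itself, never the files underneath it.
        specs.append((re.compile("^" + regex + "$"), cls, ctx))
    return specs


def lookup(specs, path, cls):
    """Label restorecon/matchpathcon would assign: the last matching entry wins."""
    for regex, spec_cls, ctx in reversed(specs):
        if spec_cls in (None, cls) and regex.match(path):
            return ctx
    return None


def parse_type_transitions(te_text):
    """Collect `type_transition src tgt:cls new;` rules from a .te fragment."""
    pat = r"type_transition\s+(\S+)\s+(\S+):(\S+)\s+(\S+);"
    return {(s, t, c): n for s, t, c, n in re.findall(pat, te_text)}


def type_of(ctx):
    return ctx.split(":")[2]


def create_label(domain, parent_ctx, cls, transitions, fscreate=None):
    """Type the kernel gives a new inode (simplified: user/role fixed to system_u:object_r).

    fscreate models a prior setfscreatecon() call (option 3): it wins outright.
    Otherwise a type_transition keyed on (creating domain, parent type, class)
    applies (option 1); otherwise the child inherits the parent's type, which
    is what produced var_log_t on the box in the thread.
    """
    if fscreate is not None:
        return fscreate
    parent_type = type_of(parent_ctx)
    new_type = transitions.get((domain, parent_type, cls), parent_type)
    return "system_u:object_r:%s:s0" % new_type


LOG = "/var/opt/ft/log/libft_sra_alarm_server.log"
LOGDIR = "/var/opt/ft/log"
DAEMON = "lsb_ft_asn_t"   # assumed domain the alarm daemon runs in


def scenarios():
    """Label of the log file under each situation discussed in the thread."""
    specs = parse_file_contexts(FILE_CONTEXTS)
    logdir_ctx = lookup(specs, LOGDIR, "dir")     # the directory itself: var_log_t
    return {
        "restorecon":   lookup(specs, LOG, "file"),
        "directory":    logdir_ctx,
        "boot_default": create_label(DAEMON, logdir_ctx, "file", {}),
        "opt1_type_transition":
            create_label(DAEMON, logdir_ctx, "file", parse_type_transitions(TE_FRAGMENT)),
        # option 2: the init script creates the file and runs restorecon on it,
        # so the daemon later opens an already correctly labeled file
        "opt2_create_then_restorecon": lookup(specs, LOG, "file"),
        # option 3: daemon does a selabel_lookup()-style query, then setfscreatecon()
        "opt3_setfscreatecon":
            create_label(DAEMON, logdir_ctx, "file", {}, fscreate=lookup(specs, LOG, "file")),
    }


if __name__ == "__main__":
    for name, ctx in scenarios().items():
        print("%-28s %s" % (name, ctx))
```

Running it gives var_log_t for "boot_default" and lsb-ft-asn_rw_t for "restorecon" and for each of the three options, which is the behaviour Rich observed and the behaviour Dan describes. Looking up a file in that directory that no specific entry covers falls through to the catch-all, which is the situation Dan's '/var/opt/ft/log(/.*)' suggestion is meant to cover when every file there should carry the same type.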

"Johnson, Richard" 08-13-2008 08:35 PM

file contexts change on reboot
 
Daniel J Walsh wrote:
> Johnson, Richard wrote:
>> Daniel J Walsh wrote:
>>> The file libft_sra_alarm_server.log is being created on boot probably by
>>> an init script or by the executable. Since the parent directory is
>>> labeled var_log_t it gets that context. If you run restorecon the
>>> context will get set correctly.
>>>
>>> If all the files in this directory are supposed to be
>>> system_u:object_r:lsb-ft-asn_rw_t:s0
>>>
>>> Then you should label:
>>>
>>> /usr/sbin/semanage fcontext -a -t lsb-ft-asn_rw_t -s system_u '/var/opt/ft/log(/.*)'
>>>
>>> If you need other files in that directory labeled differently you might
>>> want to move your log files to a subdir and label that one.
>>
>> Yes this log (among others) is created by a daemon started from an init
>> script. I will investigate moving the logs to a sub-dir. But for
>> historical and support reasons I'd prefer to leave them where they are.
>> Is there a way for the daemon to create the files with the appropriate
>> label from the get-go?
>
> 1. Write a policy for this daemon so that when it creates files in
> directories labeled var_log_t, it transitions to the correct context.

Ah. I'm halfway down this road with a candidate policy--which might
be how I got into this mess. But being new at it, I guess it's par for
the course. Back to the books and other docs...this time focusing on
transitions.

> 2. You could have the script create the log file and run restorecon on
> it and then have your program open and write to it.
>
> 3. You could make your application SELinux aware and ask the system how
> the log file should be labeled and then call the selinux api to tell the
> kernel to label it correctly.


