Forrest Taylor 11-20-2007 07:50 PM

restorecond not expanding ~
 
I am using RHEL5.1 selinux-policy-targeted-2.4.6-104.el5. restorecond
is not properly expanding the ~ or other wildcards
in /etc/selinux/restorecond.conf. By default, restorecond.conf
includes:
~/public_html

However, if I create that directory as a normal user, it gets the
standard context (user_home_t). If I explicitly put the full path
(e.g., /home/student/public_html), it works as expected.

Does (or will) restorecond support wildcards/regex?

Thanks,

Forrest
--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Ulrich Drepper 11-20-2007 07:58 PM

Forrest Taylor wrote:
> I am using RHEL5.1 selinux-policy-targeted-2.4.6-104.el5. restorecond
> is not properly expanding the ~ or other wildcards
> in /etc/selinux/restorecond.conf. By default, restorecond.conf
> includes:
> ~/public_html

And how would you want to expand ~ ? This is a context-sensitive value.
restorecond runs as root so ~/foo is /root/foo? You cannot expect the
program to pull down the list of all accounts and expand ~/foo for all
user accounts.

There might be a case for supporting * but I think the files which have
to be handled through restorecond should remain small, so this isn't
really that important.

--
➧ Ulrich Drepper ➧ Red Hat, Inc. ➧ 444 Castro St ➧ Mountain View, CA ❖

Stephen Smalley 11-20-2007 08:10 PM

On Tue, 2007-11-20 at 13:50 -0700, Forrest Taylor wrote:
> I am using RHEL5.1 selinux-policy-targeted-2.4.6-104.el5. restorecond
> is not properly expanding the ~ or other wildcards
> in /etc/selinux/restorecond.conf. By default, restorecond.conf
> includes:
> ~/public_html
>
> However, if I create that directory as a normal user, it gets the
> standard context (user_home_t). If I explicitly put the full path
> (e.g., /home/student/public_html), it works as expected.
>
> Does (or will) restorecond support wildcards/regex?

Wildcards/regex, no. Tilde should be expanded to user home directories
for users presently logged in to the system (based on utmp).

Try running it with -d -v.

--
Stephen Smalley
National Security Agency

Daniel J Walsh 11-20-2007 08:55 PM

Stephen Smalley wrote:
> On Tue, 2007-11-20 at 13:50 -0700, Forrest Taylor wrote:
>> I am using RHEL5.1 selinux-policy-targeted-2.4.6-104.el5. restorecond
>> is not properly expanding the ~ or other wildcards
>> in /etc/selinux/restorecond.conf. By default, restorecond.conf
>> includes:
>> ~/public_html
>>
>> However, if I create that directory as a normal user, it gets the
>> standard context (user_home_t). If I explicitly put the full path
>> (e.g., /home/student/public_html), it works as expected.
>>
>> Does (or will) restorecond support wildcards/regex?
>
> Wildcards/regex, no. Tilde should be expanded to user home directories
> for users presently logged in to the system (based on utmp).
>
> Try running it with -d -v.
>
I haven't checked for a while. But yes it is supposed to check ~/FILE

It does this by watching the utmp file, for users logging in and then
adds the homedir to its list of directories to watch.


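A model of the expansion described in the replies above, added here as an example (it is not restorecond's own code): `~/` entries in restorecond.conf are expanded only for users who hold an active login record in utmp. It assumes glibc's 384-byte Linux `struct utmp` layout; the utmp records, the `/etc/resolv.conf` entry, the `alice` account and all function names are constructed for illustration.

```python
import struct

# Assumption: glibc's 384-byte struct utmp record layout on Linux.
UTMP = struct.Struct("=h2xi32s4s32s256shhiii4i20x")
USER_PROCESS, DEAD_PROCESS = 7, 8  # ut_type: active login / ended session


def logged_in_users(utmp_bytes):
    """Names of users that currently hold a USER_PROCESS record."""
    users = set()
    for off in range(0, len(utmp_bytes) - UTMP.size + 1, UTMP.size):
        rec = UTMP.unpack_from(utmp_bytes, off)
        if rec[0] == USER_PROCESS:
            users.add(rec[4].split(b"\0", 1)[0].decode())
    return users


def watched_paths(conf_text, utmp_bytes, homes):
    """Expand ~/ entries once per logged-in user; keep other entries as-is."""
    users = sorted(logged_in_users(utmp_bytes))
    paths = []
    for line in conf_text.splitlines():
        entry = line.strip()
        if not entry:
            continue
        if entry.startswith("~/"):
            paths += [homes[u].rstrip("/") + entry[1:] for u in users if u in homes]
        else:
            paths.append(entry)
    return paths


def make_record(ut_type, user, line=b"pts/0"):
    """Pack one constructed utmp record (pid, id and host are dummy values)."""
    return UTMP.pack(ut_type, 1234, line, b"ts/0", user, b"", *([0] * 9))


# Constructed sample data: student is logged in, alice has logged out.
SAMPLE_CONF = "/etc/resolv.conf\n~/public_html\n"
SAMPLE_UTMP = (make_record(USER_PROCESS, b"student")
               + make_record(DEAD_PROCESS, b"alice", b"pts/1"))
SAMPLE_HOMES = {"student": "/home/student", "alice": "/home/alice"}

if __name__ == "__main__":
    for path in watched_paths(SAMPLE_CONF, SAMPLE_UTMP, SAMPLE_HOMES):
        print(path)
```

In this model a user whose session has no utmp login record yields no `~/public_html` path at all, while a full path in the configuration is always kept.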

