Linux Archive - Fedora SELinux Support
Creating files from initrc_t (http://www.linux-archive.org/fedora-selinux-support/624255-creating-files-initrc_t.html)

Moray Henderson 01-23-2012 02:57 PM

Creating files from initrc_t
 
Hi

On CentOS 5.6, I have just noticed that if a process running under context
initrc_t creates a file or directory within a user's home directory, that
object gets user_home_dir_t.

If an unconfined_t process does the same thing, they correctly get
user_home_t.

Was this a bug or a feature?

selinux-policy-2.4.6-300.el5_6.1
selinux-policy-targeted-2.4.6-300.el5_6.1


Moray.
"To err is human; to purr, feline."




--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

Dominick Grift 01-23-2012 03:19 PM

Creating files from initrc_t
 
On Mon, 2012-01-23 at 15:57 +0000, Moray Henderson wrote:
> Hi
>
> On CentOS 5.6, I have just noticed that if a process running under context
> initrc_t creates a file or directory within a user's home directory, that
> object gets user_home_dir_t.
>
> If an unconfined_t process does the same thing, they correctly get
> user_home_t.
>
> Was this a bug or a feature?
>
> selinux-policy-2.4.6-300.el5_6.1
> selinux-policy-targeted-2.4.6-300.el5_6.1
>
>
> Moray.
> "To err is human; to purr, feline."

I guess that depends on how you look at it but compared to recent fedora
policy i guess you could consider this to be a bug.

This is supported in Fedora 16:

# sesearch --allow -s initrc_t -t user_home_dir_t -T | grep user_home_t
type_transition initrc_t user_home_dir_t : file user_home_t;
type_transition initrc_t user_home_dir_t : dir user_home_t;
type_transition initrc_t user_home_dir_t : lnk_file user_home_t;
type_transition initrc_t user_home_dir_t : sock_file user_home_t;
type_transition initrc_t user_home_dir_t : fifo_file user_home_t;





Daniel J Walsh 01-23-2012 03:33 PM

Creating files from initrc_t
 

On 01/23/2012 11:19 AM, Dominick Grift wrote:
> On Mon, 2012-01-23 at 15:57 +0000, Moray Henderson wrote:
>> Hi
>>
>> On CentOS 5.6, I have just noticed that if a process running
>> under context initrc_t creates a file or directory within a
>> user's home directory, that object gets user_home_dir_t.
>>
>> If an unconfined_t process does the same thing, they correctly
>> get user_home_t.
>>
>> Was this a bug or a feature?
>>
>> selinux-policy-2.4.6-300.el5_6.1
>> selinux-policy-targeted-2.4.6-300.el5_6.1
>>
>>
>> Moray. "To err is human; to purr, feline."
>
> I guess that depends on how you look at it but compared to recent
> fedora policy i guess you could consider this to be a bug.
>
> This is supported in Fedora 16:
>
> # sesearch --allow -s initrc_t -t user_home_dir_t -T | grep user_home_t
> type_transition initrc_t user_home_dir_t : file user_home_t;
> type_transition initrc_t user_home_dir_t : dir user_home_t;
> type_transition initrc_t user_home_dir_t : lnk_file user_home_t;
> type_transition initrc_t user_home_dir_t : sock_file user_home_t;
> type_transition initrc_t user_home_dir_t : fifo_file user_home_t;
>
>

Yes I would say it is a bug, since the goal of initrc_t is to work
properly as an unconfined domain. Therefore it should create content
in the users homedir with as close to the "right" context as possible.
Not sure what process you have running as initrc_t that is creating
content in the users homedir. user_home_dir_t should only be the
label of the top level directory of a user's homedir.

Trevor Hemsley 01-23-2012 03:40 PM

Creating files from initrc_t
 
Daniel J Walsh wrote:

> On 01/23/2012 11:19 AM, Dominick Grift wrote:
>> On Mon, 2012-01-23 at 15:57 +0000, Moray Henderson wrote:
>>> Hi
>>>
>>> On CentOS 5.6, I have just noticed that if a process running
>>> under context initrc_t creates a file or directory within a
>>> user's home directory, that object gets user_home_dir_t.
>>>
>>> If an unconfined_t process does the same thing, they correctly
>>> get user_home_t.
>>>
>>> Was this a bug or a feature?
>>>
>>> selinux-policy-2.4.6-300.el5_6.1
>>> selinux-policy-targeted-2.4.6-300.el5_6.1
>>>
>>> Moray. "To err is human; to purr, feline."
>> I guess that depends on how you look at it but compared to recent
>> fedora policy i guess you could consider this to be a bug.
>>
>> This is supported in Fedora 16:
>>
>> # sesearch --allow -s initrc_t -t user_home_dir_t -T | grep user_home_t
>> type_transition initrc_t user_home_dir_t : file user_home_t;
>> type_transition initrc_t user_home_dir_t : dir user_home_t;
>> type_transition initrc_t user_home_dir_t : lnk_file user_home_t;
>> type_transition initrc_t user_home_dir_t : sock_file user_home_t;
>> type_transition initrc_t user_home_dir_t : fifo_file user_home_t;
> Yes I would say it is a bug, since the goal of initrc_t is to work
> properly as an unconfined domain. Therefore it should create content
> in the users homedir with as close to the "right" context as possible.
> Not sure what process you have running as initrc_t that is creating
> content in the users homedir. user_home_dir_t should only be the
> label of the top level directory of a user's homedir.
I reported a similar problem on 19/02/2011 with a mail
"recently-used.xbel wrong context". I hadn't managed to narrow it down
to files created by initrc_t processes.



Moray Henderson 01-23-2012 03:48 PM

Creating files from initrc_t
 
> From: Dominick Grift
> Sent: 23 January 2012 16:20
>
> On Mon, 2012-01-23 at 15:57 +0000, Moray Henderson wrote:
> > Hi
> >
> > On CentOS 5.6, I have just noticed that if a process running under
> > context initrc_t creates a file or directory within a user's home directory,
> > that object gets user_home_dir_t.
> >
> > If an unconfined_t process does the same thing, they correctly get
> > user_home_t.
> >
> > Was this a bug or a feature?
> >
> > selinux-policy-2.4.6-300.el5_6.1
> > selinux-policy-targeted-2.4.6-300.el5_6.1
> >
> >
> > Moray.
> > "To err is human; to purr, feline."
>
> I guess that depends on how you look at it but compared to recent fedora
> policy i guess you could consider this to be a bug.
>
> This is supported in Fedora 16:
>
> # sesearch --allow -s initrc_t -t user_home_dir_t -T | grep user_home_t
> type_transition initrc_t user_home_dir_t : file user_home_t;
> type_transition initrc_t user_home_dir_t : dir user_home_t;
> type_transition initrc_t user_home_dir_t : lnk_file user_home_t;
> type_transition initrc_t user_home_dir_t : sock_file user_home_t;
> type_transition initrc_t user_home_dir_t : fifo_file user_home_t;
>

Thanks Dominick. I may still just work around it with restorecon for now, but if necessary add those transitions to custom policy when I upgrade to CentOS 6.


Moray.
“To err is human; to purr, feline.”

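As an added example (not from the thread, and not SELinux project code), here is a small Python checker that parses `sesearch -T` output of the form Dominick posted, reports which object classes lack the initrc_t to user_home_t transition inside user_home_dir_t, and renders the custom policy module Moray mentions for the missing ones. The two sesearch outputs embedded in it are constructed samples, the module name initrc_home_fix is hypothetical, and the module deliberately adds no allow rules because initrc_t is an unconfined domain.

```python
import re

# Object classes for which Fedora 16 carries a type_transition from initrc_t in
# user_home_dir_t to user_home_t, per the sesearch output quoted in the thread.
EXPECTED_CLASSES = ("file", "dir", "lnk_file", "sock_file", "fifo_file")

# One type_transition line as printed by `sesearch --allow ... -T`.
RULE_RE = re.compile(r"^type_transition\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+(\S+);")

# Constructed samples: FEDORA16 mirrors the output shown in the thread; CENTOS5
# is a made-up policy that only transitions plain files, to show partial coverage.
FEDORA16 = "\n".join(
    f"type_transition initrc_t user_home_dir_t : {cls} user_home_t;"
    for cls in EXPECTED_CLASSES)
CENTOS5 = "type_transition initrc_t user_home_dir_t : file user_home_t;\n"


def parse_type_transitions(sesearch_output):
    """Map (source, target, class) -> default type for every rule in the output."""
    rules = {}
    for line in sesearch_output.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            src, tgt, cls, default = m.groups()
            rules[(src, tgt, cls)] = default
    return rules


def missing_home_transitions(sesearch_output, source="initrc_t",
                             target="user_home_dir_t", default="user_home_t"):
    """Classes whose new objects would inherit the parent's user_home_dir_t label
    because no rule relabels them to user_home_t on creation."""
    rules = parse_type_transitions(sesearch_output)
    return [c for c in EXPECTED_CLASSES if rules.get((source, target, c)) != default]


def policy_snippet(classes, source="initrc_t", target="user_home_dir_t",
                   default="user_home_t"):
    """Render a minimal .te module (hypothetical name initrc_home_fix) adding the
    missing transitions. Build: checkmodule -M -m -o x.mod x.te; semodule_package
    -o x.pp -m x.mod; load: semodule -i x.pp. No allow rules: initrc_t is unconfined."""
    if not classes:
        return ""
    return "\n".join([
        "module initrc_home_fix 1.0;",
        "require {",
        *(f"    type {t};" for t in (source, target, default)),
        "}",
        f"type_transition {source} {target} : {{ {' '.join(classes)} }} {default};",
    ])
```

On a live system, feed it the real output of `sesearch --allow -s initrc_t -t user_home_dir_t -T` instead of the constructed samples.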

Moray Henderson 01-23-2012 04:08 PM

Creating files from initrc_t
 
> From: Trevor Hemsley
> Sent: 23 January 2012 16:40
> Daniel J Walsh wrote:
> > On 01/23/2012 11:19 AM, Dominick Grift wrote:
> > > On Mon, 2012-01-23 at 15:57 +0000, Moray Henderson wrote:
> > >> Hi
> > >>
> > >> On CentOS 5.6, I have just noticed that if a process running
> > >> under context initrc_t creates a file or directory within a
> > >> user's home directory, that object gets user_home_dir_t.
> > >>
> > >> If an unconfined_t process does the same thing, they correctly
> > >> get user_home_t.
> > >>
> > >> Was this a bug or a feature?
> > >>
> > >> selinux-policy-2.4.6-300.el5_6.1
> > >> selinux-policy-targeted-2.4.6-300.el5_6.1
> > >>
> > >>
> > >> Moray. "To err is human; to purr, feline."
> > > I guess that depends on how you look at it but compared to recent
> > > fedora policy i guess you could consider this to be a bug.
> >
> > > This is supported in Fedora 16:
> >
> > > # sesearch --allow -s initrc_t -t user_home_dir_t -T | grep user_home_t
> > > type_transition initrc_t user_home_dir_t : file user_home_t;
> > > type_transition initrc_t user_home_dir_t : dir user_home_t;
> > > type_transition initrc_t user_home_dir_t : lnk_file user_home_t;
> > > type_transition initrc_t user_home_dir_t : sock_file user_home_t;
> > > type_transition initrc_t user_home_dir_t : fifo_file user_home_t;
> >
> > Yes I would say it is a bug, since the goal of initrc_t is to work
> > properly as an unconfined domain. Therefore it should create content
> > in the users homedir with as close to the "right" context as possible.
> > Not sure what process you have running as initrc_t that is creating
> > content in the users homedir. user_home_dir_t should only be the
> > label of the top level directory of a user's homedir.
> I reported a similar problem on 19/02/2011 with a mail
> "recently-used.xbel wrong context". I hadn't managed to narrow it down
> to files created by initrc_t processes.

I'd forgotten the sesearch(1) command (haven't been in SELinux for a while). When I saw that my custom daemon was running in initrc_t, I used "runcon -t initrc_t bash" (had to look that one up too) to give myself an initrc_t shell to try things out and compare to my normal unconfined_t shell.


Moray.
“To err is human; to purr, feline.”





Moray Henderson 01-24-2012 03:17 PM

Creating files from initrc_t
 
> From: Miroslav Grepl [mailto:mgrepl@redhat.com]
> Sent: 24 January 2012 17:50
> To: selinux@lists.fedoraproject.org
> Cc: Moray Henderson (ICT)
> Subject: Re: Creating files from initrc_t
>
> On 01/23/2012 04:48 PM, Moray Henderson wrote:
> >> From: Dominick Grift
> >> Sent: 23 January 2012 16:20
> >>
> >> On Mon, 2012-01-23 at 15:57 +0000, Moray Henderson wrote:
> >>> Hi
> >>>
> >>> On CentOS 5.6, I have just noticed that if a process running under
> >>> context initrc_t creates a file or directory within a user's home
> >>> directory, that object gets user_home_dir_t.
> >>>
> >>> If an unconfined_t process does the same thing, they correctly get
> >>> user_home_t.
> >>>
> >>> Was this a bug or a feature?
> >>>
> >>> selinux-policy-2.4.6-300.el5_6.1
> >>> selinux-policy-targeted-2.4.6-300.el5_6.1
> >>>
> >>>
> >>> Moray.
> >>> "To err is human; to purr, feline."
> >> I guess that depends on how you look at it but compared to recent
> >> fedora
> >> policy i guess you could consider this to be a bug.
> >>
> >> This is supported in Fedora 16:
> >>
> >> # sesearch --allow -s initrc_t -t user_home_dir_t -T | grep user_home_t
> >> type_transition initrc_t user_home_dir_t : file user_home_t;
> >> type_transition initrc_t user_home_dir_t : dir user_home_t;
> >> type_transition initrc_t user_home_dir_t : lnk_file user_home_t;
> >> type_transition initrc_t user_home_dir_t : sock_file user_home_t;
> >> type_transition initrc_t user_home_dir_t : fifo_file user_home_t;
> >>
> > Thanks Dominick. I may still just work around it with restorecon for
> now, but if necessary add those transitions to custom policy when I
> upgrade to CentOS 6.
> What kind of application is it that is running as initrc_t? Maybe we
> could also try to find a proper domain for this app.

It's an in-house-written daemon that allows some level of remote administration for our servers. It can receive a request to create a user, and to create an application configuration file in their home directory. We can also ask it to report on the server's disk usage and various configuration and log files. It was the application configuration file part that was running into trouble; everything else works perfectly*.

We did look at other remote administration systems that are out there, such as Webmin, but they either offered too much or too little for our needs.


Moray.
“To err is human; to purr, feline.”

* "any human thing supposed to be complete, must for that very reason infallibly be faulty."
- Herman Melville, Moby-Dick




Miroslav Grepl 01-24-2012 04:49 PM

Creating files from initrc_t
 
On 01/23/2012 04:48 PM, Moray Henderson wrote:
>> From: Dominick Grift
>> Sent: 23 January 2012 16:20
>>
>> On Mon, 2012-01-23 at 15:57 +0000, Moray Henderson wrote:
>>> Hi
>>>
>>> On CentOS 5.6, I have just noticed that if a process running under
>>> context initrc_t creates a file or directory within a user's home directory,
>>> that object gets user_home_dir_t.
>>>
>>> If an unconfined_t process does the same thing, they correctly get
>>> user_home_t.
>>>
>>> Was this a bug or a feature?
>>>
>>> selinux-policy-2.4.6-300.el5_6.1
>>> selinux-policy-targeted-2.4.6-300.el5_6.1
>>>
>>> Moray.
>>> "To err is human; to purr, feline."
>>
>> I guess that depends on how you look at it but compared to recent fedora
>> policy i guess you could consider this to be a bug.
>>
>> This is supported in Fedora 16:
>>
>> # sesearch --allow -s initrc_t -t user_home_dir_t -T | grep user_home_t
>> type_transition initrc_t user_home_dir_t : file user_home_t;
>> type_transition initrc_t user_home_dir_t : dir user_home_t;
>> type_transition initrc_t user_home_dir_t : lnk_file user_home_t;
>> type_transition initrc_t user_home_dir_t : sock_file user_home_t;
>> type_transition initrc_t user_home_dir_t : fifo_file user_home_t;
>
> Thanks Dominick. I may still just work around it with restorecon for now, but if necessary add those transitions to custom policy when I upgrade to CentOS 6.

What kind of application is it that is running as initrc_t? Maybe we
could also try to find a proper domain for this app.

