Creating files from initrc_t
Hi
Hi

On CentOS 5.6, I have just noticed that if a process running under context initrc_t creates a file or directory within a user's home directory, that object gets user_home_dir_t.

If an unconfined_t process does the same thing, they correctly get user_home_t.

Was this a bug or a feature?

selinux-policy-2.4.6-300.el5_6.1
selinux-policy-targeted-2.4.6-300.el5_6.1

Moray.
"To err is human; to purr, feline."

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
Creating files from initrc_t
On Mon, 2012-01-23 at 15:57 +0000, Moray Henderson wrote:
> Hi
>
> On CentOS 5.6, I have just noticed that if a process running under context initrc_t creates a file or directory within a user's home directory, that object gets user_home_dir_t.
>
> If an unconfined_t process does the same thing, they correctly get user_home_t.
>
> Was this a bug or a feature?
>
> selinux-policy-2.4.6-300.el5_6.1
> selinux-policy-targeted-2.4.6-300.el5_6.1
>
> Moray.
> "To err is human; to purr, feline."

I guess that depends on how you look at it, but compared to recent Fedora policy I guess you could consider this to be a bug.

This is supported in Fedora 16:

# sesearch --allow -s initrc_t -t user_home_dir_t -T | grep user_home_t
type_transition initrc_t user_home_dir_t : file user_home_t;
type_transition initrc_t user_home_dir_t : dir user_home_t;
type_transition initrc_t user_home_dir_t : lnk_file user_home_t;
type_transition initrc_t user_home_dir_t : sock_file user_home_t;
type_transition initrc_t user_home_dir_t : fifo_file user_home_t;
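The sesearch query above, turned into a repeatable check. This is an added example, not code from the thread or from the selinux-policy package: it parses sesearch's type_transition output and reports which of the five object classes in the Fedora 16 listing are missing on the policy under test, and it can optionally reproduce Moray's runcon experiment on a live host. The sample outputs in the script are constructed, not captured from real systems; the `.initrc_t_probe` file name and the script's command words `audit` and `live` are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. It automates the check Dominick
# ran above: which object classes carry a type_transition from initrc_t in
# user_home_dir_t to user_home_t. The parsing functions run anywhere; the
# "audit" and "live" commands at the bottom need an SELinux host with
# setools (sesearch) and policycoreutils (runcon, restorecon) installed.

# Object classes covered by the Fedora 16 rules quoted in the thread.
WANT_CLASSES="file dir lnk_file sock_file fifo_file"

# Constructed sample outputs (not captured from real systems):
# setools 3 formatting, as in the thread, with all five classes present.
SAMPLE_F16='type_transition initrc_t user_home_dir_t : file user_home_t;
type_transition initrc_t user_home_dir_t : dir user_home_t;
type_transition initrc_t user_home_dir_t : lnk_file user_home_t;
type_transition initrc_t user_home_dir_t : sock_file user_home_t;
type_transition initrc_t user_home_dir_t : fifo_file user_home_t;'
# setools 4 formatting (no spaces around the colon), only two classes.
SAMPLE_PARTIAL='type_transition initrc_t user_home_dir_t:dir user_home_t;
type_transition initrc_t user_home_dir_t:file user_home_t;'

# Read sesearch -T output on stdin and print, one per line, the classes for
# which initrc_t creating an object in user_home_dir_t yields user_home_t.
present_classes() {
    sed 's/[[:space:]]*:[[:space:]]*/ : /' |
    awk '{ sub(/;$/, "", $6) }
         $1 == "type_transition" && $2 == "initrc_t" &&
         $3 == "user_home_dir_t" && $6 == "user_home_t" { print $5 }' |
    sort -u
}

# Read sesearch -T output on stdin and print the classes from WANT_CLASSES
# that have no such transition, i.e. the ones that will come out labelled
# user_home_dir_t as Moray observed.
missing_classes() {
    present=$(present_classes)
    for c in $WANT_CLASSES; do
        printf '%s\n' "$present" | grep -qx "$c" || echo "$c"
    done
}

# Live check (root on an SELinux host): create a file directly under the
# user's home as initrc_t, show its type, then repair it the way Moray
# proposed (restorecon). The probe file name is an assumption.
live_check() {
    home=$(getent passwd "$1" | cut -d: -f6)
    probe="$home/.initrc_t_probe"
    runcon -t initrc_t touch "$probe"
    ls -Z "$probe"          # user_home_dir_t here means the transition is missing
    restorecon -v "$probe"  # relabels to user_home_t from file_contexts
    rm -f "$probe"
}

case "${1:-}" in
    audit) sesearch -T -s initrc_t -t user_home_dir_t | missing_classes ;;
    live)  live_check "${2:?usage: $0 live USER}" ;;
esac
```

Run `sh check.sh audit` on a CentOS 5 box and the five classes should come back as missing; on Fedora 16 the output is empty. `sesearch -T` without `--allow` is used so the same command works with both the setools 3 syntax in the thread and setools 4, and the sed step normalises the two output formats before awk picks the class out of field 5.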
Creating files from initrc_t
On 01/23/2012 11:19 AM, Dominick Grift wrote:
> On Mon, 2012-01-23 at 15:57 +0000, Moray Henderson wrote:
>> Hi
>>
>> On CentOS 5.6, I have just noticed that if a process running under context initrc_t creates a file or directory within a user's home directory, that object gets user_home_dir_t.
>>
>> If an unconfined_t process does the same thing, they correctly get user_home_t.
>>
>> Was this a bug or a feature?
>>
>> selinux-policy-2.4.6-300.el5_6.1
>> selinux-policy-targeted-2.4.6-300.el5_6.1
>>
>> Moray.
>> "To err is human; to purr, feline."
>
> I guess that depends on how you look at it, but compared to recent Fedora policy I guess you could consider this to be a bug.
>
> This is supported in Fedora 16:
>
> # sesearch --allow -s initrc_t -t user_home_dir_t -T | grep user_home_t
> type_transition initrc_t user_home_dir_t : file user_home_t;
> type_transition initrc_t user_home_dir_t : dir user_home_t;
> type_transition initrc_t user_home_dir_t : lnk_file user_home_t;
> type_transition initrc_t user_home_dir_t : sock_file user_home_t;
> type_transition initrc_t user_home_dir_t : fifo_file user_home_t;

Yes, I would say it is a bug, since the goal of initrc_t is to work properly as an unconfined domain. Therefore it should create content in the user's homedir with as close to the "right" context as possible.

Not sure what process you have running as initrc_t that is creating content in the user's homedir. user_home_dir_t should only be the label of the top level directory of a user's homedir.
Creating files from initrc_t
Daniel J Walsh wrote:
> On 01/23/2012 11:19 AM, Dominick Grift wrote:
>> On Mon, 2012-01-23 at 15:57 +0000, Moray Henderson wrote:
>>> Hi
>>>
>>> On CentOS 5.6, I have just noticed that if a process running under context initrc_t creates a file or directory within a user's home directory, that object gets user_home_dir_t.
>>>
>>> If an unconfined_t process does the same thing, they correctly get user_home_t.
>>>
>>> Was this a bug or a feature?
>>>
>>> selinux-policy-2.4.6-300.el5_6.1
>>> selinux-policy-targeted-2.4.6-300.el5_6.1
>>>
>>> Moray.
>>> "To err is human; to purr, feline."
>> I guess that depends on how you look at it, but compared to recent Fedora policy I guess you could consider this to be a bug.
>> This is supported in Fedora 16:
>> # sesearch --allow -s initrc_t -t user_home_dir_t -T | grep user_home_t
>> type_transition initrc_t user_home_dir_t : file user_home_t;
>> type_transition initrc_t user_home_dir_t : dir user_home_t;
>> type_transition initrc_t user_home_dir_t : lnk_file user_home_t;
>> type_transition initrc_t user_home_dir_t : sock_file user_home_t;
>> type_transition initrc_t user_home_dir_t : fifo_file user_home_t;
> Yes, I would say it is a bug, since the goal of initrc_t is to work properly as an unconfined domain. Therefore it should create content in the user's homedir with as close to the "right" context as possible.
> Not sure what process you have running as initrc_t that is creating content in the user's homedir. user_home_dir_t should only be the label of the top level directory of a user's homedir.

I reported a similar problem on 19/02/2011 with a mail "recently-used.xbel wrong context". I hadn't managed to narrow it down to files created by initrc_t processes.
Creating files from initrc_t
> From: Dominick Grift
> Sent: 23 January 2012 16:20
>
> On Mon, 2012-01-23 at 15:57 +0000, Moray Henderson wrote:
>> Hi
>>
>> On CentOS 5.6, I have just noticed that if a process running under context initrc_t creates a file or directory within a user's home directory, that object gets user_home_dir_t.
>>
>> If an unconfined_t process does the same thing, they correctly get user_home_t.
>>
>> Was this a bug or a feature?
>>
>> selinux-policy-2.4.6-300.el5_6.1
>> selinux-policy-targeted-2.4.6-300.el5_6.1
>>
>> Moray.
>> "To err is human; to purr, feline."
>
> I guess that depends on how you look at it, but compared to recent Fedora policy I guess you could consider this to be a bug.
>
> This is supported in Fedora 16:
>
> # sesearch --allow -s initrc_t -t user_home_dir_t -T | grep user_home_t
> type_transition initrc_t user_home_dir_t : file user_home_t;
> type_transition initrc_t user_home_dir_t : dir user_home_t;
> type_transition initrc_t user_home_dir_t : lnk_file user_home_t;
> type_transition initrc_t user_home_dir_t : sock_file user_home_t;
> type_transition initrc_t user_home_dir_t : fifo_file user_home_t;

Thanks Dominick. I may still just work around it with restorecon for now, but if necessary add those transitions to custom policy when I upgrade to CentOS 6.

Moray.
“To err is human; to purr, feline.”
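The custom-policy route Moray mentions, written out as an added example that is not from the thread or from the distribution policy: a small loadable module that installs the same five transitions the Fedora 16 sesearch output shows, for a targeted policy that lacks them. The module name initrc_home_trans is an assumption; the three types are the ones named in the thread.

```selinux
policy_module(initrc_home_trans, 1.0.0)

# Added example (module name initrc_home_trans is an assumption). The three
# types are declared by the base targeted policy; a loadable module only
# needs to require them.
require {
    type initrc_t;
    type user_home_dir_t;
    type user_home_t;
}

# When initrc_t creates an object directly in a user_home_dir_t directory
# (the top level of a home directory, as Dan Walsh notes above), label it
# user_home_t instead of letting it inherit user_home_dir_t. This is the
# set form of the five per-class rules in the Fedora 16 output. It only
# changes the default label of new objects; it grants no permissions.
type_transition initrc_t user_home_dir_t : { dir file lnk_file sock_file fifo_file } user_home_t;
```

Build and load it with the selinux-policy-devel Makefile (`make -f /usr/share/selinux/devel/Makefile initrc_home_trans.pp`, then `semodule -i initrc_home_trans.pp`) and re-run Dominick's sesearch query to confirm the rules are present. Two caveats: the transition fires only for objects created directly in the home directory itself, since anything created inside an existing user_home_t subdirectory already inherits user_home_t; and files created before the module was loaded keep their wrong label until restorecon relabels them, so the restorecon workaround and the module complement each other rather than being alternatives. Because initrc_t is an unconfined domain in the targeted policy, the create and add_name permissions already exist; for a confined domain the refpolicy filetrans_pattern() macro would supply both the transition and those permissions.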
Creating files from initrc_t
> From: Trevor Hemsley
> Sent: 23 January 2012 16:40
>
> Daniel J Walsh wrote:
>> On 01/23/2012 11:19 AM, Dominick Grift wrote:
>>> On Mon, 2012-01-23 at 15:57 +0000, Moray Henderson wrote:
>>>> Hi
>>>>
>>>> On CentOS 5.6, I have just noticed that if a process running under context initrc_t creates a file or directory within a user's home directory, that object gets user_home_dir_t.
>>>>
>>>> If an unconfined_t process does the same thing, they correctly get user_home_t.
>>>>
>>>> Was this a bug or a feature?
>>>>
>>>> selinux-policy-2.4.6-300.el5_6.1
>>>> selinux-policy-targeted-2.4.6-300.el5_6.1
>>>>
>>>> Moray.
>>>> "To err is human; to purr, feline."
>>> I guess that depends on how you look at it but compared to recent Fedora policy I guess you could consider this to be a bug.
>>>
>>> This is supported in Fedora 16:
>>>
>>> # sesearch --allow -s initrc_t -t user_home_dir_t -T | grep user_home_t
>>> type_transition initrc_t user_home_dir_t : file user_home_t;
>>> type_transition initrc_t user_home_dir_t : dir user_home_t;
>>> type_transition initrc_t user_home_dir_t : lnk_file user_home_t;
>>> type_transition initrc_t user_home_dir_t : sock_file user_home_t;
>>> type_transition initrc_t user_home_dir_t : fifo_file user_home_t;
>>
>> Yes, I would say it is a bug, since the goal of initrc_t is to work properly as an unconfined domain. Therefore it should create content in the user's homedir with as close to the "right" context as possible.
>> Not sure what process you have running as initrc_t that is creating content in the user's homedir. user_home_dir_t should only be the label of the top level directory of a user's homedir.
> I reported a similar problem on 19/02/2011 with a mail "recently-used.xbel wrong context". I hadn't managed to narrow it down to files created by initrc_t processes.

I'd forgotten the sesearch(1) command (haven't been in SELinux for a while).

When I saw that my custom daemon was running in initrc_t, I used "runcon -t initrc_t bash" (had to look that one up too) to give myself an initrc_t shell to try things out and compare to my normal unconfined_t shell.

Moray.
“To err is human; to purr, feline.”
Creating files from initrc_t
> From: Miroslav Grepl [mailto:mgrepl@redhat.com]
> Sent: 24 January 2012 17:50
> To: selinux@lists.fedoraproject.org
> Cc: Moray Henderson (ICT)
> Subject: Re: Creating files from initrc_t
>
> On 01/23/2012 04:48 PM, Moray Henderson wrote:
>>> From: Dominick Grift
>>> Sent: 23 January 2012 16:20
>>>
>>> On Mon, 2012-01-23 at 15:57 +0000, Moray Henderson wrote:
>>>> Hi
>>>>
>>>> On CentOS 5.6, I have just noticed that if a process running under context initrc_t creates a file or directory within a user's home directory, that object gets user_home_dir_t.
>>>>
>>>> If an unconfined_t process does the same thing, they correctly get user_home_t.
>>>>
>>>> Was this a bug or a feature?
>>>>
>>>> selinux-policy-2.4.6-300.el5_6.1
>>>> selinux-policy-targeted-2.4.6-300.el5_6.1
>>>>
>>>> Moray.
>>>> "To err is human; to purr, feline."
>>> I guess that depends on how you look at it but compared to recent Fedora policy I guess you could consider this to be a bug.
>>>
>>> This is supported in Fedora 16:
>>>
>>> # sesearch --allow -s initrc_t -t user_home_dir_t -T | grep user_home_t
>>> type_transition initrc_t user_home_dir_t : file user_home_t;
>>> type_transition initrc_t user_home_dir_t : dir user_home_t;
>>> type_transition initrc_t user_home_dir_t : lnk_file user_home_t;
>>> type_transition initrc_t user_home_dir_t : sock_file user_home_t;
>>> type_transition initrc_t user_home_dir_t : fifo_file user_home_t;
>>>
>> Thanks Dominick. I may still just work around it with restorecon for now, but if necessary add those transitions to custom policy when I upgrade to CentOS 6.
> What kind is your application which is running as initrc_t? Maybe we could also try to find a proper domain for this app.

It's an in-house-written daemon that allows some level of remote administration for our servers. It can receive a request to create a user, and to create an application configuration file in their home directory. We can also ask it to report on the server's disk usage and various configuration and log files. It was the application configuration file part that was running into trouble; everything else works perfectly*.

We did look at other remote administration systems that are out there, such as Webmin, but they either offered too much or too little for our needs.

Moray.
“To err is human; to purr, feline.”

* "any human thing supposed to be complete, must for that very reason infallibly be faulty." - Herman Melville, Moby-Dick
Creating files from initrc_t
On 01/23/2012 04:48 PM, Moray Henderson wrote:
>> From: Dominick Grift
>> Sent: 23 January 2012 16:20
>>
>> On Mon, 2012-01-23 at 15:57 +0000, Moray Henderson wrote:
>>> Hi
>>>
>>> On CentOS 5.6, I have just noticed that if a process running under context initrc_t creates a file or directory within a user's home directory, that object gets user_home_dir_t.
>>>
>>> If an unconfined_t process does the same thing, they correctly get user_home_t.
>>>
>>> Was this a bug or a feature?
>>>
>>> selinux-policy-2.4.6-300.el5_6.1
>>> selinux-policy-targeted-2.4.6-300.el5_6.1
>>>
>>> Moray.
>>> "To err is human; to purr, feline."
>>
>> I guess that depends on how you look at it but compared to recent Fedora policy I guess you could consider this to be a bug.
>>
>> This is supported in Fedora 16:
>>
>> # sesearch --allow -s initrc_t -t user_home_dir_t -T | grep user_home_t
>> type_transition initrc_t user_home_dir_t : file user_home_t;
>> type_transition initrc_t user_home_dir_t : dir user_home_t;
>> type_transition initrc_t user_home_dir_t : lnk_file user_home_t;
>> type_transition initrc_t user_home_dir_t : sock_file user_home_t;
>> type_transition initrc_t user_home_dir_t : fifo_file user_home_t;
>
> Thanks Dominick. I may still just work around it with restorecon for now, but if necessary add those transitions to custom policy when I upgrade to CentOS 6.

What kind is your application which is running as initrc_t? Maybe we could also try to find a proper domain for this app.

> Moray.
> “To err is human; to purr, feline.”