05-14-2008, 11:11 PM
"Clarkson, Mike R (US SSA)"

polyinstantiation of the /tmp dir

I'm having a problem setting up polyinstantiation for the /tmp dir. I'm
using RHEL5.1 and I've set it up to create instance directories under
the /tmp-inst directory based on level when using newrole. It works, but
the instance directory has ownership/permissions (dac permissions) set
so that the user can not write to the polyinstantiated directory

#ls -l /tmp-inst/
total 24
drwxr-xr-x 2 root root 4096 May 14 20:17 system_u:object_r:tmp_t:s0-s4:c0.c255_clarkson
drwxr-xr-x 2 root root 4096 May 14 18:40 system_u:object_r:tmp_t:s4:c0.c255_clarkson

Either the directories need to be created with the user as the owner
(clarkson in this case), or the permissions need to be 777.

I've set this up before on other boxes and had it work. Not sure what
the difference is now. Any ideas?


--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
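The listing in the post above shows instance directories owned by root with mode 755, which no ordinary user can write into. The script below is an added example, not code from the thread or from pam_namespace itself: it parses an `ls -l` listing of the polyinstantiation parent and flags every instance directory that its named user cannot write to under plain DAC permissions. It assumes the naming convention visible in the listing (the user name follows the last underscore of the instance directory name) and runs on a constructed sample listing that mirrors the two entries from the post; on a real system feed it `ls -l /tmp-inst/`.

```shell
#!/bin/sh
# Added example, not from the thread: audit pam_namespace instance directories
# under a polyinstantiation parent such as /tmp-inst.
#
# Each instance directory is named "<context>_<user>"; the user name follows the
# last underscore (assumption taken from the ls output quoted in the thread).
# An entry is flagged NOT-WRITABLE when the named user would have no DAC write
# access: the owner is a different account and the "other" write bit is clear.
# GROUP-ONLY means only the group write bit could grant access, which a listing
# alone cannot confirm (the user's group membership is not visible here).
#
# The sample listing is constructed for illustration: the first two entries
# mirror the ones in the thread, the third is owned by the user, the fourth is
# world-writable with the sticky bit like /tmp itself.
SAMPLE_LISTING='total 24
drwxr-xr-x 2 root root 4096 May 14 20:17 system_u:object_r:tmp_t:s0-s4:c0.c255_clarkson
drwxr-xr-x 2 root root 4096 May 14 18:40 system_u:object_r:tmp_t:s4:c0.c255_clarkson
drwx------ 2 clarkson clarkson 4096 May 14 18:41 system_u:object_r:tmp_t:s2:c0.c255_clarkson
drwxrwxrwt 2 root root 4096 May 14 18:42 system_u:object_r:tmp_t:s0_alice'

# check_instance MODE OWNER NAME -> prints OK, GROUP-ONLY or NOT-WRITABLE
check_instance() {
    mode=$1; owner=$2; name=$3
    user=${name##*_}                             # user name after the last underscore
    group_w=$(printf '%s' "$mode" | cut -c6)     # 'w' if the group may write
    other_w=$(printf '%s' "$mode" | cut -c9)     # 'w' if everyone may write
    if [ "$owner" = "$user" ] || [ "$other_w" = "w" ]; then
        echo OK
    elif [ "$group_w" = "w" ]; then
        echo GROUP-ONLY
    else
        echo NOT-WRITABLE
    fi
}

# audit_listing reads "ls -l" lines on stdin, prints "<verdict> <name>" for each
# instance directory and returns 1 if any of them is NOT-WRITABLE.
audit_listing() {
    rc=0
    while read -r mode _links owner _group _size _month _day _time name; do
        [ -z "$mode" ] && continue
        case $mode in total*) continue ;; esac   # skip the "total N" header line
        verdict=$(check_instance "$mode" "$owner" "$name")
        echo "$verdict $name"
        [ "$verdict" = NOT-WRITABLE ] && rc=1
    done
    return $rc
}

# count_unwritable prints how many NOT-WRITABLE entries the sample listing has
count_unwritable() {
    printf '%s\n' "$SAMPLE_LISTING" | audit_listing | grep -c '^NOT-WRITABLE'
}

# Stand-alone run on the constructed sample; on a real box use:
#   ls -l /tmp-inst/ | audit_listing
printf '%s\n' "$SAMPLE_LISTING" | audit_listing \
    || echo "some instance directories are not writable by their user"
```

The check is deliberately DAC-only: it tells you whether the ownership or mode is the cause, which is the question the post raises, and does not attempt to evaluate the SELinux context, which the listing does not carry.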
05-15-2008, 01:37 AM
max

polyinstantiation of the /tmp dir

Clarkson, Mike R (US SSA) wrote:

> -----Original Message-----
> From: max [mailto:maximilianbianco@gmail.com]
> Sent: Wednesday, May 14, 2008 5:26 PM
> To: Clarkson, Mike R (US SSA)
> Subject: Re: polyinstantiation of the /tmp dir
>
>> Clarkson, Mike R (US SSA) wrote:
>>
>>> I'm having a problem setting up polyinstantiation for the /tmp dir. I'm
>>> using RHEL5.1 and I've set it up to create instance directories under
>>> the /tmp-inst directory based on level when using newrole. It works, but
>>> the instance directory has ownership/permissions (dac permissions) set
>>> so that the user can not write to the polyinstantiated directory
>>>
>>> #ls -l /tmp-inst/
>>> total 24
>>> drwxr-xr-x 2 root root 4096 May 14 20:17 system_u:object_r:tmp_t:s0-s4:c0.c255_clarkson
>>> drwxr-xr-x 2 root root 4096 May 14 18:40 system_u:object_r:tmp_t:s4:c0.c255_clarkson
>>
>> This may not matter at all but the mls field : s0-s4 seems to differ
>
> They differ because I did two different newroles, once to the
> s0-s4:c0.c255 level and another time to the s4:c0.c255 level. The
> directories are polyinstantiated based on both the user, and the user's
> security context.
>
>> there between the two entries.
>>
>>> Either the directories need to be created with the user as the owner
>>> (clarkson in this case), or the permissions need to be 777.
>>
>> Also remember that Fedora, I don't know about RHEL 5.1, gives each user
>> their own private group which by default includes no one else. Also the
>> above seems to indicate that root owns the files, so yes I think
>> clarkson should be the owner, since regular users cannot read files
>> owned by root and are not normally in root's group either. If you see
>> some flaw, obvious or otherwise, in my logic then I'd appreciate a
>> scathing reply as I am trying to learn something here and I sincerely
>> appreciate being corrected.
>
> I agree with the problem. I'm just not sure what the solution is.
>
>> Max


Thanks for clearing up that bit about the new roles. I would think
changing the ownership would do the trick, unless there are other
implications here because of the security context that I am not getting.
Your proposal of 777 on the directory seems to make sense, but I was
under the impression that writing files to /tmp was not an ideal
solution; maybe changing ownership to clarkson would be better, or just
creating the directory in /home/clarkson, but again I am unclear as to
all the implications. Anyway, it would seem chmod should solve your
problem by using it to give write perms to clarkson. I did find these,
though I haven't had the time to review them in detail:

http://www.ibm.com/developerworks/linux/library/l-polyinstantiation/

http://www.coker.com.au/selinux/talks/sage-2006/PolyInstantiatedDirectories.html

Thanks for the response. Hope the links help.

Max

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list