
List:       fedora-selinux-list
Subject:    Re: Creating home directories with wrong context
From:       Daniel J Walsh <dwalsh () redhat ! com>
Date:       2015-02-05 7:53:18
Message-ID: 54D3216E.6070803 () redhat ! com


On 01/29/2015 01:19 AM, Jayson Hurst wrote:
> This is what seems to trigger the home dir creation issue for me:
>
> # touch /.autorelabel
> # reboot
>  
> Then ssh into the box as a new user.
>  
> Declaring  userdom_home_filetrans_user_home_dir(vasd_t) in the vasd.te
> file doesn't change the behavior. The user home dirs are still created
> with a security context of home_root_t.
>
> A restart of the vasd daemon fixes the issue.  Any suggestions on
> how/why a restart of the daemon fixed it?
Most likely vasd was not running with the correct domain.

ps -eZ | grep vasd
to make sure it is running as vasd_t.


>  
> ------------------------------------------------------------------------
> From: swazup@hotmail.com
> To: dwalsh@redhat.com; selinux@lists.fedoraproject.org
> Subject: RE: Creating home directories with wrong context
> Date: Tue, 27 Jan 2015 14:00:28 -0700
>
> So should I open a bug for this?
>  
> ------------------------------------------------------------------------
> Date: Wed, 14 Jan 2015 10:49:56 -0500
> From: dwalsh@redhat.com
> To: swazup@hotmail.com; selinux@lists.fedoraproject.org
> Subject: Re: Creating home directories with wrong context
>
> Is it in an optional block?  Could you send me your policy?
>
>
> On 01/12/2015 11:48 AM, Jayson Hurst wrote:
>
>     I declare userdom_home_filetrans_user_home_dir($1) in vasd_admin
>     method in the vasd.if file.  vasd.te calls vasd_admin(vasd_t). 
>      
>     $ sesearch -T -s vasd_t -t home_root_t -c file 
>      
>     $
>      
>     The command above returns a blank line.
>      
>     Could there be a conflicting rule that might be causing me
>     problems?  Where do I look to figure out why this no longer works?
>      
>     ------------------------------------------------------------------------
>     Date: Sat, 10 Jan 2015 07:03:17 -0500
>     From: dwalsh@redhat.com <mailto:dwalsh@redhat.com>
>     To: swazup@hotmail.com <mailto:swazup@hotmail.com>;
>     selinux@lists.fedoraproject.org
>     <mailto:selinux@lists.fedoraproject.org>
>     Subject: Re: Creating home directories with wrong context
>
>
>     On 01/08/2015 09:22 PM, Jayson Hurst wrote:
>
>         I am trying to figure out why a policy that was written on
>         RHEL 6.0 doesn't work the same on RHEL 6.5.
>
>         I have a policy whose domain is vasd_t
>          
>         I am using the userdomain.if interface call which is supposed
>         to give the domain access to create directories in the home
>         dir root with the user home directory type.
>           userdom_home_filetrans_user_home_dir(vasd_t)
>
>         Which calls:
>           files_home_filetrans($1, user_home_dir_t, dir)
>         Which calls:
>           filetrans_pattern($1, home_root_t, $2, $3)
>          
>         Which is defined as:
>                 allow $1 $2:dir rw_dir_perms;
>                 type_transition $1 $2:$4 $3;
>          
>         I would expect this to allow me to create a new directory in
>         /home which is of type home_root_t, but what I am seeing is
>         that the new homedir is being created with the type of
>         home_root_t and not user_home_dir_t as expected.
>          
>         I have also tried not calling the interface methods and
>         defining it by hand as:
>          
>         allow vasd_t home_root_t:dir rw_dir_perms;
>         type_transition vasd_t home_root_t:dir user_home_dir_t;
>
>         I have also tried calling userdom_create_user_home_dirs(vasd_t)
>          
>         sesearch shows:
>          
>         $ sesearch -AC | grep 'allow vasd_t' | grep ': dir' | grep
>         home_root_t
>            allow vasd_t home_root_t : dir { ioctl read write getattr
>         lock add_name remove_name search open } ;
>          
>         The way the daemon associated with the vasd_t domain works
>         is that it calls a script that does the actual creation of
>         the homedir. I believe the problem lies in the fact that
>         perhaps the script isn't being invoked in a way that gives it
>         proper creation rights.
>          
>         Like I said, this used to work in RHEL 6.0 but now I cannot
>         seem to get it to work in 6.5. Any help would be appreciated.
>         I don't know what I am missing here.
>
>
>         --
>         selinux mailing list
>         selinux@lists.fedoraproject.org <mailto:selinux@lists.fedoraproject.org>
>         https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>
>     You should only need:
>     userdom_home_filetrans_user_home_dir(vasd_t)
>
>     You need to look at your transition rules.
>
>     sesearch -T -s vasd_t -t home_root_t -c file
>
>
>
>

