Re: Creating files from initrc_t


On 01/23/2012 11:19 AM, Dominick Grift wrote:
> On Mon, 2012-01-23 at 15:57 +0000, Moray Henderson wrote:
>> Hi
>> 
>> On CentOS 5.6, I have just noticed that if a process running
>> under context initrc_t creates a file or directory within a
>> user's home directory, that object gets user_home_dir_t.
>> 
>> If an unconfined_t process does the same thing, they correctly
>> get user_home_t.
>> 
>> Was this a bug or a feature?
>> 
>> selinux-policy-2.4.6-300.el5_6.1 
>> selinux-policy-targeted-2.4.6-300.el5_6.1
>> 
>> 
>> Moray. "To err is human; to purr, feline."
> 
> I guess that depends on how you look at it but compared to recent
> Fedora policy I guess you could consider this to be a bug.
> 
> This is supported in Fedora 16:
> 
> # sesearch --allow -s initrc_t -t user_home_dir_t -T | grep user_home_t
> type_transition initrc_t user_home_dir_t : file user_home_t;
> type_transition initrc_t user_home_dir_t : dir user_home_t;
> type_transition initrc_t user_home_dir_t : lnk_file user_home_t;
> type_transition initrc_t user_home_dir_t : sock_file user_home_t;
> type_transition initrc_t user_home_dir_t : fifo_file user_home_t;
> 
> 
>> 
>> 
>> 
>> -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx 
>> https://admin.fedoraproject.org/mailman/listinfo/selinux

Yes, I would say it is a bug, since the goal of initrc_t is to work
properly as an unconfined domain.  Therefore it should create content
in the user's homedir with as close to the "right" context as possible.
Not sure what process you have running as initrc_t that is creating
content in the user's homedir.  user_home_dir_t should only be the
label of the top-level directory of a user's homedir.
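The check implied by the thread, as an added example that is not part of the original messages: given `sesearch` rule output, list the object classes that have no `type_transition` to the expected type, which is how the CentOS 5.6 policy would differ from the Fedora 16 output quoted above. The function names `sample_rules` and `missing_transitions` are hypothetical, and the sample input is constructed from the quoted Fedora 16 rules.

```shell
#!/bin/sh
# Constructed sample: the five rules from the Fedora 16 output quoted in the thread.
sample_rules() {
cat <<'EOF'
type_transition initrc_t user_home_dir_t : file user_home_t;
type_transition initrc_t user_home_dir_t : dir user_home_t;
type_transition initrc_t user_home_dir_t : lnk_file user_home_t;
type_transition initrc_t user_home_dir_t : sock_file user_home_t;
type_transition initrc_t user_home_dir_t : fifo_file user_home_t;
EOF
}

# missing_transitions SRC PARENT WANT CLASS...
# Reads type_transition rules on stdin and prints every CLASS for which there is
# no rule "type_transition SRC PARENT : CLASS WANT;". An empty result means an
# object of each listed class created by SRC inside a PARENT-labelled directory
# gets WANT instead of inheriting the PARENT label.
missing_transitions() {
    src=$1 parent=$2 want=$3
    shift 3
    awk -v src="$src" -v parent="$parent" -v want="$want" -v classes="$*" '
        # Tolerate output written without spaces around the colon.
        { gsub(/:/, " : ") }
        # NF == 6 skips rules with a trailing file name: those apply only to
        # that one name and do not cover arbitrary new objects.
        $1 == "type_transition" && $2 == src && $3 == parent && $4 == ":" && NF == 6 {
            t = $6
            sub(/;$/, "", t)
            if (t == want) seen[$5] = 1
        }
        END {
            n = split(classes, c, " ")
            for (i = 1; i <= n; i++)
                if (!(c[i] in seen)) print c[i]
        }'
}

# On a live system, feed it the command quoted in the thread:
#   sesearch --allow -s initrc_t -t user_home_dir_t -T |
#       missing_transitions initrc_t user_home_dir_t user_home_t file dir lnk_file sock_file fifo_file
```
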


