-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Christoph Höger wrote:
> Hi,
>
> currently I encounter a denial for openvpn which tries to "search"
> home_root_t. Is that generally a bad idea (and openvpn should be fixed)
> or should it be allowed?
>
> regards
>
> christoph
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

home_root_t is the label of /home and potentially other parent directories of user home directories. So if I had my homedirs in /users/dwalsh, /users would be labeled home_root_t and /users/dwalsh would be labeled user_home_dir_t. So searching of home_root_t usually means that a domain is trying to look at something in the home directory. If a domain has no reason to look in the home directory, this could indicate a problem. If I was a cracker and I broke into your machine, I would want to attack home directories to grab secrets like stored passwords and credit card data.

Now that being said, it is fairly easy to generate this type of avc. When you start up a daemon, it often checks out its current working directory, so if you su to root and then "service openvpn restart" you could generate this avc.

Also openvpn might have a legitimate reason to read the user's homedir, and we don't allow it in policy, which could be a bug.

Dan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkeLhSYACgkQrlYvE4MpobPJyACdGB8r+kAkpdtncpn/Hvaltw8Q
N7EAoIoQPbbzcMvhFEJ6ShSrOTaCypF0
=LMrI
-----END PGP SIGNATURE-----
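The triage Dan describes, written out as a small POSIX shell script. This is an added example, not code from the thread, from Dan, or from the openvpn or SELinux projects. It reads auditd-style "type=AVC" lines (the three sample lines below are constructed, not real denials), pulls out the source and target types, and separates the "daemon only searched home_root_t" case that a restart from inside a home directory produces from denials that actually touch a user_home_dir_t or user_home_t object, which deserve a closer look (policy gap or an unexpected access). The category names cwd-probe, homedir-access and other are my own labels, not SELinux terminology.

```shell
#!/bin/sh
# Added example: triage SELinux AVC denials that involve home directory labels.
# SAMPLE_AVCS is constructed sample input in auditd "type=AVC" format, not real logs.
SAMPLE_AVCS='type=AVC msg=audit(1200000000.123:45): avc:  denied  { search } for  pid=1234 comm="openvpn" name="home" dev=sda1 ino=2 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1200000000.456:46): avc:  denied  { read } for  pid=1234 comm="openvpn" name="client.conf" dev=sda1 ino=99 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1200000000.789:47): avc:  denied  { write } for  pid=555 comm="httpd" name="index.html" dev=sda1 ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file'

# avc_field LINE KEY: print the value of "KEY=value" from one AVC record.
avc_field() {
  printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# ctx_type CONTEXT: the type component of user:role:type:level.
ctx_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# classify_avc LINE: one of
#   cwd-probe      - only "search" on home_root_t, the pattern a daemon restarted
#                    from a shell whose cwd is under /home produces
#   homedir-access - anything else on home_root_t, or any access to a
#                    user_home_dir_t / user_home_t object (needs review)
#   other          - not home-related
classify_avc() {
  line=$1
  perm=$(printf '%s\n' "$line" | sed -n 's/.*denied  { \([a-z_ ]*\) }.*/\1/p')
  ttype=$(ctx_type "$(avc_field "$line" tcontext)")
  case "$ttype" in
    home_root_t)
      if [ "$perm" = "search" ]; then echo cwd-probe; else echo homedir-access; fi ;;
    user_home_dir_t|user_home_t) echo homedir-access ;;
    *) echo other ;;
  esac
}

# triage_avcs TEXT: one report line per denial: comm, source type -> target type : class.
triage_avcs() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    case "$line" in *"avc:  denied"*) ;; *) continue ;; esac
    comm=$(avc_field "$line" comm | tr -d '"')
    stype=$(ctx_type "$(avc_field "$line" scontext)")
    ttype=$(ctx_type "$(avc_field "$line" tcontext)")
    printf '%s %s -> %s : %s\n' "$comm" "$stype" "$ttype" "$(classify_avc "$line")"
  done
}

triage_avcs "$SAMPLE_AVCS"
```

On a real system the input would come from the audit log (e.g. piping matching lines from /var/log/audit/audit.log into triage_avcs); a cwd-probe result is the cheap case to confirm first, by checking how the daemon was last started, before anyone reaches for a policy change.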