Eric Paris wrote:
> On Tue, 2008-10-07 at 12:21 -0700, Richard Troy wrote:
>
>> So, the more immediate problem: On a Fedora host, a "C" based program that
>> launches all the server functionality (including archiving) has its suid
>> bit set (and gid, too) so it runs as the server installation's owner. It's
>> actually pretty smart by validating its environment hasn't been hacked,
>> etc, and then gets to business. This code has somehow broken during a
>> couple of upgrades of Fedora - I didn't notice it at first because as the
>> developer, I always run it as the development installation's owner and as
>> a fluke apparently others haven't experienced this problem or haven't
>> reported it. Recently, however, someone else went to play with it and it
>> refused. Some simple checks indicated that the SUID bit wasn't being
>> honored. The system has SELINUX installed but disabled - the kernel is
>> 2.6.21-1.3194.fc7. It's trivially easy to prove the suid bit is ignored
>> but _why?_
>
> fs mounted with nosuid? this is not an selinux'ism....
>
>> The less immediate issue is really a quest for pointers to the most
>> appropriate source packages so I can see how other programs solve similar
>> SELINUX related issues. Ideally, this code can both archive and restore
>> any file on the system. In addition, it currently - ignoring SELINUX for a
>> moment - tracks all meta-data changes - ownership and permissions, the
>> various dates associated with a file, etc, in addition to file data, so it
>> has the handy trait of both providing an audit trail and an ability to
>> restore data or meta-data as needed. As such it needs to be able to
>> discover what the security context details are so it can record them, in
>> addition to the obvious need to update SELINUX security details on a per
>> file basis.... I don't even know how to do that from the command line,
>> much less write a program to do it! ...However, I'm sure somewhere these
>> things have been already addressed, such as with tar, etc.
>
> rsync I think was the first package to do this. tar now has selinux
> label capabilities. you can either get at it through the libselinux
> interfaces or directly use get/setxattr looking at the security.selinux
> namespace. Assuming your program runs unconfined (as most things do by
> default if you don't write policy for them) selinux shouldn't be getting
> in your way of this type of operation.....
>
> I don't think libselinux has much in the way of docs other than grabbing
> the code and looking at what interfaces it provides...
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

You probably want to look at the following SELinux functions.

man getfilecon
man setfilecon
man setfscreatecon

# ls -lZ FILE
Will list the file context

# chcon CONTEXT FILE
Will change the context.

# restorecon FILE
Will ask the system what it should be labeled and make it so.
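The xattr route Eric Paris mentions, next to the getfilecon/setfilecon calls listed in the reply, as an added example (not code from this thread or from libselinux): it reads and rewrites the security.selinux attribute directly with lgetxattr/lsetxattr, which is what an archiver needs to record and restore labels. The helper names, the buffer size and the sample contexts are assumptions made for the illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/xattr.h>

#define SELINUX_XATTR "security.selinux"

/* Read the label of path itself (symlinks not followed) into buf. Returns 1
 * on success, 0 if there is no label or no xattr support, -1 on other errors. */
int read_label(const char *path, char *buf, size_t buflen)
{
    ssize_t n = lgetxattr(path, SELINUX_XATTR, buf, buflen - 1);
    if (n < 0)
        return (errno == ENODATA || errno == ENOTSUP) ? 0 : -1;
    buf[n] = '\0';              /* terminate even if the stored value is not */
    return 1;
}

/* Write a recorded label back; the value is stored with its trailing NUL. */
int write_label(const char *path, const char *label)
{
    return lsetxattr(path, SELINUX_XATTR, label, strlen(label) + 1, 0);
}

/* Split "user:role:type[:level]" in place. The level may contain ':' itself
 * (e.g. "s0:c0.c1023"). Returns 3 or 4 fields, or -1 if malformed. */
int split_context(char *ctx, char *field[4])
{
    field[3] = NULL;
    for (int i = 0; i < 3; i++) {
        char *colon = strchr(ctx, ':');
        field[i] = ctx;
        if (!colon)
            return (i == 2 && *ctx) ? 3 : -1;
        *colon = '\0';
        ctx = colon + 1;
    }
    field[3] = ctx;
    return 4;
}

int main(int argc, char **argv)
{
    char label[256];
    if (argc == 2 && read_label(argv[1], label, sizeof label) == 1)
        puts(label);
    return 0;
}
```

Writing the attribute is subject to file ownership and, when SELinux is enabled, to policy, so a restore tool should report a failed write_label rather than ignore it.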