root's home has a different context than the rest of the users:

# ls -dZ /root
drwxr-x--- root root system_u:object_r:admin_home_t /root

I would do something like this:

policy_module(nx, 0.0.1)

type nx_home_t;
userdom_user_home_content(user, nx_home_t)

HOME_DIR/\.nx(/.*)?    gen_context(system_u:object_r:nx_home_t,s0)
/root/\.nx(/.*)?       gen_context(system_u:object_r:nx_home_t,s0)

and work with this domain instead. Hopefully it will lead you to a nice policy one day :)

Sincerely yours,
Vadym Chepkov

--- On Sun, 2/1/09, Richard Chapman <rchapman@xxxxxxxxxxxxxxx> wrote:

> From: Richard Chapman <rchapman@xxxxxxxxxxxxxxx>
> Subject: Interesting Denials from semodule on Centos 5.2
> To: fedora-selinux-list@xxxxxxxxxx
> Cc: "Daniel J Walsh" <dwalsh@xxxxxxxxxx>
> Date: Sunday, February 1, 2009, 6:37 AM
>
> Hi
>
> I have an interesting denial here - and I think I understand what is
> causing it - but I'm not sure of the best method of resolving it. I have
> pasted the denial below.
>
> What seems to cause it is running the gui "System/Administration/Selinux
> Management" tool - while in a gnome x session in an "nx" session. I'm not
> sure how well known it is - but "nx" is a very good gui remote terminal
> (like vnc but much better imho) running over ssh. Very fast and accurate
> and presumably secure. I use nx to manage the Centos 5.2 server - rather
> than use a physical terminal.
> Every time I start the gui Selinux Management tool I get one of these
> denials. Note that the /root/.nx directory must be a housekeeping
> directory for nx where it keeps session information.
>
> I have run audit2allow on this denial and it suggests this very simple
> policy
> ---------
> module mynx 1.0;
>
> require {
>         type semanage_t;
>         type user_home_t;
>         class file append;
> }
>
> #============= semanage_t ==============
> allow semanage_t user_home_t:file append;
> -------
>
> Is this a good solution - or is it freeing up the wrong thing?
> Does anyone understand why this configuration should cause the denial -
> and can anyone suggest a better solution?
>
> BTW: I have tried the suggested re-labelling - and it didn't help.
>
> Richard.
>
>
> Summary
> SELinux is preventing the semodule from using potentially mislabeled files
> (/root/.nx/C-C5.aardvark.com.au-1001-A809D35DE6DD5692B6DD14987FACDFC9/session).
>
> Detailed Description
> [SELinux is in permissive mode, the operation would have been denied but
> was permitted due to permissive mode.]
>
> SELinux has denied semodule access to potentially mislabeled file(s)
> (/root/.nx/C-C5.aardvark.com.au-1001-A809D35DE6DD5692B6DD14987FACDFC9/session).
> This means that SELinux will not allow semodule to use these files. It is
> common for users to edit files in their home directory or tmp directories
> and then move (mv) them to system directories. The problem is that the
> files end up with the wrong file context which confined applications are
> not allowed to access.
>
> Allowing Access
> If you want semodule to access this files, you need to relabel them using
> restorecon -v
> '/root/.nx/C-C5.aardvark.com.au-1001-A809D35DE6DD5692B6DD14987FACDFC9/session'.
> You might want to relabel the entire directory using
> restorecon -R -v
> '/root/.nx/C-C5.aardvark.com.au-1001-A809D35DE6DD5692B6DD14987FACDFC9'.
>
> Additional Information
>
> Source Context:         system_u:system_r:semanage_t
> Target Context:         user_u:object_r:user_home_t
> Target Objects:         /root/.nx/C-C5.aardvark.com.au-1001-A809D35DE6DD5692B6DD14987FACDFC9/session [ file ]
> Source:                 semodule
> Source Path:            /usr/sbin/semodule
> Port:                   <Unknown>
> Host:                   C5.aardvark.com.au
> Source RPM Packages:    policycoreutils-1.33.12-14.el5
> Target RPM Packages:
> Policy RPM:             selinux-policy-2.4.6-203.el5
> Selinux Enabled:        True
> Policy Type:            targeted
> MLS Enabled:            True
> Enforcing Mode:         Permissive
> Plugin Name:            home_tmp_bad_labels
> Host Name:              C5.aardvark.com.au
> Platform:               Linux C5.aardvark.com.au 2.6.18-92.1.22.el5 #1 SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64
> Alert Count:            3
> First Seen:             Sun Feb 1 15:21:40 2009
> Last Seen:              Sun Feb 1 16:01:16 2009
> Local ID:               31b6bb16-26ba-419d-8057-7bb9eee9708a
> Line Numbers:
>
> Raw Audit Messages :
>
> host=C5.aardvark.com.au type=AVC msg=audit(1233471676.49:19106): avc: denied { append } for pid=25330 comm="semodule" path="/root/.nx/C-C5.aardvark.com.au-1001-A809D35DE6DD5692B6DD14987FACDFC9/session" dev=dm-0 ino=29294826 scontext=system_u:system_r:semanage_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
>
> host=C5.aardvark.com.au type=AVC msg=audit(1233471676.49:19106): avc: denied { append } for pid=25330 comm="semodule" path="/root/.nx/C-C5.aardvark.com.au-1001-A809D35DE6DD5692B6DD14987FACDFC9/session" dev=dm-0 ino=29294826 scontext=system_u:system_r:semanage_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
>
> host=C5.aardvark.com.au type=SYSCALL msg=audit(1233471676.49:19106): arch=c000003e syscall=59 success=yes exit=0 a0=16674410 a1=166747b0 a2=16673660 a3=3 items=0 ppid=25327 pid=25330 auid=102 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1740 comm="semodule" exe="/usr/sbin/semodule" subj=system_u:system_r:semanage_t:s0 key=(null)
>
> host=C5.aardvark.com.au type=SYSCALL msg=audit(1233471676.49:19106): arch=c000003e syscall=59 success=yes exit=0 a0=16674410 a1=166747b0 a2=16673660 a3=3 items=0 ppid=25327 pid=25330 auid=102 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1740 comm="semodule" exe="/usr/sbin/semodule" subj=system_u:system_r:semanage_t:s0 key=(null)
>

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
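An added worked example (written for this page, not code from Vadym's reply or anything posted to the list) that puts the two halves of the thread together in POSIX shell: it writes the nx.te and nx.fc that Vadym sketched into a scratch directory, checks which paths the two file-context regexes would label nx_home_t, and parses the AVC record from Richard's post to show that the target is user_home_t under /root, a label that cannot be right since /root is admin_home_t (the plugin name home_tmp_bad_labels in the alert points at the same thing). The contrast with the audit2allow output is the reason for the dedicated type: allow semanage_t user_home_t:file append would let semanage_t append to every user_home_t file on the system, while nx_home_t confines the change to ~/.nx. Assumptions: HOME_DIR is approximated as /home/[^/]+ for the offline check (the real build expands it from the system's actual home directories), the selinux-policy-devel Makefile lives at /usr/share/selinux/devel/Makefile, and WORKDIR is any writable scratch directory.

```sh
#!/bin/sh
# Added example, not code from the thread: materialise the nx policy module
# sketched in the reply, check which paths its file-context lines would
# label, and parse the AVC record from the original post to show why the
# target is mislabelled. Assumptions are marked where they appear.
set -eu

# Scratch directory for the module sources (assumption: any writable dir).
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Write nx.te and nx.fc exactly as proposed in the reply.
write_nx_module() {
    cat > "$WORKDIR/nx.te" <<'EOF'
policy_module(nx, 0.0.1)

type nx_home_t;
userdom_user_home_content(user, nx_home_t)
EOF
    # /root is listed separately because root's home is admin_home_t and
    # is not covered by HOME_DIR.
    cat > "$WORKDIR/nx.fc" <<'EOF'
HOME_DIR/\.nx(/.*)?    gen_context(system_u:object_r:nx_home_t,s0)
/root/\.nx(/.*)?       gen_context(system_u:object_r:nx_home_t,s0)
EOF
}

# Return 0 if PATH would be labelled nx_home_t by one of the fc lines.
# Assumption: HOME_DIR is approximated as /home/[^/]+ here; the real build
# expands it from the system's home directories.
fc_matches() {
    path="$1"
    set -f   # keep the shell from glob-expanding the regexes
    for re in $(sed -e 's|^HOME_DIR|/home/[^/]+|' -e 's/[[:space:]].*$//' "$WORKDIR/nx.fc"); do
        if printf '%s\n' "$path" | grep -Eq "^${re}\$"; then
            set +f
            return 0
        fi
    done
    set +f
    return 1
}

# Build and load the module, then relabel /root/.nx. Needs root and the
# selinux-policy-devel Makefile (assumed path); otherwise show the commands.
build_and_install_nx() {
    mk=/usr/share/selinux/devel/Makefile
    if [ ! -f "$mk" ] || [ "$(id -u)" -ne 0 ]; then
        echo "would run: (cd $WORKDIR && make -f $mk nx.pp) && semodule -i $WORKDIR/nx.pp && restorecon -R -v /root/.nx"
        return 0
    fi
    (cd "$WORKDIR" && make -f "$mk" nx.pp)
    semodule -i "$WORKDIR/nx.pp"
    restorecon -R -v /root/.nx
}

# The AVC record quoted in the original post (host= prefix dropped).
AVC_LINE='type=AVC msg=audit(1233471676.49:19106): avc: denied { append } for pid=25330 comm="semodule" path="/root/.nx/C-C5.aardvark.com.au-1001-A809D35DE6DD5692B6DD14987FACDFC9/session" dev=dm-0 ino=29294826 scontext=system_u:system_r:semanage_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file'

# Print "<source type> <target type> <class> <path>" for one AVC record.
avc_fields() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext") { split(kv[2], c, ":"); s = c[3] }
            if (kv[1] == "tcontext") { split(kv[2], c, ":"); t = c[3] }
            if (kv[1] == "tclass")   cl = kv[2]
            if (kv[1] == "path")     { p = kv[2]; gsub(/"/, "", p) }
        }
        print s, t, cl, p
    }'
}

# Return 0 when the target is user_home_t but lives under /root: that label
# can only come from mislabelling, since root's home is admin_home_t.
root_home_mislabel() {
    set -- $(avc_fields "$1")
    case "$4" in
        /root/*) [ "$2" = user_home_t ] && return 0 ;;
    esac
    return 1
}

write_nx_module
avc_fields "$AVC_LINE"
root_home_mislabel "$AVC_LINE" && echo "user_home_t under /root: relabel it, do not widen semanage_t"
fc_matches /root/.nx/session && echo "/root/.nx/session -> nx_home_t"
```

Run it on the CentOS box, review WORKDIR/nx.te and nx.fc, then call build_and_install_nx as root; without the devel Makefile it only prints the commands it would run. Loading the module only changes the label: semodule would still be denied append on nx_home_t until a rule for that follows (or until the reason it holds that descriptor at all is fixed; syscall=59 is execve on x86_64, so the open file is most likely inherited from the nx session rather than opened by semodule), which is the follow-up policy work Vadym's "work with this domain" refers to.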