On 11/13/2009 07:32 PM, Matthew Ife wrote:
> This might just be me being daft in some sense but I have come across
> the following situation and was hoping someone could shed light on it.
>
> Part of setting up Kerberos involves creating a principal database with
> the kdb5_util command.
>
> When you set up the database (typically as unconfined_t on a default
> installation) it puts various files in:
> /var/kerberos/krb5kdc
> of which include the principal database itself and various controls such
> as a lock file.
>
> This folder gets the context krb5kdc_conf_t and a few file contexts
> exist in the fcontext database to manage the additional creation of
> files inside, one of which is the principal.ok file which is used as a
> lock file.
>
> When creating the lock file with the command above it should get the
> label (according to fcontexts) of krb5kdc_lock_t as a regex exists such
> as:
> /var/kerberos/krb5kdc/principal.*\.ok system_u:object_r:krb5kdc_lock_t
>
> But, the file gets the parent directory context of conf_t. Likewise,
> removing the lock file manually and touching the file again also
> demonstrates the same behavior. If you then run restorecon/fixfiles on
> the directory it will correctly reset the file to the right location.
>
> I've checked with strace to see if something strange happens (if the
> principal.ok file gets created as a temp name then moved) but there is
> no such behaviour. Thus I'm stuck in understanding what's going on. Why
> does default filesystem labelling give the file conf_t and restorecon
> give it the (correct) lock_t?
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>

I wrote a blog a long time ago explaining how files get their labels.

http://danwalsh.livejournal.com/2639.html

The problem here is that kdb5_util would need to have SELinux awareness
in order to create the files with the correct context.

Kerberos libraries have this awareness built into them in Fedora, but I
guess this tool does not. You should open a bugzilla on it.
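The two labelling paths the thread contrasts, as an added illustration that is not part of the mailing-list exchange and not code from libselinux, the kerberos policy module or Dan Walsh's blog. It simulates what the kernel does at create time (inherit the parent directory's type unless a type_transition rule says otherwise, with file_contexts never consulted) next to what restorecon, matchpathcon and an SELinux-aware program asking selabel_lookup() see (anchored regexes, optional file-type field, last matching entry wins, which is libselinux's rule for the file backend as I understand it). Assumptions: only the principal.*\.ok line is quoted on the page; the other two file_contexts entries, the empty type_transition table and the function names are constructed for the example.

```python
import re
import stat
from dataclasses import dataclass
from typing import Optional

# file_contexts type field -> the st_mode file type that entry is restricted to
TYPE_FIELDS = {
    "--": stat.S_IFREG, "-d": stat.S_IFDIR, "-l": stat.S_IFLNK, "-p": stat.S_IFIFO,
    "-s": stat.S_IFSOCK, "-c": stat.S_IFCHR, "-b": stat.S_IFBLK,
}


@dataclass(frozen=True)
class Spec:
    regex: re.Pattern
    mode: Optional[int]      # None = applies to every kind of object
    context: str


def parse_file_contexts(text: str) -> list:
    """Parse file_contexts lines of the form: <regex> [<type field>] <context>."""
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) == 3:
            path_re, type_field, ctx = fields
            mode = TYPE_FIELDS[type_field]
        elif len(fields) == 2:
            path_re, ctx = fields
            mode = None
        else:
            raise ValueError(f"malformed file_contexts line: {raw!r}")
        # libselinux anchors every regex at both ends before matching
        specs.append(Spec(re.compile("^" + path_re + "$"), mode, ctx))
    return specs


# Constructed sample file_contexts. Only the principal.*\.ok line is quoted in
# the thread; the other two entries are assumptions written to resemble the
# kerberos module. More specific entries sort last, as fc_sort arranges them.
FILE_CONTEXTS = r"""
/var/kerberos/krb5kdc(/.*)?                     system_u:object_r:krb5kdc_conf_t
/var/kerberos/krb5kdc/principal.*\.ok           system_u:object_r:krb5kdc_lock_t
/var/kerberos/krb5kdc/principal\.kadm5\.lock -- system_u:object_r:krb5kdc_lock_t
"""
SPECS = parse_file_contexts(FILE_CONTEXTS)


def selabel_lookup(specs, path: str, mode: int) -> Optional[str]:
    """What restorecon/matchpathcon ask libselinux: the last matching entry wins,
    and an entry with a type field only applies to objects of that type."""
    for spec in reversed(specs):
        if spec.mode is not None and spec.mode != stat.S_IFMT(mode):
            continue
        if spec.regex.match(path):
            return spec.context
    return None                      # no entry matches (selabel_lookup -> ENOENT)


def type_of(context: str) -> str:
    return context.split(":")[2]


def kernel_default_type(creator_domain: str, parent_type: str, type_transitions: dict) -> str:
    """Type the kernel assigns at open(O_CREAT): the policy's type_transition for
    this (domain, parent type) pair if there is one, else the parent's own type.
    file_contexts plays no part in this decision."""
    return type_transitions.get((creator_domain, parent_type), parent_type)


def new_file_type(path, creator_domain, parent_type, type_transitions, specs, selinux_aware):
    """Type a freshly created regular file ends up with."""
    if selinux_aware:
        # An aware program calls selabel_lookup() and then setfscreatecon() before
        # creating the file, so the kernel applies the looked-up context instead.
        ctx = selabel_lookup(specs, path, stat.S_IFREG)
        if ctx is not None:
            return type_of(ctx)
    return kernel_default_type(creator_domain, parent_type, type_transitions)


# Constructed: the behaviour reported in the thread implies no type_transition
# rule for unconfined_t creating files inside krb5kdc_conf_t directories.
TYPE_TRANSITIONS = {}

if __name__ == "__main__":
    lock = "/var/kerberos/krb5kdc/principal.ok"
    for aware in (False, True):
        t = new_file_type(lock, "unconfined_t", "krb5kdc_conf_t", TYPE_TRANSITIONS, SPECS, aware)
        print(f"kdb5_util {'with' if aware else 'without'} SELinux awareness -> {t}")
    print("restorecon would relabel to ->", type_of(selabel_lookup(SPECS, lock, stat.S_IFREG)))
```

Run as a script it prints krb5kdc_conf_t for the unaware tool and krb5kdc_lock_t for the aware one and for restorecon, which is the mismatch described above. On a real host the same comparison is `ls -Z` on the file against `matchpathcon` on its path, and `restorecon -v` reports exactly the files where the two disagree.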