> From: Trevor Hemsley
> Sent: 23 January 2012 16:40
> Daniel J Walsh wrote:
> > On 01/23/2012 11:19 AM, Dominick Grift wrote:
> > > On Mon, 2012-01-23 at 15:57 +0000, Moray Henderson wrote:
> > >> Hi
> > >>
> > >> On CentOS 5.6, I have just noticed that if a process running
> > >> under context initrc_t creates a file or directory within a
> > >> user's home directory, that object gets user_home_dir_t.
> > >>
> > >> If an unconfined_t process does the same thing, they correctly
> > >> get user_home_t.
> > >>
> > >> Was this a bug or a feature?
> > >>
> > >> selinux-policy-2.4.6-300.el5_6.1
> > >> selinux-policy-targeted-2.4.6-300.el5_6.1
> > >>
> > >>
> > >> Moray. "To err is human; to purr, feline."
> > > I guess that depends on how you look at it, but compared to recent
> > > fedora policy I guess you could consider this to be a bug.
> > >
> > This is supported in Fedora 16:
> >
> > > # sesearch --allow -s initrc_t -t user_home_dir_t -T | grep user_home_t
> > > type_transition initrc_t user_home_dir_t : file user_home_t;
> > > type_transition initrc_t user_home_dir_t : dir user_home_t;
> > > type_transition initrc_t user_home_dir_t : lnk_file user_home_t;
> > > type_transition initrc_t user_home_dir_t : sock_file user_home_t;
> > > type_transition initrc_t user_home_dir_t : fifo_file user_home_t;
> >
> > Yes, I would say it is a bug, since the goal of initrc_t is to work
> > properly as an unconfined domain. Therefore it should create content
> > in the user's homedir with as close to the "right" context as possible.
> > Not sure what process you have running as initrc_t that is creating
> > content in the user's homedir. user_home_dir_t should only be the
> > label of the top level directory of a user's homedir.
> I reported a similar problem on 19/02/2011 with a mail
> "recently-used.xbel wrong context". I hadn't managed to narrow it down
> to files created by initrc_t processes.

I'd forgotten the sesearch(1) command (haven't been in SELinux for a while).
When I saw that my custom daemon was running in initrc_t, I used "runcon -t initrc_t bash" (had to look that one up too) to give myself an initrc_t shell to try things out and compare to my normal unconfined_t shell.

Moray. "To err is human; to purr, feline."

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
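The check the thread converges on, written out as an added example (not code from the thread, from Fedora policy or from CentOS): take the sesearch type-transition listing for initrc_t in user_home_dir_t, report which of the five object classes in the Fedora 16 output have no transition to user_home_t, and generate a local policy module that adds the missing ones. The module name initrc_homedir, the sesearch output format (setools 3 prints "t : file", setools 4 prints "t:file"; both are matched) and the sample sesearch lines fed to the function are all assumptions made here. The module only adds a type_transition; it relies on initrc_t already holding the create permissions, which it does as a near-unconfined domain, and it is deliberately a raw rule rather than a userdom_* interface call because the interface set available in a 2.4.6-era policy is not something this thread establishes.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread. Assumes the sesearch
# output format of setools 3 ("... user_home_dir_t : file user_home_t;") or
# setools 4 ("... user_home_dir_t:file user_home_t;"); both are matched.

# Object classes covered by the Fedora 16 rules quoted in the thread.
CLASSES="dir file lnk_file sock_file fifo_file"

# Read sesearch output from the file named in $1 and print, one per line, the
# classes for which no initrc_t / user_home_dir_t -> user_home_t transition
# exists.  On a live system generate the input with:
#   sesearch -T -s initrc_t -t user_home_dir_t > sesearch.out
missing_transitions() {
    for cls in $CLASSES; do
        if ! grep -Eq "type_transition initrc_t user_home_dir_t *: *$cls user_home_t" "$1"; then
            echo "$cls"
        fi
    done
}

# Write a minimal local policy module to $1 adding the transition for the
# classes listed (space separated) in $2.  Build and load it with:
#   make -f /usr/share/selinux/devel/Makefile initrc_homedir.pp
#   semodule -i initrc_homedir.pp
# (module name initrc_homedir is an assumption of this example).
emit_fix_module() {
    out=$1
    classes=$2
    cat > "$out" <<EOF
policy_module(initrc_homedir, 1.0)

require {
	type initrc_t;
	type user_home_dir_t;
	type user_home_t;
}

# Objects initrc_t creates directly under a home directory get user_home_t
# instead of inheriting the parent's user_home_dir_t, which should label
# only the top-level home directory itself.
type_transition initrc_t user_home_dir_t : { $classes } user_home_t;
EOF
}

# Constructed sample (not real sesearch output): a policy that transitions
# only dir and file, so the three remaining classes should be reported.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
type_transition initrc_t user_home_dir_t : dir user_home_t;
type_transition initrc_t user_home_dir_t : file user_home_t;
EOF

MISSING=$(missing_transitions "$SAMPLE" | tr '\n' ' ' | sed 's/ *$//')
echo "classes without a transition: ${MISSING:-none}"
if [ -n "$MISSING" ]; then
    emit_fix_module initrc_homedir.te "$MISSING"
    echo "wrote initrc_homedir.te"
fi
rm -f "$SAMPLE"
```

Run the first function against real sesearch output before building the module: if the base policy already carries a type_transition for the same source, target and class but a different result type, semodule refuses the module with a conflicting-rule error, and the only fix is a policy update, not a local module.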