Why do matchpathcon and restorecon ignore the user context by default?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi,

I have just lost several hours trying to figure out why I was unable
to deploy a file from a configuration channel in our satellite server
to a RHEL6 box while it deployed perfectly to a RHEL5 box.

I finally tracked it down to the fact that the user context was set to
unconfined_u while the rest of the context was set correctly.

On RHEL5 rhncfg-client get worked flawlessly and deployed the file
with a *different* user context (system_u) without complaining.
On RHEL6 chncfg-client crashed complaining about the SElinux context -
which differed only in the user context.

Here's what I found (I also posted this as a follow up on the
rhn-satellite mailing list):

I see some very strange behaviour of SELinux on this RHEL6 box.

on RHEL5 the following works as expected:

The default SELinux security context for /etc/sssd/sssd.conf is:
[mertensb@testadintegration01 ~]$ sudo  /usr/sbin/matchpathcon
/etc/sssd/sssd.conf
/etc/sssd/sssd.conf     system_u:object_r:etc_t

Which is also what is currently applied:
[mertensb@testadintegration01 ~]$ sudo ls -lZ /etc/sssd/sssd.conf
-rw-------  root root system_u:object_r:etc_t          /etc/sssd/sssd.conf

So matchpathcon is able to verify the context.
[mertensb@testadintegration01 ~]$ sudo  /usr/sbin/matchpathcon -V
/etc/sssd/sssd.conf
/etc/sssd/sssd.conf verified.

Testing a randomn other file to verify that matchpathcon works:
[mertensb@testadintegration01 ~]$ touch /tmp/proftpd
[mertensb@testadintegration01 ~]$ sudo ls -lZ /tmp/proftpd
-rw-rw-r--  mertensb mertensb user_u:object_r:tmp_t            /tmp/proftpd
[mertensb@testadintegration01 ~]$ sudo mv /tmp/proftpd /etc/cron.monthly/proftpd
[mertensb@testadintegration01 ~]$ sudo ls -lZ /etc/cron.monthly/proftpd
-rw-rw-r--  mertensb mertensb user_u:object_r:tmp_t
/etc/cron.monthly/proftpd
[mertensb@testadintegration01 ~]$ sudo /usr/sbin/matchpathcon
/etc/cron.monthly/proftpd
/etc/cron.monthly/proftpd       system_u:object_r:ftpd_exec_t
[mertensb@testadintegration01 ~]$ sudo /usr/sbin/matchpathcon -V
/etc/cron.monthly/proftpd
/etc/cron.monthly/proftpd has context user_u:object_r:tmp_t, should be
system_u:object_r:ftpd_exec_t

But on the RHEL6 machine I get:
[mertensb@defrltot002 ~]$ sudo ls -lZ  /etc/sssd/sssd.conf
-rw-------. root root unconfined_u:object_r:etc_t:s0   /etc/sssd/sssd.conf
[mertensb@defrltot002 ~]$ sudo  /usr/sbin/matchpathcon  /etc/sssd/sssd.conf
/etc/sssd/sssd.conf     system_u:object_r:etc_t:s0
[mertensb@defrltot002 ~]$ sudo  /usr/sbin/matchpathcon -V /etc/sssd/sssd.conf
/etc/sssd/sssd.conf verified.

Repeating my test of matchpathcon:
[mertensb@defrltot002 ~]$ touch /tmp/proftpd
[mertensb@defrltot002 ~]$ sudo mv /tmp/proftpd /etc/cron.monthly/proftpd
[mertensb@defrltot002 ~]$ sudo ls -lZ /etc/cron.monthly/proftpd
-rw-r--r--. mertensb ISOP unconfined_u:object_r:user_
tmp_t:s0
/etc/cron.monthly/proftpd
[mertensb@defrltot002 ~]$ sudo /usr/sbin/matchpathcon /etc/cron.monthly/proftpd
/etc/cron.monthly/proftpd       system_u:object_r:ftpd_exec_t:s0
[mertensb@defrltot002 ~]$ sudo /usr/sbin/matchpathcon -V
/etc/cron.monthly/proftpd
/etc/cron.monthly/proftpd has context
unconfined_u:object_r:user_tmp_t:s0, should be
system_u:object_r:ftpd_exec_t:s0

Both have the same sssd SELinux policy loaded:
RHEL5:
[mertensb@testadintegration01 ~]$ sudo /usr/sbin/semodule -l|grep sssd
sssd    1.0.2
RHEL6:
[mertensb@defrltot002 ~]$ sudo /usr/sbin/semodule -l|grep sssd
sssd    1.0.2

Digging further I found out that if only the user context is different
matchpathcon returns OK.
See http://manpages.ubuntu.com/manpages/karmic/man3/matchpathcon.3.html

I also found a post on this list indicating that restorecon has a
forece option to make it set the user context which it doesn't do by
default: http://fedora.12.x6.nabble.com/restorecon-isn-t-restoring-what-matchpathcon-shows-td2645478.html

So why isn't the user context set/reset by default?
After all it clearly leaves the system in a broken state.

And why doesn't matchpathcon have a similar force option to make it
check the entire context?

Thanks in advance.

Bram Mertens
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux





[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux