On 02/05/2014 02:03 AM, Jayson Hurst wrote:
> If my daemon creates a file in /tmp which is labelled with my domain's tmp
> file context as follows:
>
> -rw-------. 1001 1000 unconfined_u:object_r:qasd_tmp_t:s0 /tmp/krb5cc_1001
>
> other daemons such as sshd (which use Kerberos) will need access to this
> file as well. Is there a way to grant that access from my policy without
> having to specify an exact allow rule for sshd?
>
> I am seeing audit messages about this from audit2why.
>
> type=AVC msg=audit(1391534896.381:2642): avc: denied { getattr } for
> pid=2070 comm="sshd" path="/tmp/krb5cc_1001" dev=dm-0 ino=281219
> scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
> tcontext=unconfined_u:object_r:qasd_tmp_t:s0 tclass=file
>
> audit2allow gives me the following allow rule:
>
> allow sshd_t qasd_tmp_t:file { getattr unlink };
>
> But I don't want to create specific allow rules like this if I can help it.

Well, you really want this content to probably be labeled user_tmp_t. One problem I see is that you are creating content in /tmp with a well-known name, which can be dangerous. In Fedora we are putting this type of content under /run/user/UID rather than in /tmp.

You could make a call like setfscreatecon("system_u:object_r:user_tmp_t:s0") before creating the content. A file name transition rule would work, but I recommend that you do not create a guessable name in /tmp.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
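The approach the reply recommends, as an added example that is not part of the thread and not code from Fedora, sshd or the poster's daemon: label the credential cache user_tmp_t for the create, put it under /run/user/UID instead of /tmp, and give it an unguessable name opened with O_CREAT|O_EXCL|O_NOFOLLOW so a pre-planted file or symlink is refused rather than followed. It assumes libselinux is not linked in: setfscreatecon(3) is the supported call, and what it does is write the context to the thread's fscreate attribute in /proc, which the example writes directly so that it builds without the library. The directory layout, the random suffix, the function names and the selftest() scratch directory are this example's own choices.

```c
/* Added example (not from the thread): create a per-user credential cache
 * the way the reply suggests.  Build with: cc -o credcache credcache.c */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define USER_TMP_CONTEXT "system_u:object_r:user_tmp_t:s0"

/* What setfscreatecon(3) does underneath: the context written to the thread's
 * fscreate attribute is applied to the next file the thread creates.  Real code
 * should call setfscreatecon() from libselinux; procfs is written directly here
 * only so the example builds without it.  NULL resets to the default label.
 * Returns 0, or -1 with errno set (EINVAL/ENOENT when SELinux is not active). */
static int set_fscreate_context(const char *ctx)
{
    int fd = open("/proc/thread-self/attr/fscreate", O_WRONLY | O_CLOEXEC);
    if (fd < 0)
        fd = open("/proc/self/attr/fscreate", O_WRONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    ssize_t n = ctx ? write(fd, ctx, strlen(ctx)) : write(fd, NULL, 0);
    int saved = errno;
    close(fd);
    errno = saved;
    return n < 0 ? -1 : 0;
}

/* Per-user runtime directory Fedora uses instead of /tmp. */
int runtime_dir(uid_t uid, char *buf, size_t len)
{
    int n = snprintf(buf, len, "/run/user/%u", (unsigned)uid);
    return (n > 0 && (size_t)n < len) ? 0 : -1;
}

/* Create `path` only if nothing is there yet: O_EXCL refuses a planted file,
 * O_NOFOLLOW is belt-and-braces against a planted symlink, 0600 keeps other
 * users out.  Returns the fd, or -1 with errno EEXIST when something was there. */
int open_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
}

/* Fill `hex` with 2*nbytes random hex digits (plus NUL) from /dev/urandom. */
static int random_hex(char *hex, size_t nbytes)
{
    unsigned char raw[16];
    if (nbytes > sizeof raw) return -1;
    int fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    ssize_t n = read(fd, raw, nbytes);
    close(fd);
    if (n != (ssize_t)nbytes) return -1;
    for (size_t i = 0; i < nbytes; i++)
        sprintf(hex + 2 * i, "%02x", raw[i]);
    return 0;
}

/* Create "<dir>/krb5cc_<uid>_<random>" labelled `label` (NULL: whatever the
 * directory's default is).  Returns the fd and stores the path in `out`, or
 * -1 with errno set.  A label that cannot be set is fatal unless the error
 * says SELinux is simply not available on this kernel. */
int create_cred_cache(const char *dir, uid_t uid, const char *label,
                      char *out, size_t outlen)
{
    char suffix[17];
    int fd = -1;
    if (label && set_fscreate_context(label) < 0 &&
        errno != EINVAL && errno != ENOENT)
        return -1;
    for (int attempt = 0; attempt < 8 && fd < 0; attempt++) {
        if (random_hex(suffix, 8) < 0) break;
        int n = snprintf(out, outlen, "%s/krb5cc_%u_%s", dir, (unsigned)uid, suffix);
        if (n < 0 || (size_t)n >= outlen) { errno = ENAMETOOLONG; break; }
        fd = open_exclusive(out);
        if (fd < 0 && errno != EEXIST) break;   /* retry only on a name clash */
    }
    int saved = errno;
    if (label) set_fscreate_context(NULL);      /* never leave the label armed */
    errno = saved;
    return fd;
}

/* Self-check that needs no SELinux: scratch directory under /tmp, a planted
 * symlink with a fixed name that open_exclusive() must refuse, then a real
 * cache file whose mode and location are verified.  Returns 0 on success. */
int selftest(void)
{
    char dir[] = "/tmp/credcache-XXXXXX", rd[64], path[4096], link[4096];
    struct stat st;
    if (runtime_dir(1001, rd, sizeof rd) < 0 || strcmp(rd, "/run/user/1001")) return 1;
    if (!mkdtemp(dir)) return 2;
    snprintf(link, sizeof link, "%s/krb5cc_planted", dir);
    if (symlink("/etc/passwd", link) < 0) return 3;
    int fd = open_exclusive(link);
    if (fd >= 0 || (errno != EEXIST && errno != ELOOP)) return 4;
    fd = create_cred_cache(dir, getuid(), NULL, path, sizeof path);
    if (fd < 0) return 5;
    if (fstat(fd, &st) < 0 || (st.st_mode & 07777) != 0600) return 6;
    close(fd);
    int ok = strncmp(path, dir, strlen(dir)) == 0 && strstr(path, "/krb5cc_") != NULL;
    unlink(path); unlink(link); rmdir(dir);
    return ok ? 0 : 7;
}

int main(void)
{
    char dir[64], path[4096];
    if (runtime_dir(getuid(), dir, sizeof dir) < 0) return 1;
    int fd = create_cred_cache(dir, getuid(), USER_TMP_CONTEXT, path, sizeof path);
    if (fd < 0) { perror(dir); return 1; }
    printf("created %s\n", path);
    close(fd);
    return 0;
}
```

On an SELinux host the file comes out as user_tmp_t, so sshd's existing rules for user_tmp_t apply and no `allow sshd_t qasd_tmp_t` rule is needed; `ls -Z` on the created path confirms the label. The daemon's domain must hold the `process setfscreate` permission for the context write to succeed, and the random name means a file name transition rule would no longer match, which is the trade-off the reply points at.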