-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/12/2014 01:57 PM, Jayson Hurst wrote:
> It's running as: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>
> But now that I see that I understand what is happening. I am testing this
> on an older version of the product and in that version the create script is
> actually run by the service making the authentication request. So in my
> test case, su or ssh.
>
> If I wanted to make this work for the older version (the newer version the
> script is launched by the daemon) what do I need to do, or what can I do?
>
You have to get the daemon running as the type, by transitioning from the
init system, or from unconfined_t. It sounds to me like you have the daemon
running outside of the initscript and run by unconfined_t, which will not do
the transition.

>> Date: Wed, 12 Feb 2014 13:44:06 -0500
>> From: dwalsh@xxxxxxxxxx
>> To: swazup@xxxxxxxxxxx; selinux@xxxxxxxxxxxxxxxxxxxxxxx
>> Subject: Re: What is the correct way to create a users home dir
>>
> On 02/12/2014 01:31 PM, Jayson Hurst wrote:
>> Same results:
>
>> # ls -laZ
>> drwxr-xr-x. root root system_u:object_r:home_root_t:s0 .
>> dr-xr-xr-x. root root system_u:object_r:root_t:s0 ..
>
>> # ssh tu-1@localhost
>> tu-1@localhost's password:
>
>> -sh-4.1$ ls -laZ
>> drwx------. tu-1 UnixGroup system_u:object_r:home_root_t:s0 .
>> drwxr-xr-x. root root system_u:object_r:home_root_t:s0 ..
>> -rw-r--r--. tu-1 UnixGroup system_u:object_r:home_root_t:s0 .bash_logout
>> -rw-r--r--. tu-1 UnixGroup system_u:object_r:home_root_t:s0 .bash_profile
>> -rw-r--r--. tu-1 UnixGroup system_u:object_r:home_root_t:s0 .bashrc
>> drwxr-xr-x. tu-1 UnixGroup system_u:object_r:home_root_t:s0 .gnome2
>> drwxr-xr-x. tu-1 UnixGroup system_u:object_r:home_root_t:s0 .mozilla
>> -rw-------. tu-1 UnixGroup unconfined_u:object_r:home_root_t:s0 .vas_disauthcc_100001
>> -rw-r--r--. tu-1 UnixGroup system_u:object_r:home_root_t:s0 .vas_logon_server
>> -sh-4.1$ exit
>> logout
>> Connection to localhost closed.
>
>> # ls -laZ
>> drwxr-xr-x. root root system_u:object_r:home_root_t:s0 .
>> dr-xr-xr-x. root root system_u:object_r:root_t:s0 ..
>> drwx------. tu-1 UnixGroup system_u:object_r:home_root_t:s0 tu-1
>
>> Does the home directory creation script have to be labelled any
>> particular type? The main daemon is running as type qasd_t and the binary
>> is labelled as qasd_exec_t; the script is labelled as qasd_bin_t. I am
>> not sure if this matters.
>
>> unconfined_u:system_r:qasd_t:s0 root 4321 1 0 Feb11 ? 00:00:12 /opt/quest/sbin/.vasd -p /var/opt/quest/vas/vasd/.vasd.pid
>> unconfined_u:system_r:qasd_t:s0 daemon 4333 4321 0 Feb11 ? 00:00:23 /opt/quest/sbin/.vasd -p /var/opt/quest/vas/vasd/.vasd.pid
>
>> The script that creates the directory is doing nothing special, just a
>> mkdir /home/$username, sets the user as the owner and changes
>> permissions and then copies over the skel files.
>
>
>>> Date: Wed, 12 Feb 2014 13:12:58 -0500
>>> From: dwalsh@xxxxxxxxxx
>>> To: swazup@xxxxxxxxxxx; selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>> Subject: Re: What is the correct way to create a users home dir
>
>> On 02/12/2014 01:05 PM, Jayson Hurst wrote:
>>> l# sesearch -T -s qasd_t -c dir
>>> Found 5 semantic te rules:
>>>    type_member qasd_t user_home_dir_t : dir user_home_dir_t;
>>>    type_transition qasd_t user_home_dir_t : dir user_home_t;
>>>    type_transition qasd_t var_auth_t : dir qasd_var_auth_t;
>>>    type_transition qasd_t etc_t : dir qasd_conf_t;
>>>    type_transition qasd_t home_root_t : dir user_home_dir_t;
>
>
>> Could you test again?
>
>
> I wonder if the script is actually running as qasd_t; could you run id -Z
> within the script to write its label to a file?
>
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlL72yAACgkQrlYvE4MpobNzpgCgsffh5NtIGKLQtjt88XQJ29st
YxQAn3dtY5ToAIi8RM/wO6fl3IGuJ/JV
=SyuJ
-----END PGP SIGNATURE-----
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
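The mechanism behind Dan's answer, as an added example that is not part of the thread and not code from the product or the policy: the type_transition rules in Jayson's sesearch output only fire when the creating process is in the source domain (qasd_t); when no rule matches, a new directory simply inherits its parent's type, which is how /home/tu-1 ends up as home_root_t. The script below is a small model of that default-labelling rule fed with the contexts and the four type_transition rules quoted in the thread (the type_member rule is left out because it governs polyinstantiated directory members, not default labelling), and it also scans the pasted `ls -laZ` output for entries that kept the parent's type. The rule table holds only what the thread shows, so it is a reasoning aid, not a policy query; function names and the audit logic are mine.

```python
"""Constructed example: model of how SELinux labels a newly created object,
applied to the contexts quoted in this thread. Only the four type_transition
rules from the pasted sesearch output are known to the model; on a live
system, query the policy with sesearch and check the creator with id -Z."""
import re

# type_transition rules quoted in the thread ("sesearch -T -s qasd_t -c dir").
# key: (creating domain, parent directory type, object class) -> type of new object
TYPE_TRANSITIONS = {
    ("qasd_t", "user_home_dir_t", "dir"): "user_home_t",
    ("qasd_t", "var_auth_t", "dir"): "qasd_var_auth_t",
    ("qasd_t", "etc_t", "dir"): "qasd_conf_t",
    ("qasd_t", "home_root_t", "dir"): "user_home_dir_t",
}

# Contexts quoted in the thread.
DAEMON_CTX = "unconfined_u:system_r:qasd_t:s0"                       # .vasd in ps
SHELL_CTX = "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"  # Jayson's test shell
HOME_ROOT_CTX = "system_u:object_r:home_root_t:s0"                   # /home


def parse_context(ctx):
    """Split user:role:type:range; the MLS range may itself contain ':'."""
    user, role, type_, *rest = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_, "range": rest[0] if rest else "s0"}


def label_for_new_object(creator_ctx, parent_ctx, obj_class="dir", rules=TYPE_TRANSITIONS):
    """Context a newly created object receives: the SELinux user comes from the
    creating process, the role is object_r, the type comes from a matching
    type_transition rule or, when none matches, is inherited from the parent,
    and the level is the creator's low level."""
    creator = parse_context(creator_ctx)
    parent = parse_context(parent_ctx)
    new_type = rules.get((creator["type"], parent["type"], obj_class), parent["type"])
    level = creator["range"].split("-")[0]
    return f"{creator['user']}:object_r:{new_type}:{level}"


def predict_home_dir(creator_ctx):
    """Label that 'mkdir /home/$username' gives the new home directory."""
    return label_for_new_object(creator_ctx, HOME_ROOT_CTX, "dir")


# "ls -laZ" lines as pasted from inside /home/tu-1 in the thread (constructed input).
HOME_LISTING = """\
drwx------. tu-1 UnixGroup system_u:object_r:home_root_t:s0 .
drwxr-xr-x. root root system_u:object_r:home_root_t:s0 ..
-rw-r--r--. tu-1 UnixGroup system_u:object_r:home_root_t:s0 .bash_logout
-rw-r--r--. tu-1 UnixGroup system_u:object_r:home_root_t:s0 .bash_profile
-rw-r--r--. tu-1 UnixGroup system_u:object_r:home_root_t:s0 .bashrc
drwxr-xr-x. tu-1 UnixGroup system_u:object_r:home_root_t:s0 .gnome2
drwxr-xr-x. tu-1 UnixGroup system_u:object_r:home_root_t:s0 .mozilla
-rw-------. tu-1 UnixGroup unconfined_u:object_r:home_root_t:s0 .vas_disauthcc_100001
-rw-r--r--. tu-1 UnixGroup system_u:object_r:home_root_t:s0 .vas_logon_server
"""

# mode owner group context name, the column layout of ls -laZ in the thread
LS_Z_LINE = re.compile(r"^(?P<mode>\S+)\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+(?P<ctx>\S+)\s+(?P<name>.+)$")


def audit_home_listing(listing, parent_type="home_root_t"):
    """Return (name, selinux_user, type) for every entry that still carries the
    parent's type, i.e. whose creation did not go through a type_transition."""
    findings = []
    for line in listing.strip().splitlines():
        m = LS_Z_LINE.match(line.strip())
        if not m or m["name"] == "..":   # ".." is /home itself and is legitimately home_root_t
            continue
        ctx = parse_context(m["ctx"])
        if ctx["type"] == parent_type:
            findings.append((m["name"], ctx["user"], ctx["type"]))
    return findings


if __name__ == "__main__":
    print("daemon (qasd_t) creates /home/tu-1  :", predict_home_dir(DAEMON_CTX))
    print("unconfined shell creates /home/tu-1:", predict_home_dir(SHELL_CTX))
    home = predict_home_dir(DAEMON_CTX)
    print("daemon then creates ~/.mozilla     :", label_for_new_object(DAEMON_CTX, home, "dir"))
    for name, user, type_ in audit_home_listing(HOME_LISTING):
        print(f"inherited label: {name:24} {user}:{type_}")
```

Two things the model makes visible that the thread only hints at. First, the rules chain: with qasd_t as the creator, /home (home_root_t) yields a user_home_dir_t home directory, and anything the same domain then creates inside it becomes user_home_t; with any other creator the model falls through to inheritance, which is exactly the all-home_root_t listing Jayson posted. Second, because the SELinux user of a new object is copied from the creating process, the unconfined_u on `.vas_disauthcc_100001` (next to system_u on its siblings) already says that file was written by a process running as an unconfined user, which is the kind of evidence Dan's `id -Z` suggestion would make explicit. A daemon started by init shows system_u in `ps -eZ`; the unconfined_u on the qasd_t processes in the thread is consistent with their having been started from an unconfined shell.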