On 21.02.2014 at 10:32, selinux-request@xxxxxxxxxxxxxxxxxxxxxxx wrote:
> Send selinux mailing list submissions to
> 	selinux@xxxxxxxxxxxxxxxxxxxxxxx
>
> To subscribe or unsubscribe via the World Wide Web, visit
> 	https://admin.fedoraproject.org/mailman/listinfo/selinux
> or, via email, send a message with subject or body 'help' to
> 	selinux-request@xxxxxxxxxxxxxxxxxxxxxxx
>
> You can reach the person managing the list at
> 	selinux-owner@xxxxxxxxxxxxxxxxxxxxxxx
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of selinux digest..."
>
>
> Today's Topics:
>
>    1. Re: semanage error when upgrading to RHEL 6.5 (Andy Ruch)
>    2. RE: Correct way to use booleans (Jayson Hurst)
>    3. Re: semanage error when upgrading to RHEL 6.5 (Miroslav Grepl)
>    4. Re: Correct way to use booleans (Miroslav Grepl)
>    5. Re: how to change the context of running process (Miroslav Grepl)
>    6. Re: How to properly setup my domains security contexts in the
>       domain.fc file? (Miroslav Grepl)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 20 Feb 2014 14:30:06 -0800 (PST)
> From: Andy Ruch <adruch2002@xxxxxxxxx>
> To: Daniel J Walsh <dwalsh@xxxxxxxxxx>, Fedora SELinux <selinux@xxxxxxxxxxxxxxxxxxxxxxx>
> Subject: Re: semanage error when upgrading to RHEL 6.5
> Message-ID: <1392935406.63212.YahooMailNeo@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
> Content-Type: text/plain; charset=utf-8
>
>> On Thursday, February 20, 2014 3:23 PM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
>>
>> On 02/20/2014 04:44 PM, Andy Ruch wrote:
>>> On Thursday, February 20, 2014 2:36 PM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
>>>
>>>> On 02/20/2014 03:46 PM, Andy Ruch wrote:
>>>>> On Thursday, February 20, 2014 1:38 PM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
>>>>>
>>>>>> On 02/19/2014 11:56 AM, Andy Ruch wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> I have a policy that was originally written for RHEL 6.2. I'm now
>>>>>>> trying to upgrade to RHEL 6.5 and I'm having problems with semanage. I
>>>>>>> can install a fresh RHEL 6.5 system with the targeted policy and
>>>>>>> everything works fine. I then uninstall the targeted policy and install
>>>>>>> my policy and I can't link the linux user and selinux user.
>>>>>>>
>>>>>>> semanage user -a -R sysadm_r -R staff_r -r s0-s0:c0.c1023 testuser_u
>>>>>>> useradd -G wheel testuser
>>>>>>> semanage login -a -r s0-s0:c0.c1023 -s testuser_u testuser
>>>>>>> libsemanage.dbase_llist_query: could not query record value
>>>>>>> /usr/sbin/semanage: Could not query user for testuser
>>>>>>>
>>>>>>> I have the RHEL 6.5 source code for libsemanage and the targeted policy
>>>>>>> but so far I haven't been able to find differences that would affect
>>>>>>> this problem. Could someone please point me in the right direction as
>>>>>>> far as what semanage is expecting? What would prevent libsemanage from
>>>>>>> querying for the user?
>>>>>>>
>>>>>>> Thanks, Andy
>>>>>>>
>>>>>>> --
>>>>>>> selinux mailing list
>>>>>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>>>
>>>>>> What does semanage login -l and semanage user -l show?
>>>>>
>>>>> semanage user -l shows:
>>>>>
>>>>>                 Labeling   MLS/       MLS/
>>>>> SELinux User    Prefix     MCS Level  MCS Range         SELinux Roles
>>>>>
>>>>> root            user       s0         s0-s0:c0.c1023    system_r
>>>>> system_u        user       s0         s0-s0:c0.c1023    system_r
>>>>> testuser_u      user       s0         s0-s0:c0.c1023    staff_r sysadm_r
>>>>> user_u          user       s0         s0                user_r
>>>>>
>>>>> semanage login -l shows:
>>>>>
>>>>> Login Name      SELinux User    MLS/MCS Range
>>>>>
>>>>> root            root            s0-s0:c0.c1023
>>>>> system_u        system_u        s0-s0:c0.c1023
>>>>
>>>> And the testuser exists in /etc/passwd?
>>>
>>> Yes. The commands "semanage user -a" and "useradd" appear to work fine.
>>> It's the "semanage login -a" that has trouble.
>>
>> And this is with the stock policycoreutils or a rebuilt one?
>
> Stock. Fresh install from RHEL 6.5 image. Then I remove the selinux-policy and selinux-policy-targeted RPMs and add my policy RPMs.
>
>
> ------------------------------
>
> Message: 2
> Date: Thu, 20 Feb 2014 16:54:18 -0700
> From: Jayson Hurst <swazup@xxxxxxxxxxx>
> To: Daniel J Walsh <dwalsh@xxxxxxxxxx>, "selinux@xxxxxxxxxxxxxxxxxxxxxxx" <selinux@xxxxxxxxxxxxxxxxxxxxxxx>
> Subject: RE: Correct way to use booleans
> Message-ID: <BLU172-W3728825C096AEDF18A065DD59A0@xxxxxxx>
> Content-Type: text/plain; charset="iso-8859-1"
>
> I see the same thing on RHEL 6.5.
>
> So should I assume this is a bug in SELinux/OS? Even so, is there a way that I can work around it? Would there be anything wrong with transitioning files I create in tmp from tmp_t to user_tmp_t?
>
>> Date: Thu, 20 Feb 2014 14:21:55 -0500
>> From: dwalsh@xxxxxxxxxx
>> To: swazup@xxxxxxxxxxx; selinux@xxxxxxxxxxxxxxxxxxxxxxx
>> Subject: Re: Correct way to use booleans
>>
>> On 02/20/2014 01:41 PM, Jayson Hurst wrote:
>>> I am running in permissive mode, my module is in permissive mode.
>>>
>>> I am actually running on RHEL 6.0.
>>>
>>> So in this scenario even though my daemon is authenticating the user it is
>>> not responsible for context that the krb5cc_xxx file gets created as?
>>
>> The login daemons should be creating this file with the correct context.
>> user_tmp_t.
>
> ------------------------------
>
> Message: 3
> Date: Fri, 21 Feb 2014 09:54:52 +0100
> From: Miroslav Grepl <mgrepl@xxxxxxxxxx>
> To: Andy Ruch <adruch2002@xxxxxxxxx>
> Cc: Daniel J Walsh <dwalsh@xxxxxxxxxx>, Fedora SELinux <selinux@xxxxxxxxxxxxxxxxxxxxxxx>
> Subject: Re: semanage error when upgrading to RHEL 6.5
> Message-ID: <5307145C.40903@xxxxxxxxxx>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> On 02/20/2014 11:30 PM, Andy Ruch wrote:
>> [...]
>>> And this is with the stock policycoreutils or a rebuilt one?
>>
>> Stock. Fresh install from RHEL 6.5 image. Then I remove the selinux-policy and selinux-policy-targeted RPMs and add my policy RPMs.
>
> Probably not related, but could you test it in permissive?
>
> Also, any chance to strace it and send us your output?
>
> Regards,
> Miroslav
>
>
> ------------------------------
>
> Message: 4
> Date: Fri, 21 Feb 2014 10:10:18 +0100
> From: Miroslav Grepl <mgrepl@xxxxxxxxxx>
> To: Jayson Hurst <swazup@xxxxxxxxxxx>
> Cc: Daniel J Walsh <dwalsh@xxxxxxxxxx>, "selinux@xxxxxxxxxxxxxxxxxxxxxxx" <selinux@xxxxxxxxxxxxxxxxxxxxxxx>
> Subject: Re: Correct way to use booleans
> Message-ID: <530717FA.9030002@xxxxxxxxxx>
> Content-Type: text/plain; charset="utf-8"; Format="flowed"
>
> On 02/20/2014 07:41 PM, Jayson Hurst wrote:
>> I am running in permissive mode, my module is in permissive mode.
>>
>> I am actually running on RHEL 6.0.
>>
>> So in this scenario even though my daemon is authenticating the user
>> it is not responsible for context that the krb5cc_xxx file gets
>> created as?
>
> What daemon?
>
> How does your local policy look?
>
>>> Date: Thu, 20 Feb 2014 12:48:53 -0500
>>> From: dwalsh@xxxxxxxxxx
>>> To: swazup@xxxxxxxxxxx; selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>> Subject: Re: Correct way to use booleans
>>>
>>> On 02/20/2014 11:30 AM, Jayson Hurst wrote:
>>>> So it sounds like booleans are meant to be set by the admin if they need
>>>> that sort of thing on. In the case of samba, if the admin wanted to share
>>>> out user directories they would need to turn on a boolean that would allow
>>>> them to do so, like samba_enable_home_dirs.
>>>>
>>>> I see a few different files in /tmp that are labelled as tmp_t, but the
>>>> ones I care about are the krb5cc_X files. If I use kinit to generate the
>>>> krb5cc file it is labelled as user_tmp_t, but if I login through
>>>> ssh, local_login, gdm, etc... they get created as tmp_t. Seeing that my
>>>> daemon is responsible for kerberos login I can only guess that it is
>>>> generating them incorrectly. In my SELinux module should I have a
>>>> transition for files created in tmp to have them created as user_tmp_t or
>>>> is there a better way?
>>>
>>> Well, are you in permissive mode? Are you using standard Fedora packages or
>>> something different? Login/sshd should be creating these files as user_tmp_t.
>>>
>>>>> Date: Thu, 20 Feb 2014 08:03:44 -0500
>>>>> From: dwalsh@xxxxxxxxxx
>>>>> To: swazup@xxxxxxxxxxx; selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>>>> Subject: Re: Correct way to use booleans
>>>>>
>>>>> On 02/19/2014 08:20 PM, Jayson Hurst wrote:
>>>>>> Audit2Allow is suggesting that a boolean be turned on.
>>>>>>
>>>>>> #!!!! This avc can be allowed using the boolean 'allow_ypbind'
>>>>>> allow vasd_t ldap_port_t:tcp_socket name_bind;
>>>>>>
>>>>>> setsebool -P allow_ypbind 1
>>>>>>
>>>>>> Should this boolean be enabled via my domain's policy, or is this
>>>>>> something the system administrator should turn on if they know they will
>>>>>> be using NIS?
>>>>>
>>>>> Only the system admin should turn this on in an NIS environment. This is
>>>>> an incredibly permissive boolean. Allows all processes to use any network
>>>>> port.
>>>>>
>>>>>> The same question can be asked for other things like http and samba.
>>>>>>
>>>>>> #!!!! This avc can be allowed using one of the these booleans:
>>>>>> #     samba_export_all_ro, samba_export_all_rw
>>>>>> allow smbd_t tmp_t:file getattr;
>>>>>
>>>>> There really should not be tmp_t files on a system. Any idea how this file
>>>>> got created? smbd_t in permissive mode?
>>>>>
>>>>>> #!!!! This avc can be allowed using one of the these booleans:
>>>>>> #     samba_create_home_dirs, samba_export_all_rw
>>>>>> allow smbd_t user_home_dir_t:dir { write create add_name };
>>>>>>
>>>>>> setsebool -P samba_export_all_rw 1
>>>>>
>>>>> If a user is exporting the home dirs it would be better to use
>>>>> samba_enable_home_dirs
>>>>>
>>>>> But if he is sharing the entire system then use samba_export_all_rw
>
> ------------------------------
>
> Message: 5
> Date: Fri, 21 Feb 2014 10:26:19 +0100
> From: Miroslav Grepl <mgrepl@xxxxxxxxxx>
> To: bigclouds <bigclouds@xxxxxxx>
> Cc: "selinux@xxxxxxxxxxxxxxxxxxxxxxx" <selinux@xxxxxxxxxxxxxxxxxxxxxxx>
> Subject: Re: how to change the context of running process
> Message-ID: <53071BBB.5080905@xxxxxxxxxx>
> Content-Type: text/plain; charset="utf-8"; Format="flowed"
>
> On 02/10/2014 02:38 AM, bigclouds wrote:
>> hi, all
>>
>> 1. how to change the context of a running process?
>>
>> 2. in my case, libvirtd is initrc_t. how to find where and which
>>    file defines this rule? libvirtd should be virtd_t, i want to correct it.
>>
>> 3. audit2allow outputs a rule, 'allow initrc_t svirt_t:process transition'.
>>    is there a command line tool that can finish this request, without
>>    installing a .pp module?
>>
>> thanks
>
> It looks like you have a mislabeling issue on the libvirtd binary. If you execute
>
> $ ls -Z /usr/sbin/libvirtd | awk '{ print $4 }'
>
> $ matchpathcon /usr/sbin/libvirtd | awk '{ print $2 }'
>
> you will probably get different values. If so, you will need to fix the
> labeling (SELinux is a labeling system) using
>
> # restorecon -R -v /usr/sbin/libvirtd
>
> and restart the libvirtd service.
>
> ------------------------------
>
> Message: 6
> Date: Fri, 21 Feb 2014 10:32:35 +0100
> From: Miroslav Grepl <mgrepl@xxxxxxxxxx>
> To: Jayson Hurst <swazup@xxxxxxxxxxx>
> Cc: Daniel J Walsh <dwalsh@xxxxxxxxxx>, "selinux@xxxxxxxxxxxxxxxxxxxxxxx" <selinux@xxxxxxxxxxxxxxxxxxxxxxx>
> Subject: Re: How to properly setup my domains security contexts in the domain.fc file?
> Message-ID: <53071D33.8030905@xxxxxxxxxx>
> Content-Type: text/plain; charset="utf-8"; Format="flowed"
>
> On 02/14/2014 04:50 PM, Jayson Hurst wrote:
>> If the context for
>>
>>     /var/opt/quest/vas/vasd(/.*)?    all files    system_u:object_r:vasd_var_auth_t:s0
>>
>> is already in place before the product is installed via rpm, should
>> rpm correctly label the dir/files as they are laid down?
>
> The point is the directory needs to be a part of the rpm payload.
>
> # rpm -qf /var/opt/quest/vas/vas
>
> Otherwise you need to run restorecon to fix the labeling.
>
>> ------------------------------------------------------------------------
>> From: Daniel J Walsh <mailto:dwalsh@xxxxxxxxxx>
>> Sent: 2/14/2014 6:52 AM
>> To: Jayson Hurst <mailto:swazup@xxxxxxxxxxx>; selinux@xxxxxxxxxxxxxxxxxxxxxxx <mailto:selinux@xxxxxxxxxxxxxxxxxxxxxxx>
>> Subject: Re: How to properly setup my domains security contexts in the domain.fc file?
>>
>> On 02/14/2014 01:23 AM, Jayson Hurst wrote:
>>> The policy was in play before installing the product. Also, why doesn't the
>>> pid file get labeled correctly?
>>
>> Pid files are created by the app, and the app does not look at the file
>> context. file_context is just there to tell SELinux aware apps how to label
>> content (restorecon, rpm). If non SELinux aware apps create content then you
>> need file transition rules.
>>
>>> --------------------------------------------------------------------------------
>>> From: Daniel J Walsh <mailto:dwalsh@xxxxxxxxxx>
>>> Sent: 2/13/2014 6:58 PM
>>> To: Jayson Hurst <mailto:swazup@xxxxxxxxxxx>; selinux@xxxxxxxxxxxxxxxxxxxxxxx <mailto:selinux@xxxxxxxxxxxxxxxxxxxxxxx>
>>> Subject: Re: How to properly setup my domains security contexts in the domain.fc file?
>>>
>>> On 02/13/2014 08:30 PM, Jayson Hurst wrote:
>>>> I have a file context installed as follows:
>>>>
>>>> # semanage fcontext -l | grep vasd
>>>>
>>>> /etc/rc.d/init.d/vasd               regular file   system_u:object_r:vasd_initrc_exec_t:s0
>>>> /opt/quest/sbin/vasd                regular file   system_u:object_r:vasd_exec_t:s0
>>>> /var/opt/quest(/.*)?                all files      system_u:object_r:vasd_var_t:s0
>>>> /var/opt/quest/vas/vasd(/.*)?       all files      system_u:object_r:vasd_var_auth_t:s0
>>>> /var/opt/quest/vas/vasd/.vasd.pid   regular file   system_u:object_r:vasd_var_run_t:s0
>>>>
>>>> After a fresh install I see the following:
>>>>
>>>> # ls -laZ /var/opt/quest/vas/vasd/
>>>> drwxr-xr-x. root root unconfined_u:object_r:vasd_var_t:s0 .
>>>> drwxr-xr-x. root root unconfined_u:object_r:vasd_var_t:s0 ..
>>>> -rw-r--r--. root root unconfined_u:object_r:vasd_var_t:s0 vas_ident.vdb
>>>> -rw-r--r--. root root unconfined_u:object_r:vasd_var_t:s0 vas_misc.vdb
>>>>
>>>> Why are the files being created under /var/opt/quest/vas/vasd not being
>>>> labelled correctly as vasd_var_auth_t as the fcontext states? Is the
>>>> software installer supposed to force a relabel on a post-install?
>>>>
>>>> After a restart of the daemon I do not see the pid file being labelled
>>>> correctly:
>>>>
>>>> # /etc/init.d/vasd restart
>>>> Stopping vasd: vasd does not appear to be running.
>>>> Starting vasd:                                             [  OK  ]
>>>>
>>>> # ls -laZ /var/opt/quest/vas/vasd/
>>>> drwxr-xr-x. daemon daemon unconfined_u:object_r:vasd_var_t:s0 .
>>>> drwxr-xr-x. root   root   unconfined_u:object_r:vasd_var_t:s0 ..
>>>> srwxrwxrwx. daemon daemon unconfined_u:object_r:vasd_var_t:s0 .vasd_19574
>>>> srwxrwxrwx. daemon daemon unconfined_u:object_r:vasd_var_t:s0 .vasd_19575
>>>> srwxrwxrwx. daemon daemon unconfined_u:object_r:vasd_var_t:s0 .vasd_19576
>>>> srwxrwxrwx. daemon daemon unconfined_u:object_r:vasd_var_t:s0 .vasd40_ipc_sock
>>>> -rw-r--r--. daemon daemon unconfined_u:object_r:vasd_var_t:s0 .vasd.pid
>>>> -rw-r--r--. daemon daemon unconfined_u:object_r:vasd_var_t:s0 vas_ident.vdb
>>>> -rw-r--r--. daemon daemon unconfined_u:object_r:vasd_var_t:s0 vas_misc.vdb
>>>>
>>>> After forcing a relabel:
>>>>
>>>> # restorecon -F -R /var/opt/quest/vas/vasd/
>>>>
>>>> # ls -laZ /var/opt/quest/vas/vasd/
>>>> drwxr-xr-x. daemon daemon system_u:object_r:vasd_var_auth_t:s0 .
>>>> drwxr-xr-x. root   root   unconfined_u:object_r:vasd_var_t:s0 ..
>>>> srwxrwxrwx. daemon daemon system_u:object_r:vasd_var_auth_t:s0 .vasd_19574
>>>> srwxrwxrwx. daemon daemon system_u:object_r:vasd_var_auth_t:s0 .vasd_19575
>>>> srwxrwxrwx. daemon daemon system_u:object_r:vasd_var_auth_t:s0 .vasd_19576
>>>> srwxrwxrwx. daemon daemon system_u:object_r:vasd_var_auth_t:s0 .vasd40_ipc_sock
>>>> -rw-r--r--. daemon daemon system_u:object_r:vasd_var_auth_t:s0 .vasd.pid
>>>> -rw-r--r--. daemon daemon system_u:object_r:vasd_var_auth_t:s0 vas_ident.vdb
>>>> -rw-r--r--. daemon daemon system_u:object_r:vasd_var_auth_t:s0 vas_misc.vdb
>>>>
>>>> I get the files and directory labelled correctly, but not the pid file.
>>>> I can set a pid transition in the policy, but then what is the point of
>>>> setting a file context in the <domain>.fc for the pid file if it never
>>>> gets picked up? Apparently I am missing something important here.
>>>>
>>>> Does anyone know a place for good documentation on this subject?
>>>
>>> If RPM puts the files on disk and then installs your policy in post
>>> install, it will not fix the labels.
>>>
>>> You could create a vasd-selinux.rpm and require this to be installed
>>> before the vasd.rpm is installed. In that case the rpm should do the right
>>> thing, at least on Fedora/RHEL7. Not sure about RHEL6.
>>>
>>> Otherwise you can just run restorecon in the post install.
>
> ------------------------------
>
> End of selinux Digest, Vol 120, Issue 15
> ****************************************
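Messages 5 and 6 above both come down to the same check: the label a file carries on disk versus the label the loaded policy's file_contexts would assign it. The script below is an added example, not code from the list thread or from any of the posters; it turns Miroslav Grepl's `ls -Z` / `matchpathcon` comparison into a reusable check that reports only the type component (the part the daemon's domain rules are written against), so a `system_u` versus `unconfined_u` difference like the one in the `ls -laZ` listings is not reported as drift. It assumes `matchpathcon(1)` from libselinux-utils is installed and that `stat(1)` is GNU coreutils, whose `%C` format prints the SELinux context (avoiding any dependence on the column layout of `ls -Z`). The path and type strings used in the comments are the ones from the thread; the script itself has no knowledge of them.

```shell
#!/bin/sh
# Added example: report paths whose on-disk SELinux type differs from the type
# the loaded policy's file_contexts says they should have. Assumes
# matchpathcon(1) (libselinux-utils) and GNU coreutils stat(1) with %C.

# Third colon-separated component of a context string, e.g.
# "system_u:object_r:virtd_exec_t:s0" -> "virtd_exec_t".
# Pure parameter expansion, so it runs on any POSIX sh without SELinux.
context_type() {
    t=${1#*:*:}                 # drop the SELinux user and role
    printf '%s\n' "${t%%:*}"    # drop the MLS/MCS range, if present
}

# Succeed when two contexts carry the same type. The user component is
# ignored on purpose: unconfined_u:object_r:vasd_var_t:s0 and
# system_u:object_r:vasd_var_t:s0 select the same access rules.
same_type() {
    [ "$(context_type "$1")" = "$(context_type "$2")" ]
}

# Label currently on the inode.
actual_context() {
    stat -c %C -- "$1"
}

# Label file_contexts would assign, i.e. what restorecon would set
# (-n prints only the context, without the path).
expected_context() {
    matchpathcon -n "$1"
}

# Compare every path given; print one line per path and return 1 if any
# path is mislabeled or could not be queried.
check_paths() {
    rc=0
    for p in "$@"; do
        have=$(actual_context "$p")   || { rc=1; continue; }
        want=$(expected_context "$p") || { rc=1; continue; }
        if same_type "$have" "$want"; then
            printf 'ok        %s  %s\n' "$p" "$(context_type "$have")"
        else
            printf 'MISMATCH  %s  is %s, policy says %s\n' \
                "$p" "$(context_type "$have")" "$(context_type "$want")"
            rc=1
        fi
    done
    return "$rc"
}

# Usage:
#   sh label-check.sh /usr/sbin/libvirtd /var/opt/quest/vas/vasd/.vasd.pid
# A MISMATCH means whatever created the file never consulted file_contexts
# (an rpm payload laid down before the policy module, or the daemon creating
# the file itself). Fix with: restorecon -R -v <path>, then restart the
# service so it starts in the domain its binary's label now selects.
if [ "$#" -gt 0 ]; then
    check_paths "$@"
fi
```

For a single path, `matchpathcon -V <path>` or `restorecon -n -v <path>` gives the same verdict; the script is for walking a list of binaries and state directories after a package or policy upgrade. A relabel only fixes what is already on disk: a file the daemon creates later (the pid file in message 6, the krb5cc_* files in message 4) gets its type from the policy's file transition rules, so a MISMATCH that comes back after a restart points at a missing transition rule, not at labeling.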