Re: file creation and selinux

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 7/11/19 10:44 AM, Ed Greshko wrote:
> Hi,
> 
> I'm not well versed in selinux and I rarely have run into issues with it. 
> 
> However, one point that I thought was true doesn't seem to be true.  I was under the
> impression that when a file is created and the context for it is defined in the policy it
> would acquire it.
> 
> For example,
> 
> [egreshko@meimei ~]$ pwd
> /home/egreshko
> 
> [egreshko@meimei ~]$ touch .fetchmailrc
> [egreshko@meimei ~]$ ls -Z .fetchmailrc
> unconfined_u:object_r:user_home_t:s0 .fetchmailrc
> 
> [egreshko@meimei ~]$ restorecon .fetchmailrc
> [egreshko@meimei ~]$ ls -Z .fetchmailrc
> unconfined_u:object_r:fetchmail_home_t:s0 .fetchmailrc
> 
> Shouldn't the context have been correct when the file was created?  How is an average user
> to know they may need to add the additional step.
> 

File label with full path should be defined in policy:

emanage fcontext -l | grep fetchmailrc
/etc/fetchmailrc                                   regular file
system_u:object_r:fetchmail_etc_t:s0
/home/[^/]+/\.fetchmailrc                          regular file
unconfined_u:object_r:fetchmail_home_t:s0
/home/lvrabec/\.fetchmailrc                        regular file
staff_u:object_r:fetchmail_home_t:s0
/root/\.fetchmailrc                                regular file
system_u:object_r:fetchmail_home_t:s0


So restorecon did its job and restore it correctly.

But you created that file as unconfined_t. (type: "id -Z" in terminal)

And there is no FILE transition rule which should say what should be the
newly created file label, so it's inherits label from directory, which
is user_home_t.

Thanks,
Lukas.

> Thanks
> 


-- 
Lukas Vrabec
Senior Software Engineer, Security Technologies
Red Hat, Inc.

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux