-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Michal Jaegermann wrote: > I wonder if this is my unique experience or this is widely observed. > > So far, AFAICT, when installing a machine "from scratch", and while > keeping a layout as plain as possible, then selinux is rather > expected to work; at least decently enough. The picture becomes > entirely diferent when you are trying to upgrade a distro. What > results of such exercise will be I am unable to predict. > > I have now such example recently moved from F8 to F10. It was > configured "targeted" and in the past it was behaving ok. Burned on > other occasions I set selinux to "permissive" before upgrading > distros with an intentions to restore "enforcing" later on. In > anaconda it is hard not to notice that an installation of > selinux-policy-targeted package takes a really long time. One would > think that this is because some checks are run or some relabeling > takes place or whatever. Only the end result was that after a > reboot a machine was mostly busy spitting all kind of complaints and > warnings. If not that "permissive" setting it most likely would > not boot at all. 'touch /.autorelabel' followed by a reboot and > relabelling took care of most of that stuff. But without the > machine really going into a service at least two "mysteries" remain > (and I fully expect more to show up later). > > There is a requirement that a root needs to be able to login via > ssh on this machine using an authorized key (a remote root login > with a password is blocked). This works but I am getting every > time "Unable to get valid context for root" and in /var/log/secure: > "pam_selinux(sshd:session): Security context > system_u:system_r:logrotate_t:s0-s0:c0.c1023 is not allowed for > system_u:system_r:logrotate_t:s0-s0:c0.c1023". > Eh? What this is supposed to mean? There are no corresponding > 'sealert' message I can find nor 'allow2why' comes with any reasons. > > Another problem which hits immediately is that 'root' has > .procmailrc file and it is necessary there. Every mail to root > results in selinux complaints. Initially these were in a form: > > SELinux is preventing the procmail from using potentially mislabeled > files (./_ZoC.lwQVJB.xxxxxx.yyyy.zzz). > > and propositions to relabel these. A very good advice. :-) > This time 'allow2rules' had the following things to propose: > > allow procmail_t admin_home_t:dir { write remove_name add_name }; > allow procmail_t admin_home_t:file { write create unlink link }; > > I generated a corresponding module, and added it to a fray, and > that only changed a nature of complaints to: > > SELinux is preventing the procmail from using potentially mislabeled > files (./.procmailrc). > > The catch is that /root/.procmailrc has for a label > system_u:object_r:admin_home_t:s0 and 'restorecon -v' on it does not > change anything at all. > > Of course I have no idea if there are policy problems, or troubles > are somewhere else, or everything really works as expected. A big > mystery. > > To makes things even more interesting I have another machine, also > upgraded from F8 to F10 and configured, it would appear, in a > similar way, and none of symptoms described above shows there. > Only on that other box /root/.procmailrc is labeled with > system_u:object_r:user_home_t (do not ask me why!) and > system_u:object_r:user_home_dir_t shows on /root and running > there 'restorecon -vR /root' also does not change anything at all. > So apparently both are correct only one does not work and how and > why they aquired different labels is another of those puzzles. > Does selinux policies are applied at random? > > Michal > /root is supposed to be labelled admin_home_t and most confined applications are not allowed to read/write anything in this directory. So procmail_t should not be allowed by default to read/write admin_home_t. If for some reason you want procmail to deliver files to root, you can add a custom module, as you seem to have indicated that you have. Why /root on the other machine is labeled user_home_t is a bug. Not sure why this is happening. Do you have an entry in your /etc/passwd with a UID > 500 with /root as a home dir? I have changed the tools that setup homedir labeling to not modify /root but I am not sure if this has gotten into F10 yet. The reason we want to protect /root from confined domains, is to stop them from modifying /root/.bashrc or other files that the admin could be tricked into executing. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAklWFP4ACgkQrlYvE4MpobMtsgCgswMj9ikIHgTW06te/OVyyoWE UEUAoOXweXYZ/jZxkry28afH/y2FvCWk =L7sE -----END PGP SIGNATURE----- -- fedora-test-list mailing list fedora-test-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-test-list