Daniel J Walsh wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Joshua Brindle wrote:
Daniel J Walsh wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Joshua Brindle wrote:
Todd Miller wrote:
Daniel J Walsh wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Adding
mythtv:x:1004:1004::/var/lib/mythtv:/bin/bash
To /etc/passwd causes the labeling to get all screwed up. This would
report an error when we used the python version of genhomedircon and
not foul up the labeling by checking if there was a label for /var/lib
already in the file_context file. (Boy do I love python. :^))
https://bugzilla.redhat.com/show_bug.cgi?id=430195
Dan
That shouldn't be hard to add to genhomedircon.c. I'll take a look.
So, Todd is about to send a patch to fix this but I want to point out
that I'm adverse to this sort of thing. There is a minuid and a null
shell for a reason, using something above minuid with a valid shell for
a non-interactive user is a broken configuration and the fact that we
have to work around it is pretty unfortunate.
That said the alternative of breaking the system labeling is pretty bad,
its probably better to hack around the problem than leave clueless users
with broken configurations stranded but I really wish we didn't have to
do things like this.
*sigh*
I think you need to scream in the semanage that this is bad behavior,
and you can't fix the labels. The /var/lib situation is bad, but I more
commonly see admins putting real users in /usr/local or under /var. We
need to have a message that explains this is bad and SELinux can not
handle it.
Well, this is part of the configurability of Linux and thats why people
love it, right? One solution would be to effectively get rid of
directory search denials on commodity policies (eg., give all domains
search on all dirs for the RH policy) then we don't have to worry about
the "top level home" directory label at all.
It is not that simple. useradd relies on home_root_t to create
directories labeled user_home_dir_t.
So I think this behavior is bogus. First of all the user being added
might not be a user_r user and thus his home directory will be
mislabeled between the time useradd adds the directory and it gets
relabeled. This is a race where an unprivileged user could contaminate a
privileged users environment. Second if its true that user directories
commonly get moved then we have to stop relying on default transitions
to do labeling and make useradd label things properly.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
