On Mon, 2008-07-07 at 16:18 -0400, David L Durant (Mags) wrote:
> On Mon, 2008-07-07 14:47 -0500, Stephen Smalley wrote:
>
> > On Mon, 2008-07-07 at 13:42 -0500, Serge E. Hallyn wrote:
> >
> > > It looks like unconfined_t is not granted setfcap capability. So
> > > when running ltp as unconfined_t, the file capabilities test fails.
> > > I'm just wondering what the right answer is:
> > >
> > > 1. require running ltp as an administrative type
> > > 2. give ltp a custom policy module to create an ltp_t
> > > 3. give setfcap to unconfined_t
> >
> > unconfined_t should have all capabilities already.
> > Policy version?
>
> Well, earlier today while running as _root_ with full-blown permissions,
> I noticed that I couldn't access /home/dave/.gvfs (except to see that
> it is a directory).
>
> [dave@fedora ~]$ ls -ld /home/dave/.gvfs
> dr-x------ 2 dave durant 0 2008-07-07 09:40 /home/dave/.gvfs
> [dave@fedora ~]$ su -
> Password:
> [root@fedora ~]# ls -ld .gvfs
> ls: cannot access /home/dave/.gvfs: Permission denied
> [root@fedora ~]# secon
> user: unconfined_u
> role: unconfined_r
> type: unconfined_t
> sensitivity: s0
> clearance: s0:c0.c1023
> mls-range: s0-s0:c0.c1023
> [root@fedora ~]#

I don't think that is SELinux-related (retry after "setenforce 0" and/or
check your audit log via "/sbin/ausearch -m AVC -sv no"). Likely just
that /home/dave is NFS mounted and you have rootsquash on the NFS
server...

-- 
Stephen Smalley
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
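The triage Stephen describes (retry in permissive mode, then look for AVC records in the audit log) can be scripted so that a "Permission denied" is attributed to SELinux only when the audit trail actually contains a denial for that path. The script below is an added example, not code from the thread or from any SELinux tool; it parses ausearch-style records and, for offline use, works on constructed sample lines rather than a live audit log. The function names `avc_denials_for` and `classify` and the sample records are assumptions of this example.

```shell
#!/bin/sh
# Added example: decide whether a "Permission denied" is an SELinux denial.
# The two checks from the reply above are:
#   1. retry after "setenforce 0" (then "setenforce 1" again);
#   2. look for AVC records with "ausearch -m AVC -sv no".
# If the operation still fails in permissive mode and no AVC names the
# path, the denial is coming from the filesystem / DAC layer (the reply's
# guess for ~/.gvfs is an NFS mount with root squashing), not from policy.

# avc_denials_for PATH  (reads ausearch output on stdin)
# Prints only the AVC "denied" records whose name= or path= field refers
# to the basename of PATH. Fixed-string matching avoids regex surprises
# with names such as ".gvfs".
avc_denials_for() {
    base=$(basename "$1")
    grep 'avc:  *denied' | grep -F -e "name=\"${base}\"" -e "/${base}\""
}

# classify PATH AUDIT_TEXT -> prints "selinux" or "not-selinux"
# AUDIT_TEXT is the captured output of ausearch (or a sample, as below).
classify() {
    if printf '%s\n' "$2" | avc_denials_for "$1" | grep -q .; then
        printf 'selinux\n'
    else
        printf 'not-selinux\n'
    fi
}

# Constructed sample records (assumed format, not real logs).
SAMPLE_AVC_SHADOW='type=AVC msg=audit(1215455000.123:456): avc:  denied  { read } for  pid=1234 comm="cat" name="shadow" dev=sda1 ino=1001 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file'
SAMPLE_AVC_GVFS='type=AVC msg=audit(1215455100.456:457): avc:  denied  { getattr } for  pid=1235 comm="ls" path="/home/dave/.gvfs" dev=fuse ino=1 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir'
SAMPLE_NONE='<no matches>'

# Live use on a real host (needs root and auditd running):
#   AUDIT=$(/sbin/ausearch -m AVC -sv no 2>/dev/null || true)
#   classify /home/dave/.gvfs "$AUDIT"
# A "not-selinux" answer combined with a failure that persists under
# "setenforce 0" points at the mount (e.g. NFS root squash), not policy.
```

The `-sv no` filter restricts ausearch to records whose success field is "no", so a "selinux" answer here reflects an actual enforced denial rather than a permissive-mode audit of something that was allowed through.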