SELinux store file context and ownership change

Hello,
I'm trying to address a known "issue" where SELinux context of files in
SELinux store gets changed on policy rebuild. This triggers some system
verification tools and unnecessarily raises concerns in users.
I created a patch using getfilecon and setfscreatecon, but am not sure
if this is the best approach since it will not fix a context that has
already been changed. Also, any files created as a result of execve
need to be addressed separately (e.g. file_contexts.bin), maybe using
selabel_lookup to get the proper label since that way sefcontext_compile
does not need to know the path to the SELinux store (only to sandbox).
I considered relabeling the whole sandbox before semanage_commit_sandbox,
but that seems wasteful.

Then there is a related issue where the rebuild is performed as a
non-root user, causing files in the policy store to change ownership.
# capsh --user=testuser --caps="cap_dac_override+eip cap_setpcap+ep" --addamb=cap_dac_override -- -c "semodule -B"
This can actually cause issues in some scenarios (e.g. remote login failing).
Addressing this seems to require more drastic measures. My attempts to
use "chown" failed, even with the CAP_CHOWN capability, and using
seteuid/setegid does not seem safe. Any suggestions would be
appreciated.

Thank you.

Vit
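As an added check (example written for this page, not code from the post above or from libsemanage), the following sh script snapshots owner, group and SELinux context of every regular file under a policy store, and compares two snapshots taken around a rebuild such as "semodule -B". It reports files whose owner:group or context changed, and files that appeared or vanished, which covers both symptoms described in the post: the context change on files recreated during the rebuild and the ownership change when the rebuild runs as a non-root user. It assumes GNU coreutils stat (the %C format prints the SELinux context, or "?" where SELinux is not available). The store path /var/lib/selinux/targeted, the file names and the semanage_store_t contexts in the demo listings are constructed for the example and were not captured from a real system.

```shell
#!/bin/sh
# Added example: detect owner/context drift in a SELinux policy store
# across a rebuild. Not part of the original post or of libsemanage.
# Assumes GNU coreutils stat: %U:%G is owner:group, %C is the SELinux
# context ("?" on systems without SELinux). STORE is an assumed path.
STORE="${STORE:-/var/lib/selinux/targeted}"

# snapshot DIR: one line per regular file, "path owner:group context",
# sorted so two snapshots can be compared. Paths containing whitespace
# are not handled (the comparison splits fields on whitespace).
snapshot() {
    find "$1" -type f -exec stat -c '%n %U:%G %C' {} + | sort
}

# drift BEFORE AFTER: report every file whose owner:group or context
# differs between the two snapshots, plus files that appeared or vanished.
# Returns 1 if anything drifted, 0 if the store is unchanged.
drift() {
    awk '
        # first file: remember "owner:group context" per path
        NR == FNR { before[$1] = $2 " " $3; next }
        # second file: compare against the remembered state
        {
            seen[$1] = 1
            if (!($1 in before)) {
                printf "%s: new (%s %s)\n", $1, $2, $3; changed = 1
            } else if (before[$1] != $2 " " $3) {
                printf "%s: %s -> %s %s\n", $1, before[$1], $2, $3; changed = 1
            }
        }
        END {
            for (f in before) if (!(f in seen)) { printf "%s: missing\n", f; changed = 1 }
            exit (changed ? 1 : 0)
        }
    ' "$1" "$2"
}

# demo: run drift over two constructed listings that mimic the scenario
# in the post (a rebuild run as testuser changes ownership everywhere and
# the recreated file_contexts.bin carries the caller's SELinux user).
# The paths and contexts are made up for this example.
demo() {
    tmp=$(mktemp -d) || return 2
    cat > "$tmp/before" <<'EOF'
/var/lib/selinux/targeted/active/policy.kern root:root system_u:object_r:semanage_store_t:s0
/var/lib/selinux/targeted/active/file_contexts root:root system_u:object_r:semanage_store_t:s0
/var/lib/selinux/targeted/active/file_contexts.bin root:root system_u:object_r:semanage_store_t:s0
EOF
    cat > "$tmp/after" <<'EOF'
/var/lib/selinux/targeted/active/policy.kern testuser:testuser system_u:object_r:semanage_store_t:s0
/var/lib/selinux/targeted/active/file_contexts testuser:testuser system_u:object_r:semanage_store_t:s0
/var/lib/selinux/targeted/active/file_contexts.bin testuser:testuser unconfined_u:object_r:semanage_store_t:s0
EOF
    drift "$tmp/before" "$tmp/after" && rc=0 || rc=$?
    rm -rf "$tmp"
    return $rc
}

# Real use (as root, with the assumed store layout):
#   snapshot "$STORE" > /tmp/store.before
#   semodule -B
#   snapshot "$STORE" > /tmp/store.after
#   drift /tmp/store.before /tmp/store.after
case "${1:-}" in demo) demo ;; esac
```

Running the script with the argument "demo" prints one "->" line per file in the constructed listings and exits 1. Comparing against a snapshot rather than against the file_contexts specification matters here: "restorecon -nv" only reports differences in the type field unless run with -F, so a file whose SELinux user changed from system_u to unconfined_u, or whose owner changed, passes restorecon and is caught only by the snapshot diff.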