Hi,
I'm not well versed in SELinux and I have rarely run into issues with it.
However, one point that I thought was true doesn't seem to be true. I was under the impression that when a file is created and the context for it is defined in the policy it would acquire it.
For example,
[egreshko@meimei ~]$ pwd
/home/egreshko
[egreshko@meimei ~]$ touch .fetchmailrc
[egreshko@meimei ~]$ ls -Z .fetchmailrc
unconfined_u:object_r:user_home_t:s0 .fetchmailrc
[egreshko@meimei ~]$ restorecon .fetchmailrc
[egreshko@meimei ~]$ ls -Z .fetchmailrc
unconfined_u:object_r:fetchmail_home_t:s0 .fetchmailrc
Shouldn't the context have been correct when the file was created? How is an average user to know they may need to add the additional step?
Thanks
On 7/11/19 10:44 AM, Ed Greshko wrote:
> Hi,
> I'm not well versed in SELinux and I have rarely run into issues with it.
> However, one point that I thought was true doesn't seem to be true. I was under the impression that when a file is created and the context for it is defined in the policy it would acquire it.
> For example,
> [egreshko@meimei ~]$ pwd
> /home/egreshko
> [egreshko@meimei ~]$ touch .fetchmailrc
> [egreshko@meimei ~]$ ls -Z .fetchmailrc
> unconfined_u:object_r:user_home_t:s0 .fetchmailrc
> [egreshko@meimei ~]$ restorecon .fetchmailrc
> [egreshko@meimei ~]$ ls -Z .fetchmailrc
> unconfined_u:object_r:fetchmail_home_t:s0 .fetchmailrc
> Shouldn't the context have been correct when the file was created? How is an average user to know they may need to add the additional step?
The file label for the full path should be defined in the policy:
semanage fcontext -l | grep fetchmailrc
/etc/fetchmailrc               regular file   system_u:object_r:fetchmail_etc_t:s0
/home/[^/]+/.fetchmailrc       regular file   unconfined_u:object_r:fetchmail_home_t:s0
/home/lvrabec/.fetchmailrc     regular file   staff_u:object_r:fetchmail_home_t:s0
/root/.fetchmailrc             regular file   system_u:object_r:fetchmail_home_t:s0
So restorecon did its job and restored it correctly.
But you created that file as unconfined_t. (Type "id -Z" in a terminal.)
And there is no FILE transition rule to say what the newly created file's label should be, so it inherits the label from the directory, which is user_home_t.
Thanks, Lukas.
> Thanks
On 7/12/19 11:26 PM, Lukas Vrabec wrote:
> On 7/11/19 10:44 AM, Ed Greshko wrote:
> > Hi,
> > I'm not well versed in SELinux and I have rarely run into issues with it.
> > However, one point that I thought was true doesn't seem to be true. I was under the impression that when a file is created and the context for it is defined in the policy it would acquire it.
> > For example,
> > [egreshko@meimei ~]$ pwd
> > /home/egreshko
> > [egreshko@meimei ~]$ touch .fetchmailrc
> > [egreshko@meimei ~]$ ls -Z .fetchmailrc
> > unconfined_u:object_r:user_home_t:s0 .fetchmailrc
> > [egreshko@meimei ~]$ restorecon .fetchmailrc
> > [egreshko@meimei ~]$ ls -Z .fetchmailrc
> > unconfined_u:object_r:fetchmail_home_t:s0 .fetchmailrc
> > Shouldn't the context have been correct when the file was created? How is an average user to know they may need to add the additional step?
> The file label for the full path should be defined in the policy:
> semanage fcontext -l | grep fetchmailrc
> /etc/fetchmailrc               regular file   system_u:object_r:fetchmail_etc_t:s0
> /home/[^/]+/.fetchmailrc       regular file   unconfined_u:object_r:fetchmail_home_t:s0
> /home/lvrabec/.fetchmailrc     regular file   staff_u:object_r:fetchmail_home_t:s0
> /root/.fetchmailrc             regular file   system_u:object_r:fetchmail_home_t:s0
> So restorecon did its job and restored it correctly.
> But you created that file as unconfined_t. (Type "id -Z" in a terminal.)
> And there is no FILE transition rule to say what the newly created file's label should be, so it inherits the label from the directory, which is user_home_t.
I see. So, kindly indulge me, I have a few follow-up questions. Aside from my needing to look for information on what a "FILE transition rule" is....
Looking at this sequence:
[maria@meimei .local]$ ls -Zd share
unconfined_u:object_r:data_home_t:s0 share
[maria@meimei .local]$ cd share
[maria@meimei share]$ ls -Z certificates
ls: cannot access 'certificates': No such file or directory
[maria@meimei share]$ mkdir certificates
[maria@meimei share]$ ls -Zd certificates/
unconfined_u:object_r:home_cert_t:s0 certificates/
1. Tells me a "FILE transition rule" exists, yes?
2. How to list existing "FILE transition rules"?
3. Wouldn't it be advisable that files such as "rc" files, which a user may create in their home directory and which belong to well-known standard programs, have "FILE transition rules" already in existence?
On Fri, Jul 12, 2019 at 4:42 PM Ed Greshko ed.greshko@greshko.com wrote:
> So, kindly indulge me, I have a few follow-up questions. Aside from my needing to look for information on what a "FILE transition rule" is....
> Looking at this sequence:
> [maria@meimei .local]$ ls -Zd share
> unconfined_u:object_r:data_home_t:s0 share
> [maria@meimei .local]$ cd share
> [maria@meimei share]$ ls -Z certificates
> ls: cannot access 'certificates': No such file or directory
> [maria@meimei share]$ mkdir certificates
> [maria@meimei share]$ ls -Zd certificates/
> unconfined_u:object_r:home_cert_t:s0 certificates/
> - Tells me a "FILE transition rule" exists, yes?
Yes, because the file you created did not inherit the data_home_t label from the parent directory.
(Some special applications that have specific SELinux knowledge can request that a file be created with a specific context, but "mkdir" does not do this.)
> - How to list existing "FILE transition rules"?
$ sesearch --type_trans --source unconfined_t --default home_cert_t
type_transition unconfined_t config_home_t:dir home_cert_t "certificates";
type_transition unconfined_t data_home_t:dir home_cert_t "certificates";
type_transition unconfined_t user_home_dir_t:dir home_cert_t ".cert";
type_transition unconfined_t user_home_dir_t:dir home_cert_t ".pki";
type_transition unconfined_t user_home_dir_t:dir home_cert_t "certificates";
> - Wouldn't it be advisable that files such as "rc" files, which a user may create in their home directory and which belong to well-known standard programs, have "FILE transition rules" already in existence?
Contexts for many well-known dotfiles do have them. But fetchmail_home_t doesn't, at least in recent Fedora SELinux policy:
$ sesearch --type_trans --default fetchmail_home_t; echo END
END
Perhaps file an upstream enhancement request with your distro to add the missing file transition rules for fetchmail?
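The two mechanisms the thread contrasts, as an added example that is not from the list posts nor from the SELinux tools themselves: a small POSIX shell simulation. policy_type answers what restorecon/matchpathcon would assign by matching the full path against file-context rules (Lukas's point that restorecon did its job), and creation_type answers what the kernel assigns at creation time by looking for a type_transition rule, falling back to an unnamed rule and then to inheriting the parent directory's type (why touch .fetchmailrc yields user_home_t while mkdir certificates yields home_cert_t). The rule tables are constructed from the semanage fcontext -l and sesearch --type_trans output quoted above; the two unnamed unconfined_t user_home_dir_t rules are not shown in the thread and are included as an assumption about the Fedora policy. First-match-wins ordering of the file-context list is a simplification of the real file_contexts precedence rules.

```shell
#!/bin/sh
# Added example (not from the thread or from SELinux tooling): simulate how a
# new file gets its type at creation time versus what the file-context rules
# say it should be, using constructed rule tables.

# Constructed subset of `semanage fcontext -l`: regex, class, type.
# Class tokens: file = regular file, dir = directory, all = all files.
# Simplification: the first matching line wins, so list most specific first
# (real file_contexts precedence is more involved).
FCONTEXT_RULES='/home/[^/]+/\.fetchmailrc file fetchmail_home_t
/home/[^/]+/\.local/share/certificates(/.*)? all home_cert_t
/home/[^/]+/\.local/share(/.*)? all data_home_t
/home/[^/]+ dir user_home_dir_t
/home/[^/]+/.+ all user_home_t'

# Constructed subset of `sesearch --type_trans`: source domain, parent
# directory type, object class, resulting type, filename.  "*" marks an
# unnamed type_transition (no filename), which applies to any name.  The
# unnamed user_home_dir_t rules are an assumption about the Fedora policy;
# the named ones are taken from the sesearch output quoted in the thread.
TYPE_TRANS_RULES='unconfined_t data_home_t dir home_cert_t certificates
unconfined_t user_home_dir_t dir home_cert_t .cert
unconfined_t user_home_dir_t dir home_cert_t .pki
unconfined_t user_home_dir_t dir home_cert_t certificates
unconfined_t user_home_dir_t file user_home_t *
unconfined_t user_home_dir_t dir user_home_t *'

# policy_type PATH CLASS: the type restorecon/matchpathcon would apply,
# i.e. the first file-context rule whose regex matches the whole path.
policy_type() {
    pt_path=$1 pt_class=$2
    while read -r regex rclass rtype; do
        [ "$rclass" = all ] || [ "$rclass" = "$pt_class" ] || continue
        if printf '%s\n' "$pt_path" | grep -Eqx -e "$regex"; then
            printf '%s\n' "$rtype"
            return 0
        fi
    done <<EOF
$FCONTEXT_RULES
EOF
    return 1   # no rule matches: restorecon would leave the label alone
}

# creation_type SOURCE PARENT_TYPE CLASS NAME: the type the kernel assigns
# to a new object.  A named transition wins, then an unnamed one; with no
# rule at all the object simply inherits the parent directory's type.
creation_type() {
    ct_src=$1 ct_parent=$2 ct_class=$3 ct_name=$4
    unnamed=''
    while read -r rsrc rparent rclass rtype rname; do
        [ "$rsrc" = "$ct_src" ] && [ "$rparent" = "$ct_parent" ] &&
            [ "$rclass" = "$ct_class" ] || continue
        if [ "$rname" = "$ct_name" ]; then
            printf '%s\n' "$rtype"
            return 0
        elif [ "$rname" = '*' ]; then
            unnamed=$rtype
        fi
    done <<EOF
$TYPE_TRANS_RULES
EOF
    printf '%s\n' "${unnamed:-$ct_parent}"
}

# needs_restorecon SOURCE PARENT_TYPE CLASS PATH: report both labels and
# succeed (exit 0) when they differ, i.e. when restorecon would relabel.
needs_restorecon() {
    created=$(creation_type "$1" "$2" "$3" "${4##*/}")
    expected=$(policy_type "$4" "$3" || echo '<none>')
    printf '%-44s created=%-16s policy=%s\n' "$4" "$created" "$expected"
    [ "$created" != "$expected" ]
}

# Walk through the cases from the thread plus one ordinary file.
demo() {
    for case in \
        'unconfined_t user_home_dir_t file /home/egreshko/.fetchmailrc' \
        'unconfined_t data_home_t dir /home/maria/.local/share/certificates' \
        'unconfined_t data_home_t file /home/maria/.local/share/notes.txt'
    do
        set -- $case   # word-split the constructed case into arguments
        if needs_restorecon "$@"; then
            echo '  -> created with the wrong type; restorecon would fix it'
        else
            echo '  -> already matches the policy'
        fi
    done
}
demo
```

On a real system the same two questions are answered by matchpathcon PATH (or restorecon -nv PATH) for the policy side and sesearch --type_trans --source DOMAIN --target PARENT_TYPE for the creation side; a path that needs restorecon is exactly one where those two answers disagree.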
On 7/13/19 7:16 AM, James Ralston wrote:
> On Fri, Jul 12, 2019 at 4:42 PM Ed Greshko ed.greshko@greshko.com wrote:
> > So, kindly indulge me, I have a few follow-up questions. Aside from my needing to look for information on what a "FILE transition rule" is....
> > Looking at this sequence:
> > [maria@meimei .local]$ ls -Zd share
> > unconfined_u:object_r:data_home_t:s0 share
> > [maria@meimei .local]$ cd share
> > [maria@meimei share]$ ls -Z certificates
> > ls: cannot access 'certificates': No such file or directory
> > [maria@meimei share]$ mkdir certificates
> > [maria@meimei share]$ ls -Zd certificates/
> > unconfined_u:object_r:home_cert_t:s0 certificates/
> > - Tells me a "FILE transition rule" exists, yes?
> Yes, because the file you created did not inherit the data_home_t label from the parent directory.
> (Some special applications that have specific SELinux knowledge can request that a file be created with a specific context, but "mkdir" does not do this.)
> > - How to list existing "FILE transition rules"?
> $ sesearch --type_trans --source unconfined_t --default home_cert_t
> type_transition unconfined_t config_home_t:dir home_cert_t "certificates";
> type_transition unconfined_t data_home_t:dir home_cert_t "certificates";
> type_transition unconfined_t user_home_dir_t:dir home_cert_t ".cert";
> type_transition unconfined_t user_home_dir_t:dir home_cert_t ".pki";
> type_transition unconfined_t user_home_dir_t:dir home_cert_t "certificates";
> > - Wouldn't it be advisable that files such as "rc" files, which a user may create in their home directory and which belong to well-known standard programs, have "FILE transition rules" already in existence?
> Contexts for many well-known dotfiles do have them. But fetchmail_home_t doesn't, at least in recent Fedora SELinux policy:
> $ sesearch --type_trans --default fetchmail_home_t; echo END
> END
> Perhaps file an upstream enhancement request with your distro to add the missing file transition rules for fetchmail?
Thanks Much! Exactly what I needed to know.
selinux@lists.fedoraproject.org