Fedora Linux Support Community & Resources Center

  #1  
Old 24th July 2009, 11:07 AM
matej Offline
Registered User
 
Join Date: Jul 2009
Posts: 3
'restorecon' does not relabel correctly

Hi, everyone,

I have a very curious problem with 'restorecon'.

Problem:
'restorecon' should relabel the context of the path /maco/glass to system_u:object_r:glass_rw_t:s0, however, it relabels the context to system_u:object_r:user_home_dir_t:s0.

The command that triggers the error:
restorecon -F -R -v /maco/glass/
Expected result:
drwxr-xr-x. 2 system_u:object_r:glass_rw_t:s0 glass glass 4096 2009-07-24 11:32 glass
Actual result:
drwxr-xr-x. 2 system_u:object_r:user_home_dir_t:s0 glass glass 4096 2009-07-24 11:32 glass
Background:
I have created a custom policy named 'glass' which specifies SELinux rules for the GlassFish application server. It worked just fine until a couple of days ago.

The catch is that a couple of days ago I decided to change the path of my GlassFish installation from /var/glass to /maco/glass.

Here is the content of the glass.fc file:

/maco/glass -d gen_context(system_u:object_r:glass_rw_t,s0)
/maco/glass/.* gen_context(system_u:object_r:glass_r_t,s0)
/maco/glass/bin/asadmin -- gen_context(system_u:object_r:glass_exec_t,s0)
/maco/glass/lib/registration/servicetag-registry.xml -- gen_context(system_u:object_r:glass_rw_t,s0)
/maco/glass/config/asenv.conf -- gen_context(system_u:object_r:glass_rx_t,s0)
/maco/glass/lib/libjvminfoutil.so -- gen_context(system_u:object_r:glass_rx_t,s0)
/maco/glass/domains -d gen_context(system_u:object_r:glass_rw_t,s0)
/maco/glass/domains/.* gen_context(system_u:object_r:glass_rw_t,s0)
/maco/glass/updatecenter/config/config.xml -- gen_context(system_u:object_r:glass_rw_t,s0)
/maco/glass/lib/install/applications -d gen_context(system_u:object_r:glass_rw_t,s0)
System configuration:
Fedora 11

Linux Maco 2.6.29.6-213.fc11.i686.PAE #1 SMP Tue Jul 7 20:59:29 EDT 2009 i686 i686 i386 GNU/Linux
Comments:
  • I have another custom policy (named 'MySVN'). This one also relabels (with custom contexts) the path /maco/svn -- curiously enough, this works just fine.
  • Before, when I was using /var/glass, relabelling worked just fine.
  • I have tried changing the path from /maco/glass to simply /glass (to see if this works), and it worked (it correctly changed the context of the directory).
  • I have checked with the 'SELinux Management' tool that in fact the specified file label rules were installed.
  • I believe this could be a bug in Fedora's SELinux file labelling rules.

EDIT: I have tried to change the path from /maco/glass to /maco/sublask (totally random folder name), and it worked... It is true, that I have moved the '/maco/glass' folder from my home folder (namely: '/home/Download/glassfish') with the following command:
mv "/home/Download/glassfish" "/maco/glass";
Could the move have confused SELinux into thinking that the folder '/maco/glass' is still in my home folder? The folder '/maco' is a mount point with its own partition. Also, I have deleted the folder many times with the following command: rm -Rf /maco/glass. Nevertheless, it still relabels the path to 'system_u:object_r:user_home_dir_t:s0'.

Thank you very much for your assistance.

Sincerely,
---
Matej

Last edited by matej; 24th July 2009 at 11:24 AM. Reason: I have tried to use another path -- to see how it will work.
  #2  
Old 24th July 2009, 12:14 PM
matej Offline
Registered User
 
Join Date: Jul 2009
Posts: 3
I think I figured it out

Hi,

I think I just discovered the reason for this 'error': I have created a user 'glass', with the home folder set to '/maco/glass'. I guess Fedora thinks that this is a home folder and tries to relabel it accordingly.

Is there a way to override this functionality? I.e.: to force Fedora to use the contexts specified in the '*.fc' file instead of the 'user_home_dir_t' context?

NOTE: Fedora 10 did not have such a behaviour (it relabelled things 'correctly').

Thanks,
---
Matej

Last edited by matej; 24th July 2009 at 12:15 PM. Reason: Added a note.
  #3  
Old 25th July 2009, 11:20 AM
domg472 Offline
SELinux Contributor
 
Join Date: May 2008
Posts: 623
How is /maco defined?

I think you may have specified /maco wrong

What's the output of: semanage fcontext -l | grep maco

Edit: oh right, forget my comments above. This is due to how SELinux (genhomedircon) handles home directories.

Not sure how to fix that other than setting the login shell of glass to /sbin/nologin or using /home for the user home dir.
__________________
Come join us on #fedora-selinux on irc.freenode.org
http://docs.fedoraproject.org/selinu...ide/f10/en-US/

Last edited by domg472; 25th July 2009 at 11:22 AM.
  #4  
Old 25th July 2009, 11:46 AM
matej Offline
Registered User
 
Join Date: Jul 2009
Posts: 3
Hi, domg472

Thank you for your answer.

Quote:
This is due to how SELinux (genhomedircon) handles home directories.

Not sure how to fix that other than setting the login shell of glass to /sbin/nologin or using /home for the user home dir.

Yup, I just changed the home folder to something else -- it is an entirely acceptable solution.

On a side note, the user 'glass' had the login shell set to '/sbin/nologin' from the start (it is also a system account) -- so, I guess this does not change the way 'genhomedircon' behaves.

Again, thank you very much. I consider this problem solved.
Tags
restorecon, selinux
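
A check for the overlap diagnosed in this thread, as an added example (not code from any poster or from the SELinux project): it lists accounts whose passwd home directory is matched by, or is a parent of, a path spec in a custom .fc file. The passwd entries are constructed sample data (UIDs and the svn account are assumptions) and the .fc lines are a subset of those in the first post; the script does not reproduce genhomedircon's own account-selection rules, it only flags overlaps worth reviewing.

```shell
# Added example: flag accounts whose home directory overlaps a custom .fc spec.
# Constructed passwd(5) sample; on a real system use: getent passwd > passwd.txt
sample_passwd() {
cat <<'EOF'
matej:x:500:500::/home/matej:/bin/bash
glass:x:491:491:GlassFish:/maco/glass:/sbin/nologin
svn:x:492:492:Subversion:/var/empty:/sbin/nologin
EOF
}

# Subset of the glass.fc entries quoted in the first post.
sample_fc() {
cat <<'EOF'
/maco/glass -d gen_context(system_u:object_r:glass_rw_t,s0)
/maco/glass/.* gen_context(system_u:object_r:glass_r_t,s0)
/maco/glass/bin/asadmin -- gen_context(system_u:object_r:glass_exec_t,s0)
/maco/glass/domains -d gen_context(system_u:object_r:glass_rw_t,s0)
EOF
}

# find_home_collisions PASSWD_FILE FC_FILE
# Prints "user home spec relation" for each overlap between a home directory
# and an .fc path spec (specs are treated as anchored regular expressions).
find_home_collisions() {
    awk '
        FNR == NR {                        # first file: passwd, colon-separated
            if ($6 != "" && $6 != "/") home[$1] = $6
            next
        }
        NF == 0 || $1 ~ /^#/ { next }      # skip blank lines and comments
        {
            spec = $1
            for (u in home) {
                h = home[u]
                if (h ~ ("^" spec "$"))              # spec labels the home itself
                    print u, h, spec, "spec-matches-home"
                else if (index(spec, h "/") == 1)    # spec lies below the home
                    print u, h, spec, "spec-under-home"
            }
        }
    ' FS=: "$1" FS=' ' "$2" | sort
}
demo() {
    tmp=$(mktemp -d) || return 1
    sample_passwd > "$tmp/passwd"
    sample_fc > "$tmp/glass.fc"
    find_home_collisions "$tmp/passwd" "$tmp/glass.fc"
    rm -rf "$tmp"
}
demo
```

Every line printed names an account and a spec to compare against the output of semanage fcontext -l for the same path.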
