'restorecon' does not relabel correctly
FedoraForum.org - Fedora Support Forums and Community
  1. #1

    'restorecon' does not relabel correctly

    Hi, everyone,

    I have a very curious problem with 'restorecon'.

    Problem:
    'restorecon' should relabel the context of the path /maco/glass to system_u:object_r:glass_rw_t:s0, however, it relabels the context to system_u:object_r:user_home_dir_t:s0.

    The command that triggers the error:
    restorecon -F -R -v /maco/glass/
    Expected result:
    drwxr-xr-x. 2 system_u:object_r:glass_rw_t:s0 glass glass 4096 2009-07-24 11:32 glass
    Actual result:
    drwxr-xr-x. 2 system_u:object_r:user_home_dir_t:s0 glass glass 4096 2009-07-24 11:32 glass
    Background:
    I have created a custom policy named 'glass' which specifies SELinux rules for the GlassFish application server. It worked just fine until a couple of days ago.

    The catch is that, a couple of days ago, I decided to change the path of my GlassFish installation from /var/glass to /maco/glass.

    Here is the content of the glass.fc file:

    /maco/glass -d gen_context(system_u:object_r:glass_rw_t,s0)
    /maco/glass/.* gen_context(system_u:object_r:glass_r_t,s0)
    /maco/glass/bin/asadmin -- gen_context(system_u:object_r:glass_exec_t,s0)
    /maco/glass/lib/registration/servicetag-registry.xml -- gen_context(system_u:object_r:glass_rw_t,s0)
    /maco/glass/config/asenv.conf -- gen_context(system_u:object_r:glass_rx_t,s0)
    /maco/glass/lib/libjvminfoutil.so -- gen_context(system_u:object_r:glass_rx_t,s0)
    /maco/glass/domains -d gen_context(system_u:object_r:glass_rw_t,s0)
    /maco/glass/domains/.* gen_context(system_u:object_r:glass_rw_t,s0)
    /maco/glass/updatecenter/config/config.xml -- gen_context(system_u:object_r:glass_rw_t,s0)
    /maco/glass/lib/install/applications -d gen_context(system_u:object_r:glass_rw_t,s0)
    System configuration:
    Fedora 11

    Linux Maco 2.6.29.6-213.fc11.i686.PAE #1 SMP Tue Jul 7 20:59:29 EDT 2009 i686 i686 i386 GNU/Linux
    Comments:

    • I have another custom policy (named 'MySVN'). This one also relabels (with custom contexts) the path /maco/svn -- curiously enough, this works just fine.
    • Before, when I was using /var/glass, relabelling worked just fine.
    • I have tried changing the path from /maco/glass to simply /glass (to see if this works), and it worked (it correctly changed the context of the directory).
    • I have checked with the 'SELinux Management' tool that in fact the specified file label rules were installed.
    • I believe this could be a bug in Fedora's SELinux file labelling rules.


    EDIT: I have tried to change the path from /maco/glass to /maco/sublask (totally random folder name), and it worked... It is true, that I have moved the '/maco/glass' folder from my home folder (namely: '/home/Download/glassfish') with the following command:
    mv "/home/Download/glassfish" "/maco/glass";

    Could the move have confused SELinux into thinking that the folder '/maco/glass' is still in my home folder? The folder '/maco' is a mount point with its own partition. Also, I have deleted the folder many times with the following command: rm -Rf /maco/glass. Nevertheless, it still relabels the path to 'system_u:object_r:user_home_dir_t:s0'.

    Thank you very much for your assistance.

    Sincerely,
    ---
    Matej
    Last edited by matej; 24th July 2009 at 11:24 AM. Reason: I have tried to use another path -- to see how it will work.

  2. #2

    I think I figured it out

    Hi,

    I think I just discovered the reason for this 'error': I have created a user 'glass', with the home folder set to '/maco/glass'. I guess Fedora thinks that this is a home folder and tries to relabel it accordingly.

    Is there a way to override this functionality? I.e.: to force fedora to use the contexts specified in the '*.fc' file instead of the 'user_home_dir_t' context?

    NOTE: Fedora 10 did not have such a behaviour (it relabelled things 'correctly').

    Thanks,
    ---
    Matej
    Last edited by matej; 24th July 2009 at 12:15 PM. Reason: Added a note.

  3. #3
    How is /maco defined?

    I think you may have specified /maco wrong.

    What's the output of: semanage fcontext -l | grep maco

    Edit: oh right, forget my comments above. This is due to how SELinux (genhomedircon) handles home directories.

    Not sure how to fix that other than setting the login shell of glass to /sbin/nologin or using /home for the user home dir.
    Last edited by domg472; 25th July 2009 at 11:22 AM.
    Come join us on #fedora-selinux on irc.freenode.org
    http://docs.fedoraproject.org/selinu...ide/f10/en-US/

  4. #4
    Hi, domg472

    Thank you for your answer.

    "This is due to how SELinux (genhomedircon) handles home directories.

    Not sure how to fix that other than setting the login shell of glass to /sbin/nologin or using /home for the user home dir."
    Yup, I just changed the home folder to something else -- it is an entirely acceptable solution.

    On a side note, the user 'glass' had the login shell set to '/sbin/nologin' from the start (it is also a system account) -- so, I guess this does not change the way 'genhomedircon' behaves.

    Again, thank you very much. I consider this problem solved.
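
The collision diagnosed in this thread (an account whose home directory is a path that a custom .fc file also labels) can be checked for before running restorecon. The script below is an added example, not code from the thread or from the SELinux tools; the passwd entries, the /maco/svn line with its svn_rw_t type, and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag .fc path specs that sit at or below an account's home
# directory, where home-directory labelling may apply instead of the module's.

# Constructed passwd(5) entries; only the glass home path comes from the thread.
sample_passwd() { cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
matej:x:500:500::/home/matej:/bin/bash
glass:x:498:498::/maco/glass:/sbin/nologin
EOF
}

# First three specs are from the thread's glass.fc; the last one is constructed.
sample_fc() { cat <<'EOF'
/maco/glass -d gen_context(system_u:object_r:glass_rw_t,s0)
/maco/glass/.* gen_context(system_u:object_r:glass_r_t,s0)
/maco/glass/bin/asadmin -- gen_context(system_u:object_r:glass_exec_t,s0)
# constructed line with a hypothetical type, for the non-colliding case
/maco/svn(/.*)? gen_context(system_u:object_r:svn_rw_t,s0)
EOF
}

# homedir_fc_collisions PASSWD_FILE FC_FILE
# Prints "user<TAB>home<TAB>spec" for each spec equal to or under a home dir.
homedir_fc_collisions() {
    awk -F: '
        FILENAME == ARGV[1] {              # passwd file: remember each home
            h = $6; sub(/\/+$/, "", h)     # drop trailing slashes; "/" -> ""
            if (h != "") home[$1] = h
            next
        }
        /^[ \t]*(#|$)/ { next }            # .fc file: skip comments, blanks
        {
            split($0, f, " "); spec = f[1] # first field is the path regex
            for (u in home) {
                h = home[u]
                c = substr(spec, length(h) + 1, 1)  # char right after the home
                if (index(spec, h) == 1 && (c == "" || c == "/" || c == "("))
                    printf "%s\t%s\t%s\n", u, h, spec
            }
        }
    ' "$1" "$2"
}

tmp=$(mktemp -d)
sample_passwd > "$tmp/passwd"
sample_fc > "$tmp/glass.fc"
homedir_fc_collisions "$tmp/passwd" "$tmp/glass.fc"
rm -rf "$tmp"
```

On a live system, pass /etc/passwd and the module's .fc file; `matchpathcon /maco/glass` then shows the context the loaded policy assigns to the path.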
