I am trying to figure out why a policy that was written on RHEL 6.0 doesn't work the same on RHEL 6.5.
I have a policy whose domain is vasd_t
I am using the userdomain.if interface call which is supposed to give the domain access to create directories in the home dir root with the user home directory type:

    userdom_home_filetrans_user_home_dir(vasd_t)

Which calls:

    files_home_filetrans($1, user_home_dir_t, dir)

Which calls:

    filetrans_pattern($1, home_root_t, $2, $3)

Which is defined as:

    allow $1 $2:dir rw_dir_perms;
    type_transition $1 $2:$4 $3;
I would expect this to allow me to create a new directory in /home which is of type home_root_t, but what I am seeing is that the new homedir is being created with the type of home_root_t and not user_home_dir_t as expected.
I have also tried not calling the interface methods and defining it by hand as:

    allow vasd_t home_root_t:dir rw_dir_perms;
    type_transition vasd_t home_root_t:dir user_home_dir_t;
I have also tried calling userdom_create_user_home_dirs(vasd_t)
sesearch shows:

    $ sesearch -AC | grep 'allow vasd_t' | grep ': dir' | grep home_root_t
    allow vasd_t home_root_t : dir { ioctl read write getattr lock add_name remove_name search open } ;

The way the daemon that is associated with the vasd_t domain works is that it calls a script that does the actual creation of the homedir. I believe the problem lies in this fact: perhaps the script isn't being invoked in a way that gives it proper creation rights.
Like I said, this used to work in RHEL 6.0 but now I cannot seem to get it to work in 6.5. Any help would be appreciated. I don't know what I am missing here.
On 01/08/2015 09:22 PM, Jayson Hurst wrote:
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
You should only need:

    userdom_home_filetrans_user_home_dir(vasd_t)

You need to look at your transition rules.

    sesearch -T -s vasd_t -t home_root_t -c file
I declare userdom_home_filetrans_user_home_dir($1) in the vasd_admin method in the vasd.if file. vasd.te calls vasd_admin(vasd_t).

    $ sesearch -T -s vasd_t -t home_root_t -c file
    $

The command above returns a blank line.
Could there be a conflicting rule that might be causing me problems? Where do I look to figure out why this no longer works?
Date: Sat, 10 Jan 2015 07:03:17 -0500
From: dwalsh@redhat.com
To: swazup@hotmail.com; selinux@lists.fedoraproject.org
Subject: Re: Creating home directories with wrong context
Is it in an optional block? Could you send me your policy?
On 01/12/2015 11:48 AM, Jayson Hurst wrote:
So should I open a bug for this?
Date: Wed, 14 Jan 2015 10:49:56 -0500
From: dwalsh@redhat.com
To: swazup@hotmail.com; selinux@lists.fedoraproject.org
Subject: Re: Creating home directories with wrong context
This is what seems to trigger the home dir creation issue for me:

    # touch /.autorelabel
    # reboot
Then ssh into the box as a new user.
Declaring userdom_home_filetrans_user_home_dir(vasd_t) in the vasd.te file doesn't change the behavior. The user home dirs are still created with a security context of home_root_t.
A restart of the vasd daemon fixes the issue. Any suggestions on how/why a restart of the daemon fixed it?
From: swazup@hotmail.com
To: dwalsh@redhat.com; selinux@lists.fedoraproject.org
Subject: RE: Creating home directories with wrong context
Date: Tue, 27 Jan 2015 14:00:28 -0700
On 01/29/2015 01:19 AM, Jayson Hurst wrote:
Most likely vasd was not running with the correct domain.
ps -eZ | grep vasd to make sure it is running as vasd_t.
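The two checks suggested in this thread (that a type_transition rule for the dir class is actually loaded in the policy, and that the daemon is actually running in the vasd_t domain) can be scripted together. The block below is an added example, not code from the thread or from the vasd policy. Its two functions read the output of sesearch -T and ps -eZ on stdin, so they can be exercised offline with the constructed sample lines embedded in the block; run_checks drives the real commands when the script is started with --live. The sesearch query asks for the dir class, because the rule the thread is after is type_transition vasd_t home_root_t:dir user_home_dir_t, and a query for the file class will not show a dir transition. The --live flag, the sample lines and the process name vasd are assumptions.

```shell
#!/bin/sh
# Added diagnostic example (not code from the thread or from the vasd policy).
# 1. Is a type_transition rule for the dir class actually loaded?
# 2. Is the daemon process actually running in the vasd_t domain?
# Both checks parse command output from stdin so they can be tested offline
# with the constructed samples below; run_checks runs the real commands when
# the script is invoked with --live (the flag and the name "vasd" are assumed).

# has_filetrans SOURCE TARGET CLASS RESULT
# Reads `sesearch -T` output on stdin and succeeds (exit 0) if it contains
#     type_transition SOURCE TARGET:CLASS RESULT;
# Whitespace around ':' is normalised first, so both "home_root_t : dir"
# (setools 3, as on RHEL 6) and "home_root_t:dir" (setools 4) match.
has_filetrans() {
    sed 's/[[:space:]]*:[[:space:]]*/:/g; s/;//g' |
    awk -v s="$1" -v t="$2" -v c="$3" -v r="$4" '
        BEGIN { tc = t ":" c }
        $1 == "type_transition" && $2 == s && $3 == tc && $4 == r { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# proc_in_domain DOMAIN COMMAND
# Reads `ps -eZ` output on stdin and succeeds if some process whose command
# name (last column) is COMMAND carries DOMAIN as the type of its security
# context (user:role:type:level, so the type is the third ':'-separated field).
proc_in_domain() {
    awk -v dom="$1" -v cmd="$2" '
        $NF == cmd {
            split($1, ctx, ":")
            if (ctx[3] == dom) found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# Constructed sample output (not captured from a real system).
SAMPLE_SESEARCH='   type_transition vasd_t home_root_t : dir user_home_dir_t;'
SAMPLE_PS='LABEL                             PID TTY          TIME CMD
system_u:system_r:vasd_t:s0         1234 ?        00:00:01 vasd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1300 ? 00:00:00 sshd'

# Live diagnosis of the running system (needs setools and an SELinux-aware ps).
run_checks() {
    if sesearch -T -s vasd_t -t home_root_t -c dir |
       has_filetrans vasd_t home_root_t dir user_home_dir_t; then
        echo "OK: type_transition vasd_t home_root_t:dir user_home_dir_t is loaded"
    else
        echo "MISSING: no dir transition rule loaded; check that the module is installed and the call is not inside an unmet optional block"
    fi
    if ps -eZ | proc_in_domain vasd_t vasd; then
        echo "OK: vasd is running as vasd_t"
    else
        echo "WRONG DOMAIN: vasd is not running as vasd_t; the thread reports that restarting the daemon fixes this"
    fi
}

if [ "${1:-}" = "--live" ]; then
    run_checks
fi
```

Both functions exit non-zero rather than printing when the condition is not met, so they can be chained into a health check or a post-relabel sanity script; the relabel-and-reboot sequence described earlier in the thread is exactly the kind of event after which the domain check is worth running.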