Hi
I'm running Centos 5.5 with all the most recent patches applied and am seeing a strange problem with a file in my home directory called .recently-used.xbel. It keeps getting the wrong selinux context assigned to it though I have no idea what is changing it or when.
[trevor@trevor4 ]$ ls -aZl ~/.recently-used.xbel -rw-rw-r-- 1 user_u:object_r:user_home_dir_t trevor trevor 148481 Feb 18 20:22 /home/trevor/.recently-used.xbel [trevor@trevor4 ]$ chcon --reference=/home/trevor/.recently-used ~/.recently-used.xbel [trevor@trevor4 ]$ ls -aZl ~/.recently-used.xbel -rw-rw-r-- 1 user_u:object_r:user_home_t trevor trevor 148481 Feb 18 20:22 /home/trevor/.recently-used.xbel
It's a file not a directory yet it is being labelled as home_dir_t not home_t and this causes avc messages. I change it back using the chcon command above and it stays that way for a while and a few days/hour/weeks later, it comes back as home_dir_t again. I'm not sure what it is that triggers the re-mislabelling but I do know that I 'fixed' this via chcon about a week ago and now it's back again and it's not the first time that this has happened. Looking at these two avcs it would appear that I 'fixed' it shortly after the 13th and it came back sometime today or yesterday at a guess.
63. 13/02/11 02:12:53 smbd user_u:system_r:smbd_t:s0 4 file getattr user_u:object_r:user_home_dir_t:s0 denied 47358 64. 19/02/11 17:39:10 smbd user_u:system_r:smbd_t:s0 4 file getattr user_u:object_r:user_home_dir_t:s0 denied 54205
[root@trevor4 ~]# ausearch -i -a 54205 ---- type=SYSCALL msg=audit(19/02/11 17:39:10.711:54205) : arch=x86_64 syscall=stat success=yes exit=0 a0=7fffe6a808d0 a1=7fffe6a80000 a2=7fffe6a80000 a3=7fffe6a804d0 items=0 ppid=2533 pid=15831 auid=trevor uid=trevor gid=root euid=trevor suid=root fsuid=trevor egid=trevor sgid=root fsgid=trevor tty=(none) ses=2 comm=smbd exe=/usr/sbin/smbd subj=user_u:system_r:smbd_t:s0 key=(null) type=AVC msg=audit(19/02/11 17:39:10.711:54205) : avc: denied { getattr } for pid=15831 comm=smbd path=/home/trevor/.recently-used.xbel dev=dm-5 ino=10453859 scontext=user_u:system_r:smbd_t:s0 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=file
I haven't run a relabel of my system recently and even if I had it hasn't been since the machine was last rebooted..
[root@trevor4 ~]# uptime 18:10:11 up 52 days, 7:58, 15 users, load average: 0.43, 0.43, 0.25 [root@trevor4 ~]#
[trevor@trevor4 ~]$ rpm -q selinux-policy selinux-policy-2.4.6-279.el5_5.2
Anyone got any ideas what could be causing this? I can't see anything in semanage fcontext that could be doing it...
[root@trevor4 ~]# semanage fcontext -l | grep home /usr/sbin/genhomedircon regular file system_u:object_r:semanage_exec_t:s0 /usr/lib/oddjob/mkhomedir regular file system_u:object_r:oddjob_mkhomedir_exec_t:s0
Yours Baffled of Brighton :)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 02/19/2011 07:18 PM, Trevor Hemsley wrote:
Hi
I'm running Centos 5.5 with all the most recent patches applied and am seeing a strange problem with a file in my home directory called .recently-used.xbel. It keeps getting the wrong selinux context assigned to it though I have no idea what is changing it or when.
[trevor@trevor4 ]$ ls -aZl ~/.recently-used.xbel -rw-rw-r-- 1 user_u:object_r:user_home_dir_t trevor trevor 148481 Feb 18 20:22 /home/trevor/.recently-used.xbel [trevor@trevor4 ]$ chcon --reference=/home/trevor/.recently-used ~/.recently-used.xbel [trevor@trevor4 ]$ ls -aZl ~/.recently-used.xbel -rw-rw-r-- 1 user_u:object_r:user_home_t trevor trevor 148481 Feb 18 20:22 /home/trevor/.recently-used.xbel
It is a gnome-panel thing i believe. gnome-aware applications create these files in your home directory so that your recently used files show up on your gnome-panel under places -> Recent documents.
When users create files in their home directories, these creates files "type transition" from user_home_dir_t to user_home_t. Without this specified typ_transition, these files would be created with the type inherited from their parent directory, which incidentally is user_home_dir_t.
This leads me to believe that some gnome-aware application does not run it the user domain. Which means that the rules that apply to you as a user do not apply to this application.
The rules that do apply to this application do not include said type transition. Thus the application seems allowed to create files in user_home_dir_t directories but there is no rule that says, if it does then type transition from user_home_dir_t to user_home_t.
I am not aware of any gnome-aware user application confined, and so i do not know what created this file.
There are ways to figure this out but it may flood your logs, kill setroubleshoot and cause increased load.
One could force SELinux to audit all domain creating files with type user_home_dir_t. Then wait for the event to occur again and see if the forced audit shows information about this event that can be used to investigate further.
mkdir ~/mytest; cd ~/mytest; echo "policy_module(mytest,1.0.0) gen_require(` attribute domain, userdomain; type user_home_dir_t; ') auditallow { domain userdomain } user_home_dir_t:file create;" > mytest.te;
yum install selinux-policy-devel make -f /usr/share/selinux/devel/Makefile mytest.pp semodule -i mytest.pp
<< reproduce or wait for re-occurance >> << see/enclose avc "grants" ( grep -i grant /var/log/audit/audit.log ) >>
semodule -r mytest.pp
It's a file not a directory yet it is being labelled as home_dir_t not home_t and this causes avc messages. I change it back using the chcon command above and it stays that way for a while and a few days/hour/weeks later, it comes back as home_dir_t again. I'm not sure what it is that triggers the re-mislabelling but I do know that I 'fixed' this via chcon about a week ago and now it's back again and it's not the first time that this has happened. Looking at these two avcs it would appear that I 'fixed' it shortly after the 13th and it came back sometime today or yesterday at a guess.
- 13/02/11 02:12:53 smbd user_u:system_r:smbd_t:s0 4 file getattr
user_u:object_r:user_home_dir_t:s0 denied 47358 64. 19/02/11 17:39:10 smbd user_u:system_r:smbd_t:s0 4 file getattr user_u:object_r:user_home_dir_t:s0 denied 54205
[root@trevor4 ~]# ausearch -i -a 54205
type=SYSCALL msg=audit(19/02/11 17:39:10.711:54205) : arch=x86_64 syscall=stat success=yes exit=0 a0=7fffe6a808d0 a1=7fffe6a80000 a2=7fffe6a80000 a3=7fffe6a804d0 items=0 ppid=2533 pid=15831 auid=trevor uid=trevor gid=root euid=trevor suid=root fsuid=trevor egid=trevor sgid=root fsgid=trevor tty=(none) ses=2 comm=smbd exe=/usr/sbin/smbd subj=user_u:system_r:smbd_t:s0 key=(null) type=AVC msg=audit(19/02/11 17:39:10.711:54205) : avc: denied { getattr } for pid=15831 comm=smbd path=/home/trevor/.recently-used.xbel dev=dm-5 ino=10453859 scontext=user_u:system_r:smbd_t:s0 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=file
I haven't run a relabel of my system recently and even if I had it hasn't been since the machine was last rebooted..
[root@trevor4 ~]# uptime 18:10:11 up 52 days, 7:58, 15 users, load average: 0.43, 0.43, 0.25 [root@trevor4 ~]#
[trevor@trevor4 ~]$ rpm -q selinux-policy selinux-policy-2.4.6-279.el5_5.2
Anyone got any ideas what could be causing this? I can't see anything in semanage fcontext that could be doing it...
[root@trevor4 ~]# semanage fcontext -l | grep home /usr/sbin/genhomedircon regular file system_u:object_r:semanage_exec_t:s0 /usr/lib/oddjob/mkhomedir regular file system_u:object_r:oddjob_mkhomedir_exec_t:s0
Yours Baffled of Brighton :)
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
On 02/19/2011 06:18 PM, Trevor Hemsley wrote:
Hi
I'm running Centos 5.5 with all the most recent patches applied and am seeing a strange problem with a file in my home directory called .recently-used.xbel. It keeps getting the wrong selinux context assigned to it though I have no idea what is changing it or when.
[trevor@trevor4 ]$ ls -aZl ~/.recently-used.xbel -rw-rw-r-- 1 user_u:object_r:user_home_dir_t trevor trevor 148481 Feb 18 20:22 /home/trevor/.recently-used.xbel [trevor@trevor4 ]$ chcon --reference=/home/trevor/.recently-used ~/.recently-used.xbel [trevor@trevor4 ]$ ls -aZl ~/.recently-used.xbel -rw-rw-r-- 1 user_u:object_r:user_home_t trevor trevor 148481 Feb 18 20:22 /home/trevor/.recently-used.xbel
It's a file not a directory yet it is being labelled as home_dir_t not home_t and this causes avc messages. I change it back using the chcon command above and it stays that way for a while and a few days/hour/weeks later, it comes back as home_dir_t again. I'm not sure what it is that triggers the re-mislabelling but I do know that I 'fixed' this via chcon about a week ago and now it's back again and it's not the first time that this has happened. Looking at these two avcs it would appear that I 'fixed' it shortly after the 13th and it came back sometime today or yesterday at a guess.
- 13/02/11 02:12:53 smbd user_u:system_r:smbd_t:s0 4 file getattr
user_u:object_r:user_home_dir_t:s0 denied 47358 64. 19/02/11 17:39:10 smbd user_u:system_r:smbd_t:s0 4 file getattr user_u:object_r:user_home_dir_t:s0 denied 54205
[root@trevor4 ~]# ausearch -i -a 54205
type=SYSCALL msg=audit(19/02/11 17:39:10.711:54205) : arch=x86_64 syscall=stat success=yes exit=0 a0=7fffe6a808d0 a1=7fffe6a80000 a2=7fffe6a80000 a3=7fffe6a804d0 items=0 ppid=2533 pid=15831 auid=trevor uid=trevor gid=root euid=trevor suid=root fsuid=trevor egid=trevor sgid=root fsgid=trevor tty=(none) ses=2 comm=smbd exe=/usr/sbin/smbd subj=user_u:system_r:smbd_t:s0 key=(null) type=AVC msg=audit(19/02/11 17:39:10.711:54205) : avc: denied { getattr } for pid=15831 comm=smbd path=/home/trevor/.recently-used.xbel dev=dm-5 ino=10453859 scontext=user_u:system_r:smbd_t:s0 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=file
I haven't run a relabel of my system recently and even if I had it hasn't been since the machine was last rebooted..
[root@trevor4 ~]# uptime 18:10:11 up 52 days, 7:58, 15 users, load average: 0.43, 0.43, 0.25 [root@trevor4 ~]#
[trevor@trevor4 ~]$ rpm -q selinux-policy selinux-policy-2.4.6-279.el5_5.2
Anyone got any ideas what could be causing this? I can't see anything in semanage fcontext that could be doing it...
[root@trevor4 ~]# semanage fcontext -l | grep home /usr/sbin/genhomedircon regular file system_u:object_r:semanage_exec_t:s0 /usr/lib/oddjob/mkhomedir regular file system_u:object_r:oddjob_mkhomedir_exec_t:s0
Yours Baffled of Brighton :)
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
Trevor,
could you add your output of
# id -Z # ps -eZ | grep initrc
Also you can fix it using restorecond service by adding
# echo "~/.recently-used.xbel" >> /etc/selinux/restorecond.conf # service restorecond restart
Which will fix the label.
Miroslav Grepl wrote:
could you add your output of
# id -Z # ps -eZ | grep initrc
[trevor@trevor4 ~]$ id -Z user_u:system_r:unconfined_t [trevor@trevor4 ~]$ ps -eZ | grep initrc system_u:system_r:initrc_t 5075 ? 00:09:20 apcupsd system_u:system_r:initrc_t 5172 ? 00:01:43 clamd system_u:system_r:initrc_t 5211 ? 00:00:00 mysqld_safe system_u:system_r:initrc_t 5291 ? 00:00:36 hddtemp system_u:system_r:initrc_t 5587 ? 00:00:00 ssh-agent system_u:system_r:initrc_t 5593 ? 00:03:11 fwmysql.pl
Also you can fix it using restorecond service by adding
# echo "~/.recently-used.xbel" >> /etc/selinux/restorecond.conf # service restorecond restart
Which will fix the label.
Magic, done and thanks. Will keep an eye on it and see if it flips back again in the next week or so.
Miroslav Grepl wrote:
Also you can fix it using restorecond service by adding
# echo "~/.recently-used.xbel" >> /etc/selinux/restorecond.conf # service restorecond restart
Which will fix the label.
To report back on this, this appears to have worked for the last 2+ weeks so I think this looks like a solution. Thanks.
selinux@lists.fedoraproject.org
-
Dominick Grift -
Miroslav Grepl -
Trevor Hemsley