Dan Walsh's Blog

Got SELinux?


I relabeled but SELinux is still blocked.
danwalsh
I have been travelling all over Europe last week and this week, talking about SELinux.

A couple of times in the last week the question came up: why doesn't touch /.autorelabel; reboot fix the labels on all files on the machine?

Certain directories on the machine have a file context of <<none>> in the /etc/selinux/POLICYTYPE/contexts/files/file_contexts file.
This tells the labeling tools that files in such a directory may legitimately carry any label, so restorecon, setfiles and fixfiles (and therefore the /.autorelabel boot-time relabel) leave the contents alone.

If you grep the file

# grep -i None /etc/selinux/targeted/contexts/files/file_contexts | wc -l
34

You will see 34 matches.  Most of these are lost+found directories, spool directories, /var/run and tmp directories.

The one that usually causes problems, though, is /tmp.  As I blogged before, system tools should never use this directory, but sadly some still do.    If a confined domain tries to access a mislabeled file in /tmp and gets an access denied, a relabel of the file system will not help, because the relabel skips everything under /tmp.

We used to remove the contents of /tmp when a user ran touch /.autorelabel; reboot, but this was considered too dangerous: some users consider /tmp more permanent than others.  Personally I always run my system with a tmpfs file system on /tmp, so all the garbage gets removed on reboot.   The easiest thing to do when you see one of these AVCs on /tmp is to remove the files from /tmp and restart the service.  For example, if I had a problem with xdm (the domain gdm runs in) accessing some mislabeled files in /tmp, I would run

# rm -rf /tmp/.??* /tmp/*

and then restart the gdm service.  Note that this removes every other service's /tmp files as well (X11 sockets under /tmp/.X11-unix, for example), so expect to restart anything else that kept state there.
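To make the <<none>> rule and the /tmp remedy above concrete, here is an added shell example; it is not code from the original post. It pulls the <<none>> entries out of a file_contexts file and reports, for a given path, whether a relabel can fix its label or whether the file has to be removed and the service restarted. It runs against a constructed sample written in the format of /etc/selinux/targeted/contexts/files/file_contexts (the real file is used only if FILE_CONTEXTS is pointed at it), and the function names none_patterns, none_count, is_unlabelable and remedy_for are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): tell whether a relabel can
# fix a path, by checking it against the <<none>> entries of file_contexts.

# Constructed sample in the format of
# /etc/selinux/targeted/contexts/files/file_contexts:
#   <regex> [<file type>] <security context | <<none>>>
# The labeling tools anchor each regex at both ends.
SAMPLE_FILE_CONTEXTS="$(mktemp)"
trap 'rm -f "$SAMPLE_FILE_CONTEXTS"' EXIT
cat >"$SAMPLE_FILE_CONTEXTS" <<'EOF'
/.*                     system_u:object_r:default_t:s0
/tmp/.*                 <<none>>
/var/tmp/.*             <<none>>
/var/run/.*             <<none>>
/var/spool/.*           <<none>>
/lost\+found/.*         <<none>>
/usr/bin/.*             system_u:object_r:bin_t:s0
/var/lib(/.*)?          system_u:object_r:var_lib_t:s0
EOF

# On a real SELinux system point this at the active policy's file, e.g.
# FILE_CONTEXTS=/etc/selinux/targeted/contexts/files/file_contexts
FILE_CONTEXTS="${FILE_CONTEXTS:-$SAMPLE_FILE_CONTEXTS}"

# The regex column of every <<none>> entry.
none_patterns() {
    grep -E '<<none>>[[:space:]]*$' "$FILE_CONTEXTS" | awk '{ print $1 }'
}

# Number of <<none>> entries (what the post's grep ... | wc -l counts).
none_count() {
    none_patterns | wc -l | tr -d ' '
}

# Exit 0 if PATH matches a <<none>> entry: restorecon, setfiles and fixfiles
# skip such paths, so touch /.autorelabel; reboot leaves them alone too.
is_unlabelable() {
    path="$1"
    none_patterns | {
        while IFS= read -r re; do
            # Match the whole path against the anchored entry.
            if printf '%s\n' "$path" | grep -Eq "^${re}\$"; then
                exit 0
            fi
        done
        exit 1
    }
}

# The remedy the post describes: "relabel" when a relabel will fix the
# label, "remove" when only deleting the file and restarting the service will.
remedy_for() {
    if is_unlabelable "$1"; then
        echo remove
    else
        echo relabel
    fi
}

# Stand-alone usage: report on a few paths.
for p in /tmp/.X11-unix/X0 /var/spool/cron/root /usr/bin/gdm /tmp; do
    printf '%-24s %s\n' "$p" "$(remedy_for "$p")"
done
```

The matching mimics what setfiles does with the regex column (anchor at both ends, match the whole path); it ignores the optional file-type field and later-entry precedence, which do not matter for deciding whether a path is under a <<none>> entry. Run it with FILE_CONTEXTS set to the live file to see which of a denied domain's paths a relabel could never repair.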

If people have a better idea for solving this problem, I am all ears.

I wonder if we could just create a permanent /var/tmpfs like /dev/shm or /selinux where things like daemons and such stick their non-permanent crap. It might also be easier to write an over-arching policy for things like ssh, gdm, ICE, etc. to stick things in...

How about we start using tmpfs?

mount tmpfs /tmp -t tmpfs -o rootcontext=system_u:object_r:tmp_t:s0

works great!

