Re: polyinstantiation of the /tmp dir

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Clarkson, Mike R (US SSA) wrote:



-----Original Message-----
From: max [mailto:maximilianbianco@xxxxxxxxx]
Sent: Wednesday, May 14, 2008 5:26 PM
To: Clarkson, Mike R (US SSA)
Subject: Re: polyinstantiation of the /tmp dir

Clarkson, Mike R (US SSA) wrote:

I'm having a problem setting up polyinstantiation for the /tmp dir.

I'm

using RHEL5.1 and I've set it up to create instance directories

under

the /tmp-inst directory based on level when using newrole. It works,

but

the instance directory has ownership/permissions (dac permissions)

set

so that the user can not write to the polyinstantiated directory

#ls -l /tmp-inst/
total 24
drwxr-xr-x 2 root root 4096 May 14 20:17
system_u:object_r:tmp_t:s0-s4:c0.c255_clarkson
drwxr-xr-x 2 root root 4096 May 14 18:40
system_u:object_r:tmp_t:s4:c0.c255_clarkson
\

This may not matter at all but the mls field : s0-s4 seems to differ


They differ because I did two different newroles, once to the
s0-s4:c0.c255 level and another time to the s4:c0.c255 level. The
directories are polyinstantiated based on both the user, and the users
security context.


there between the two entries.

Either the directories need to be created with the user as the owner
(clarkson in this case), or the permissions need to be 777.


Also remember that Fedora, I don't know about RHEL 5.1, gives each

user

their own private group which by default includes no one else. Also

the

above seems to indicate that root owns the files, so yes i think
clarkson should be the owner, since regular users cannot read files
owned by root and are not normally in root's group either. If you see
some flaw, obvious or otherwise, in my logic then I'd appreciate a
scathing reply as I am trying to learn something here and I sincerely
appreciate being corrected.


I agree with the problem. I'm just not sure what the solution is.


Max
Thanks for clearing up that bit about the new roles. i would think changing the ownership would do the trick, unless there are other implications here because of the security context that i am not getting, your proposal of 777 on the directory seems to make sense but I was under the impression that writing files to /tmp was not an ideal solution, maybe change ownership to clarkson would be better or just creating the directory in /home/clarkson but again I am unclear as to all the implications. Anyway it would seem chmod should solve your problem by using it to give write perms to clarkson. I did find these, though i haven't had the time to review them in detail : 

http://www.ibm.com/developerworks/linux/library/l-polyinstantiation/

http://www.coker.com.au/selinux/talks/sage-2006/PolyInstantiatedDirectories.html



Thanks for the response, Hope the links help.

Max

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux