Clarkson, Mike R (US SSA) wrote:
-----Original Message-----
From: max [mailto:maximilianbianco@xxxxxxxxx]
Sent: Wednesday, May 14, 2008 5:26 PM
To: Clarkson, Mike R (US SSA)
Subject: Re: polyinstantiation of the /tmp dir
Clarkson, Mike R (US SSA) wrote:
I'm having a problem setting up polyinstantiation for the /tmp dir.
I'm
using RHEL5.1 and I've set it up to create instance directories
under
the /tmp-inst directory based on level when using newrole. It works,
but
the instance directory has ownership/permissions (dac permissions)
set
so that the user can not write to the polyinstantiated directory
#ls -l /tmp-inst/
total 24
drwxr-xr-x 2 root root 4096 May 14 20:17
system_u:object_r:tmp_t:s0-s4:c0.c255_clarkson
drwxr-xr-x 2 root root 4096 May 14 18:40
system_u:object_r:tmp_t:s4:c0.c255_clarkson
\
This may not matter at all but the mls field : s0-s4 seems to differ
They differ because I did two different newroles, once to the
s0-s4:c0.c255 level and another time to the s4:c0.c255 level. The
directories are polyinstantiated based on both the user, and the users
security context.
there between the two entries.
Either the directories need to be created with the user as the owner
(clarkson in this case), or the permissions need to be 777.
Also remember that Fedora, I don't know about RHEL 5.1, gives each
user
their own private group which by default includes no one else. Also
the
above seems to indicate that root owns the files, so yes i think
clarkson should be the owner, since regular users cannot read files
owned by root and are not normally in root's group either. If you see
some flaw, obvious or otherwise, in my logic then I'd appreciate a
scathing reply as I am trying to learn something here and I sincerely
appreciate being corrected.
I agree with the problem. I'm just not sure what the solution is.
Max
Thanks for clearing up that bit about the new roles. i would think
changing the ownership would do the trick, unless there are other
implications here because of the security context that i am not getting,
your proposal of 777 on the directory seems to make sense but I was
under the impression that writing files to /tmp was not an ideal
solution, maybe change ownership to clarkson would be better or just
creating the directory in /home/clarkson but again I am unclear as to
all the implications. Anyway it would seem chmod should solve your
problem by using it to give write perms to clarkson. I did find these,
though i haven't had the time to review them in detail :
http://www.ibm.com/developerworks/linux/library/l-polyinstantiation/
http://www.coker.com.au/selinux/talks/sage-2006/PolyInstantiatedDirectories.html
Thanks for the response, Hope the links help.
Max
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list