Re: SElinux concerning symlink?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Mike wrote:
Tim <ignored_mailbox <at> yahoo.com.au> writes:

I would imagine that the SELinux contexts are wrong.  They're applied to
expected filepaths (home space contexts for the usual /home/username/
filepaths), I imagine that they won't get applied across symlinks, as
it'd be too easy for someone to symlink non-public system stuff into the
middle of a public area, to try and access it.

Thanks Tim - in fact logging in on the laptop itself is fine - the problem
occurs when logging in via ssh from another machine.

I checked the selinux contexts with ls -Z and the contexts of /opt/Local/home are different to those of the symlink at /home

how, exactly?
These are the labels on my system (using ls -Z):
/home/*         system_u:object_r:user_home_dir_t:s0
/home/USER/*    system_u:object_r:user_home_t:s0
/home           system_u:object_r:home_root_t:s0

whereas files in /opt/local seem to get labelled like this:

/opt/local/*    unconfined_u:object_r:usr_t:s0
or this         system_u:object_r:usr_t:s0

(depends on how they were created IIRC)


have you tried relabelling the homedirs and their contents in /opt/local/home appropriately?

Yes the user area is then (via the symlink) /home/username and as I said
works fine for login on the machine itself.

I tried changing the context of the symlink using chcon but it would not
allow me to change the link (as root) - however I have also read that for
some circumstances it may be necessary to use the "newrole" command as root - but I am groping in the dark with this as I am not knowledgeable
about when this is appropriate.

what did you try to change it to?

did you try chcon on the files in /opt
(the following is by no means complete) -

chcon -t home_root_t /opt/local/home
chcon -t home_dir_t /opt/local/home/*
chcon -R -t user_home_t /opt/local/home/USER/*

for starters.


when you ssh in, are you sure it's an selinux problem?

for more useful messages, try this:

1. yum install setroubleshoot
2. service setroubleshoot start

3. then ssh in

4. look in /var/log/messages on your machine for lines containing 'sealert'
(or just run sealert -b if you have a graphical desktop)

5. see if there are complaints about mislabelled files/dirs.

6. let us know what the error messages are. We can be of more help that way. Everything we do at the moment is little more than educated guesswork.


Do you know of any links to a "getting started understanding SELinux"
type of guide?

The Red Hat SELinux guide might be helpful.

http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.2/html/Deployment_Guide/selg-overview.html

as might the various docs here:

http://fedoraproject.org/wiki/SELinux

The contexts for the files in the non-root partition appear to be set OK

what are they set to?

ls -Z /opt/local/home/*

and it looks like it is the symlink that is causing the problem. So far I
can use the applications as normal (i.e. as before) apart from this one
problem.

I have yet to explore whether there will be problems with dovecot if
the mail area is symlinked (again normal previous practice for me with
SELinux disabled previously)

symlinked from where? /opt again?

Stuart
--
Stuart Sears RHCA etc.
"It's today!" said Piglet.
"My favourite day," said Pooh.

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list

[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux