file contexts labelling - possible bug?
Daniel J Walsh
dwalsh at redhat.com
Mon Nov 16 19:15:57 UTC 2009
On 11/13/2009 07:32 PM, Matthew Ife wrote:
> This might just be me being daft in some sense but I have come across
> the following situation and was hoping someone could shed light on it.
>
> Part of setting up kerberos involves creating a principal database with
> the kdb5_util command.
>
> When you setup the database (typically as unconfined_t on a default
> installation) it puts various files in;
> /var/kerberos/krb5kdc
> of which include the principal database itself and various controls such
> as a lock file.
>
> This folder gets the context krb5kdc_conf_t and a few file contexts
> exist in the fcontext database to manage the additional creation of
> files in side, one of which is the principal.ok file which is used as a
> lock file.
>
> When creating the lock file with the command above it should get the
> label (according to fcontexts) of krb5kdc_lock_t as a regex exists such
> as:
> /var/kerberos/krb5kdc/principal.*\.ok system_u:object_r:krb5kdc_lock_t
>
> But, the file gets the parent directory context of conf_t. Likewise,
> removing the lock file manually and touching the file again also
> demonstrates the same behavior. If you then run restorecon/fixfiles on
> the directory it will correctly reset the file to the right location.
>
> I've checked with strace to see if something strange happens (if the
> principal.ok file gets created as a temp name then moved) but there is
> no such behaviour. Thus I'm stuck in understanding whats going on. Why
> does default filesystem labelling give the file conf_t and restorecon
> give it the (correct) lock_t?
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
>
I wrote a blog a long time ago explaining how files get their labels.
http://danwalsh.livejournal.com/2639.html
The problem here is that kdb5_util would need to have SELinux awareness in order to create the
files with the correct context. Kerberos libraries have this awareness built into them in Fedora,
but I guess this tool does not.
You should open a bugzilla on it.
More information about the fedora-selinux-list
mailing list