SElinux concerning symlink?

Thu Jul 24 10:16:11 UTC 2008

Mike wrote:
> Tim <ignored_mailbox <at> yahoo.com.au> writes:
> 
>> I would imagine that the SELinux contexts are wrong.  They're applied to
>> expected filepaths (home space contexts for the usual /home/username/
>> filepaths), I imagine that they won't get applied across symlinks, as
>> it'd be too easy for someone to symlink non-public system stuff into the
>> middle of a public area, to try and access it.
> 
> Thanks Tim - in fact logging in on the laptop itself is fine - the problem
> occurs when logging in via ssh from another machine.
> 
> I checked the selinux contexts with ls -Z and the contexts of 
> /opt/Local/home are different to those of the symlink at /home

how, exactly?
These are the labels on my system (using ls -Z):
/home/*         system_u:object_r:user_home_dir_t:s0
/home/USER/*    system_u:object_r:user_home_t:s0
/home           system_u:object_r:home_root_t:s0

whereas files in /opt/local seem to get labelled like this:

/opt/local/*    unconfined_u:object_r:usr_t:s0
or this         system_u:object_r:usr_t:s0

(depends on how they were created IIRC)

have you tried relabelling the homedirs and their contents in 
/opt/local/home appropriately?

> Yes the user area is then (via the symlink) /home/username and as I said
> works fine for login on the machine itself.
> 
> I tried changing the context of the symlink using chcon but it would not
> allow me to change the link (as root) - however I have also read that for
> some circumstances it may be necessary to use the "newrole" command as 
> root - but I am groping in the dark with this as I am not knowledgeable
> about when this is appropriate.

what did you try to change it to?

did you try chcon on the files in /opt
(the following is by no means complete) -

chcon -t home_root_t /opt/local/home
chcon -t home_dir_t /opt/local/home/*
chcon -R -t user_home_t /opt/local/home/USER/*

for starters.

when you ssh in, are you sure it's an selinux problem?

for more useful messages, try this:

1. yum install setroubleshoot
2. service setroubleshoot start

3. then ssh in

4. look in /var/log/messages on your machine for lines containing 'sealert'
(or just run sealert -b if you have a graphical desktop)

5. see if there are complaints about mislabelled files/dirs.

6. let us know what the error messages are. We can be of more help that 
way. Everything we do at the moment is little more than educated guesswork.

> Do you know of any links to a "getting started understanding SELinux"
> type of guide?

The Red Hat SELinux guide might be helpful.

http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.2/html/Deployment_Guide/selg-overview.html

as might the various docs here:

http://fedoraproject.org/wiki/SELinux

> The contexts for the files in the non-root partition appear to be set OK

what are they set to?

ls -Z /opt/local/home/*

> and it looks like it is the symlink that is causing the problem. So far I
> can use the applications as normal (i.e. as before) apart from this one
> problem.

> I have yet to explore whether there will be problems with dovecot if
> the mail area is symlinked (again normal previous practice for me with
> SELinux disabled previously)

symlinked from where? /opt again?

Stuart
-- 
Stuart Sears RHCA etc.
"It's today!" said Piglet.
"My favourite day," said Pooh.