polyinstantiation of the /tmp dir

max maximilianbianco at gmail.com
Thu May 15 01:37:15 UTC 2008


Clarkson, Mike R (US SSA) wrote:
> 
>> -----Original Message-----
>> From: max [mailto:maximilianbianco at gmail.com]
>> Sent: Wednesday, May 14, 2008 5:26 PM
>> To: Clarkson, Mike R (US SSA)
>> Subject: Re: polyinstantiation of the /tmp dir
>>
>> Clarkson, Mike R (US SSA) wrote:
>>> I'm having a problem setting up polyinstantiation for the /tmp dir. I'm
>>> using RHEL5.1 and I've set it up to create instance directories under
>>> the /tmp-inst directory based on level when using newrole. It works, but
>>> the instance directory has ownership/permissions (DAC permissions) set
>>> so that the user can not write to the polyinstantiated directory
>>>
>>> #ls -l /tmp-inst/
>>> total 24
>>> drwxr-xr-x 2 root root 4096 May 14 20:17 system_u:object_r:tmp_t:s0-s4:c0.c255_clarkson
>>> drwxr-xr-x 2 root root 4096 May 14 18:40 system_u:object_r:tmp_t:s4:c0.c255_clarkson
>>>
>> This may not matter at all but the MLS field (s0-s4) seems to differ
> 
> They differ because I did two different newroles, once to the
> s0-s4:c0.c255 level and another time to the s4:c0.c255 level. The
> directories are polyinstantiated based on both the user, and the users
> security context.
> 
>> there between the two entries.
>>> Either the directories need to be created with the user as the owner
>>> (clarkson in this case), or the permissions need to be 777.
>>>
>> Also remember that Fedora, I don't know about RHEL 5.1, gives each user
>> their own private group which by default includes no one else. Also the
>> above seems to indicate that root owns the files, so yes I think
>> clarkson should be the owner, since regular users cannot read files
>> owned by root and are not normally in root's group either. If you see
>> some flaw, obvious or otherwise, in my logic then I'd appreciate a
>> scathing reply as I am trying to learn something here and I sincerely
>> appreciate being corrected.
> 
> I agree with the problem. I'm just not sure what the solution is.
> 
>> Max

Thanks for clearing up that bit about the new roles. I would think 
changing the ownership would do the trick, unless there are other 
implications here because of the security context that I am not getting. 
Your proposal of 777 on the directory seems to make sense, but I was 
under the impression that writing files to /tmp was not an ideal 
solution; maybe changing ownership to clarkson would be better, or just 
creating the directory in /home/clarkson, but again I am unclear as to 
all the implications. Anyway, it would seem chmod should solve your 
problem by using it to give write perms to clarkson. I did find these, 
though I haven't had the time to review them in detail:

http://www.ibm.com/developerworks/linux/library/l-polyinstantiation/

http://www.coker.com.au/selinux/talks/sage-2006/PolyInstantiatedDirectories.html



Thanks for the response, hope the links help.

Max
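An added example, not from the thread or from pam_namespace, that audits an `ls -l /tmp-inst/` listing of the shape quoted above and reports instance directories whose intended user cannot write to them under DAC. The listing is constructed (the first two rows mirror the thread's root-owned 755 directories, the third is a made-up usable one), the `_<user>` suffix is read off the quoted directory names, and treating group write as usable only for the user's same-named private group follows Max's remark about user-private groups.

```python
import re

# Constructed listing in the shape of the thread's `ls -l /tmp-inst/` output.
# The first two rows reproduce the root-owned 755 instance dirs from the thread;
# the third is a constructed row showing an instance dir the user can use.
SAMPLE_LISTING = """\
total 24
drwxr-xr-x 2 root     root     4096 May 14 20:17 system_u:object_r:tmp_t:s0-s4:c0.c255_clarkson
drwxr-xr-x 2 root     root     4096 May 14 18:40 system_u:object_r:tmp_t:s4:c0.c255_clarkson
drwx------ 2 clarkson clarkson 4096 May 14 18:50 system_u:object_r:tmp_t:s0_clarkson
"""

# perms (optionally followed by ls's '.'/'+' marker), links, owner, group,
# size, month, day, time, name
LS_ROW = re.compile(
    r'^([d-][rwxsStT-]{9})[.+]?\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\d+\s+\S+\s+(\S+)$')

def parse_row(row):
    """Return (perms, owner, group, name) for one ls -l row, None for 'total' etc."""
    m = LS_ROW.match(row)
    return m.groups() if m else None

def instance_user(name):
    """Instance dirs in the listing are named <context>_<user>; take the suffix."""
    return name.rsplit('_', 1)[1]

def user_can_write(perms, owner, group, user):
    """DAC-only check (SELinux policy is not modelled here).
    Group write counts only when the group is the user's private group, i.e.
    carries the user's own name (the Fedora user-private-group default)."""
    if owner == user and perms[2] == 'w':
        return True
    if group == user and perms[5] == 'w':
        return True
    return perms[8] == 'w'  # world-writable, the chmod 777 case from the thread

def unwritable_instances(listing):
    """Names of instance dirs that their intended user cannot write to."""
    bad = []
    for row in listing.splitlines():
        parsed = parse_row(row)
        if parsed is None:
            continue
        perms, owner, group, name = parsed
        if not user_can_write(perms, owner, group, instance_user(name)):
            bad.append(name)
    return bad

if __name__ == '__main__':
    for name in unwritable_instances(SAMPLE_LISTING):
        print('user cannot write to instance dir:', name)
```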




More information about the fedora-list mailing list