home dir issues w/ latest policy

Bob Kashani bobk at ocf.berkeley.edu
Sat Jun 11 06:18:40 UTC 2005


On Sat, 2005-06-11 at 01:20 -0400, Ivan Gyurdiev wrote:
> On Fri, 2005-06-10 at 21:09 -0700, Bob Kashani wrote:
> > On Fri, 2005-06-10 at 19:51 -0400, Ivan Gyurdiev wrote:
> > > On Fri, 2005-06-10 at 19:46 -0400, Ivan Gyurdiev wrote:
> > > > > [medieval at chaucer ~]$ touch tmpfile
> > > > > [medieval at chaucer ~]$ ls -Z tmpfile
> > > > > -rw-rw-r--  medieval medieval user_u:object_r:user_home_t      tmpfile
> > > > 
> > > > The user is user_u, but the type is user_home_t. This is normal.
> > > 
> > > Unless you have a user defined in /etc/selinux/targeted/*.users, 
> > > in which case make sure the policy upgrade didn't replace any of 
> > > those files, and erase your user.
> > 
> > Thanks Ivan for the info. For some reason everything in my home dir was
> > labeled as system_u and so I thought maybe something was up. :)
> 
> That's odd...for a home directory I would have expected user_u.
> However, I haven't run targeted policy in ages...
> The user part of the context just represents the SElinux user
> that created the file, and I don't think it's actually used
> for anything important...at least not for files on disk.

On my rawhide install everything is user_u but in FC3 it was system_u. I
changed things to user_u just for good measure. :)

> > Now for the problem that I'm having:
> > 
> > Jun 10 20:57:47 chaucer kernel: audit(1118462267.758:0): avc:  denied
> > { execmod } for  pid=20348 comm=lt-glib-genmars
> > path=/mnt/hdb1/home/gnome/garnome-2.11-20050610.1755/platform/glib/work/main.d/glib-2.6.4/glib/.libs/libglib-2.0.so.0.600.4 dev=hdb1 ino=4407601 scontext=user_u:system_r:unconfined_t tcontext=user_u:object_r:user_home_t tclass=file
> 
> Looks like text relocations in the library. Try to find out how to get
> rid of them (readelf -d <path-to-lib> |grep TEXTREL)
> 
> > When I try to compile garnome in my home dir I get the above avc and the
> > build stops. Do you know what has changed in the most recent policy
> > update that would cause this?
> 
> No...I'm sorry, I only follow strict policy.

Well, I used audit2allow and it said I needed:

allow unconfined_t user_home_t:file execmod;

So I added it to the Shared Library section
of /etc/selinux/targeted/src/policy/domains/unconfined.te

And things seem to work. :) Is this correct?

Bob

-- 
Bob Kashani
http://www.ocf.berkeley.edu/~bobk/garnome
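Added example (not from the thread): before widening unconfined_t with an execmod allow rule, check whether the library named in the AVC record actually carries text relocations, which is what Ivan's readelf -d ... | grep TEXTREL check looks for; this does the same by reading the DT_TEXTREL/DT_FLAGS entries straight from the ELF dynamic segment. Assumes ELF64 objects; the AVC line and the ELF fixture are constructed for the example.

```python
import re
import struct

SAMPLE_AVC = (  # constructed: the denial quoted in the thread, with the build path shortened
    "audit(1118462267.758:0): avc:  denied  { execmod } for  pid=20348 comm=lt-glib-genmars "
    "path=/home/medieval/garnome/libglib-2.0.so.0.600.4 dev=hdb1 ino=4407601 "
    "scontext=user_u:system_r:unconfined_t tcontext=user_u:object_r:user_home_t tclass=file")
DT_NULL, DT_TEXTREL, DT_FLAGS, DF_TEXTREL, PT_DYNAMIC = 0, 22, 30, 0x4, 2

def parse_avc(line):
    """Return the key=value fields plus the permission list of one AVC denial record."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$", line)
    if not m:
        return None
    return dict(re.findall(r"(\w+)=(\S+)", m.group(2)), perms=m.group(1).split())

def dynamic_entries(elf):
    """Yield (tag, value) pairs from the PT_DYNAMIC segment of an ELF64 image."""
    if elf[:5] != b"\x7fELF\x02":
        raise ValueError("only ELF64 images are handled in this example")
    end = "<" if elf[5] == 1 else ">"  # EI_DATA: 1 = little-endian, 2 = big-endian
    (phoff,) = struct.unpack_from(end + "Q", elf, 0x20)
    phentsize, phnum = struct.unpack_from(end + "HH", elf, 0x36)
    for i in range(phnum):
        p_type, _, p_off, _, _, p_filesz = struct.unpack_from(end + "IIQQQQ", elf, phoff + i * phentsize)
        if p_type != PT_DYNAMIC:
            continue
        for off in range(p_off, p_off + p_filesz, 16):  # Elf64_Dyn is 16 bytes
            tag, val = struct.unpack_from(end + "qQ", elf, off)
            if tag == DT_NULL:
                return
            yield tag, val

def has_textrel(entries):
    """True if the dynamic section declares text relocations, the usual execmod trigger."""
    return any(t == DT_TEXTREL or (t == DT_FLAGS and v & DF_TEXTREL) for t, v in entries)

def triage(avc_line, elf_bytes):
    f = parse_avc(avc_line)
    if f is None or "execmod" not in f["perms"] or f.get("tclass") != "file":
        return "not an execmod-on-file denial"
    if has_textrel(dynamic_entries(elf_bytes)):
        return "library has TEXTREL: rebuild it as PIC (-fPIC) rather than allowing execmod"
    return "no TEXTREL: investigate why %s needs execmod on %s" % (f["comm"], f["path"])

def make_elf64(entries):
    """Minimal little-endian ELF64 image with one PT_DYNAMIC segment (test fixture only)."""
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in entries + [(DT_NULL, 0)])
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, 120, 0, 0, len(dyn), len(dyn), 8)
    return ehdr + phdr + dyn
```

On a real build, pass open(path, "rb").read() of the library named in the record; a TEXTREL result means the library, not the policy, is what needs fixing.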

More information about the fedora-selinux-list mailing list