Is 'search' on home_root_t always bad?

Daniel J Walsh dwalsh at redhat.com
Mon Jan 14 15:52:06 UTC 2008


Christoph Höger wrote:
> Hi,
> 
> currently I encounter a denial for openvpn which tries to "search"
> home_root_t. Is that generally a bad idea (and openvpn should be fixed)
> or should it be allowed?
> 
> regards
> 
> christoph

--
fedora-selinux-list mailing list
fedora-selinux-list at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

home_root_t is the label of /home and potentially other parent directories
of user home directories.

So if I had my homedirs in /users/dwalsh, /users would be labeled
home_root_t and /users/dwalsh would be labeled user_home_dir_t.


So searching of the home_root_t usually means that a domain is trying to
look at something in the home directory. If a domain has no reason to
look in the home directory, this could indicate a problem.

If I was a cracker and I broke into your machine, I would want to
attack home directories to grab secrets like stored passwords and credit
card data.

Now that being said, it is fairly easy to generate this type of avc.
When you start up a daemon, it often checks out its current working
directory. So if you su to root and then "service openvpn restart" you
could generate this avc. Also openvpn might have a legitimate reason to
read the user's homedir, and we don't allow it in policy, which could be
a bug.

Dan
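
The following is an added example, not part of the original message or of any SELinux tooling: a small triage script that finds denied "search" accesses on home_root_t directories in audit log text and groups them by source domain. The log lines, the ntpd entry and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not taken from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1200325926.101:41): avc:  denied  { search } for  pid=2301 comm="openvpn" name="home" dev=dm-0 ino=1310721 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1200325930.412:57): avc:  denied  { read } for  pid=2410 comm="httpd" name="index.html" dev=dm-0 ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1200325941.007:63): avc:  denied  { search getattr } for  pid=2301 comm="openvpn" name="home" dev=dm-0 ino=1310721 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1200325950.900:70): avc:  denied  { search } for  pid=2555 comm="ntpd" name="users" dev=dm-0 ino=1441793 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
"""

# Pulls the permission set, command name, both contexts and the object class
# out of one AVC denial record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)


def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]


def home_root_searches(log_text):
    """Map source domain -> sorted comm names denied 'search' on home_root_t dirs."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        if (m["tclass"] == "dir"
                and "search" in m["perms"].split()
                and selinux_type(m["tcon"]) == "home_root_t"):
            hits[selinux_type(m["scon"])].add(m["comm"])
    return {domain: sorted(comms) for domain, comms in hits.items()}


if __name__ == "__main__":
    for domain, comms in sorted(home_root_searches(SAMPLE_LOG).items()):
        print(f"{domain}: {', '.join(comms)}")
```

The script only surfaces which domains hit the denial; deciding whether each one is a working-directory artifact, a policy gap or a sign of a problem remains a manual review step.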