Your message dated Mon, 05 Jan 2009 15:40:11 -0600
with message-id <[email protected]>
and subject line Re: Bug#510125: Sorry, please close the bug.
has caused the Debian Bug report #510125,
regarding semanage generates crap into contexts/files/file_contexts.homedirs
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
510125: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510125
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: policycoreutils
Version: 2.0.49-6
Severity: important
Subject: policycoreutils: semanage generates crap into contexts/files/file_contexts.homedirs
I have these file contexts in the /var directory after doing fixfiles relabel /:
drwxr-xr-x 15 root root system_u:object_r:home_root_t:s0 4096 Dec 29 13:35 .
drwxr-xr-x 21 root root system_u:object_r:root_t:s0 4096 Dec 29 14:21 ..
drwxr-xr-x 2 root root user_u:object_r:user_home_dir_t:s0 4096 May 7 2008 backups
drwxr-xr-x 7 root root user_u:object_r:user_home_dir_t:s0 4096 Dec 29 14:17 cache
drwxr-xr-x 25 root root user_u:object_r:user_home_dir_t:s0 4096 Dec 29 14:17 lib
drwxrwsr-x 2 root staff user_u:object_r:user_home_dir_t:s0 4096 Mar 11 2008 local
drwxrwxrwt 2 root root user_u:object_r:user_home_dir_t:s0 4096 Dec 29 18:14 lock
drwxr-xr-x 6 root root system_u:object_r:var_log_t:s0 4096 Dec 29 18:19 log
drwx------ 2 root root system_u:object_r:lost_found_t:s0 16384 May 5 2008 lost+found
drwxrwsr-x 2 root mail user_u:object_r:user_home_dir_t:s0 4096 May 5 2008 mail
drwxr-xr-x 2 root root user_u:object_r:user_home_dir_t:s0 4096 May 5 2008 opt
drwxr-xr-x 2 root qmail system_u:object_r:home_root_t:s0 4096 Dec 29 13:38 qmail
drwxr-xr-x 7 root root system_u:object_r:var_run_t:s0 4096 Dec 29 18:14 run
drwxr-xr-x 5 root root user_u:object_r:user_home_dir_t:s0 4096 Dec 29 14:17 spool
drwxrwxrwt 3 root root system_u:object_r:tmp_t:s0 4096 Dec 29 18:06 tmp
And here is what is regenerated in contexts/files/file_contexts.homedirs every
time the SE user list is modified with the "semanage user" command: <<CUT
#
#
# User-specific file contexts, generated via libsemanage
# use semanage command to manage system users to change the file_context
#
#
#
# Home Context for user user_u
#
/home/[^/]*/.+ user_u:object_r:user_home_t:s0
/home/[^/]*/\.ssh(/.*)? user_u:object_r:user_home_ssh_t:s0
/home/[^/]*/\.gnupg(/.+)? user_u:object_r:user_gpg_secret_t:s0
/home/[^/]* -d user_u:object_r:user_home_dir_t:s0
/home/lost\+found/.* <<none>>
/home -d system_u:object_r:home_root_t:s0
/home/\.journal <<none>>
/home/lost\+found -d system_u:object_r:lost_found_t:s0
#
# Home Context for user user_u
#
/var/[^/]*/.+ user_u:object_r:user_home_t:s0
/var/[^/]*/\.ssh(/.*)? user_u:object_r:user_home_ssh_t:s0
/var/[^/]*/\.gnupg(/.+)? user_u:object_r:user_gpg_secret_t:s0
/var/[^/]* -d user_u:object_r:user_home_dir_t:s0
/var/lost\+found/.* <<none>>
/var -d system_u:object_r:home_root_t:s0
/var/\.journal <<none>>
/var/lost\+found -d system_u:object_r:lost_found_t:s0
#
# Home Context for user user_u
#
/var/qmail/[^/]*/.+ user_u:object_r:user_home_t:s0
/var/qmail/[^/]*/\.ssh(/.*)? user_u:object_r:user_home_ssh_t:s0
/var/qmail/[^/]*/\.gnupg(/.+)? user_u:object_r:user_gpg_secret_t:s0
/var/qmail/[^/]* -d user_u:object_r:user_home_dir_t:s0
/var/qmail/lost\+found/.* <<none>>
/var/qmail -d system_u:object_r:home_root_t:s0
/var/qmail/\.journal <<none>>
/var/qmail/lost\+found -d system_u:object_r:lost_found_t:s0
/tmp/gconfd-.* -d user_u:object_r:user_tmp_t:s0
#
# Home Context for user root
#
/root/.+ root:object_r:sysadm_home_t:s0
/root/\.ssh(/.*)? root:object_r:sysadm_home_ssh_t:s0
/root/\.gnupg(/.+)? root:object_r:sysadm_gpg_secret_t:s0
/root -d root:object_r:sysadm_home_dir_t:s0
/tmp/gconfd-root -d root:object_r:sysadm_tmp_t:s0
CUT
Needless to say, this configuration renders the machine unusable when in
enforcing mode. I don't know the source of such interesting behaviour,
but believe that the bug is somewhere in semanage.
Interestingly, when the unconfined SE module was loaded, there was
unconfined_u instead of user_u as the second and third "users" in this file.
I don't know why this happens, and fixed it only by hand-editing the files
$POLICY/contexts/files/file_contexts.homedirs and
$POLICY/modules/active/file_contexts.homedirs
and removing the invalid entries (those mentioning /var).
-- semanage user -l
root sysadm s0 s0-s0:c0.c1023 staff_r sysadm_r system_r
staff_u staff s0 s0-s0:c0.c1023 staff_r sysadm_r
sysadm_u sysadm s0 s0-s0:c0.c1023 sysadm_r
system_u user s0 s0-s0:c0.c1023 system_r
unconfined_u unconfined s0 s0-s0:c0.c1023 system_r unconfined_r
user_u user s0 s0 user_r
-- semanage login -l
__default__ user_u s0
root root s0-s0:c0.c1023
system_u system_u s0-s0:c0.c1023
-- semodule -l
dhcp 1.6.0
dmidecode 1.3.0
gpg 1.6.0
mysql 1.8.0
netutils 1.6.0
ssh 1.10.1
sudo 1.3.0
tcpd 1.3.0
tzdata 1.2.0
-- System Information:
Debian Release: 5.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-1-xen-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash
Versions of packages policycoreutils depends on:
ii libc6 2.7-16 GNU C Library: Shared libraries
ii libpam0g 1.0.1-4 Pluggable Authentication Modules l
ii libselinux1 2.0.65-5 SELinux shared libraries
ii libsemanage1 2.0.25-2 shared libraries used by SELinux p
ii libsepol1 2.0.30-2 Security Enhanced Linux policy lib
ii python 2.5.2-3 An interactive high-level object-o
ii python-selinux 2.0.65-5 Python bindings to SELinux shared
ii python-semanage 2.0.25-2 Python bindings for SELinux polic
ii python-sepolgen 1.0.11-5 A Python module used in SELinux po
Versions of packages policycoreutils recommends:
ii selinux-policy-default 2:0.0.20080702-6 Strict and Targeted variants of th
policycoreutils suggests no packages.
-- no debconf information
--- End Message ---
--- Begin Message ---
On Mon, Dec 29 2008, [email protected] wrote:
> People, please close the bug.
> I was able to investigate it further and found that the
> installed qmail package triggered libsemanage to generate
> homedir contexts for qmail users as for ordinary users.
>
> I have filed another bug report, now on libsemanage (with a patch),
> see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510134
>
> Sorry, and please close this bug.
>
> Thanks.
Yeah. I had already determined that this was genhomedircon, but
I had not delved further in. Thanks for the analysis.
manoj
--
Which is worse: ignorance or apathy? Who knows? Who cares?
Manoj Srivastava <[email protected]> <http://www.golden-gryphon.com/>
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C
--- End Message ---
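As an added example (not from the bug report, and not Debian's or libsemanage's own code), a small audit that parses a file_contexts.homedirs excerpt in the format quoted above and flags entries whose literal home root lies outside the locations where genhomedircon output is expected, which is exactly the /var and /var/qmail material the reporter had to remove by hand. The sample input is constructed from the report, and the set of expected roots is an assumption to be adjusted per site.

```python
import re
# Constructed sample: excerpt of the file_contexts.homedirs quoted in the bug
# report (the /home and /tmp entries are expected, the /var ones are not).
SAMPLE_HOMEDIRS = """\
# Home Context for user user_u
/home/[^/]* -d user_u:object_r:user_home_dir_t:s0
/home/lost\\+found/.* <<none>>
/home -d system_u:object_r:home_root_t:s0
/var/[^/]* -d user_u:object_r:user_home_dir_t:s0
/var -d system_u:object_r:home_root_t:s0
/var/qmail/[^/]* -d user_u:object_r:user_home_dir_t:s0
/tmp/gconfd-.* -d user_u:object_r:user_tmp_t:s0
"""
# Roots under which genhomedircon output is expected (assumed for this example).
EXPECTED_ROOTS = ("/home", "/root", "/tmp")
_META = re.compile(r"[\[\](){}.*+?^$|\\]")  # metacharacters that end a literal run

def parse_homedirs(text):
    """Parse 'path-regex [-d|-f|...] context' lines, skipping blanks and comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 3:                      # regex, file-type flag, context
            path, ftype, ctx = parts
        elif len(parts) == 2:                    # regex, context (or <<none>>)
            path, ftype, ctx = parts[0], None, parts[1]
        else:
            raise ValueError("malformed file_contexts line: %r" % line)
        entries.append((path, ftype, ctx))
    return entries

def literal_prefix(path_regex):
    """Leading literal directory of a path regex: '/var/qmail/[^/]*' -> '/var/qmail'."""
    m = _META.search(path_regex)
    if m is None:
        return path_regex                        # fully literal path, e.g. '/var'
    head = path_regex[:m.start()]                # e.g. '/var/qmail/' or '/tmp/gconfd-'
    return head[:head.rfind("/")] or "/"         # drop the partial last component

def suspicious_entries(text, roots=EXPECTED_ROOTS):
    """Return (path, context) for entries whose literal prefix lies outside every root."""
    bad = []
    for path, _ftype, ctx in parse_homedirs(text):
        prefix = literal_prefix(path)
        if not any(prefix == r or prefix.startswith(r + "/") for r in roots):
            bad.append((path, ctx))
    return bad
```

Run it against the real file after each "semanage user" change; any hit means the generated home contexts would relabel a system directory as a user home, as happened to /var here.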