/var/tmp/host_0 context getting set to initrc_tmp_t

Stephen Smalley sds at tycho.nsa.gov
Thu Mar 6 13:25:55 UTC 2008


On Thu, 2008-03-06 at 01:36 -0600, Jason L Tibbitts III wrote:
> I'm trying to track down a situation where the context of
> /var/tmp/host_0 somehow gets set to initrc_tmp_t instead of
> krb5_host_rcache_t.  When this happens, I get the following denial:
>   audit(1204783558.948:68): avc: denied { getattr } for pid=11121
>   comm="sshd" path="/var/tmp/host_0" dev=dm-3 ino=753668
>   scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023
>   tcontext=unconfined_u:object_r:initrc_tmp_t:s0 tclass=file
> and ssh GSSAPI authentication stops working.
> 
> This machine is a Kerberos slave server, and my best guess is that kpropd
> (which runs as initrc_t) is rewriting (i.e. deleting and recreating)
> that file at some point.  Unfortunately I can't cause it to happen so
> I'm not sure that's what's going on.
> 
> This is probably a corner case among corner cases, but has anyone seen
> anything like this?

You don't want to leave daemons running in initrc_t.  So you want to put
kpropd into a domain, whether an existing one (if something similar in
purpose and required accesses exists) or a new one, and then you can
ensure that the file will get the right type when created.

-- 
Stephen Smalley
National Security Agency
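A minimal policy module of the kind Stephen describes, added here as an illustration and not code from the thread, from Fedora, or from the reference policy: it moves kpropd out of initrc_t into its own domain and, through a type transition on tmp_t directories, labels anything kpropd creates in /var/tmp as krb5_host_rcache_t. The interface names (init_daemon_domain, kerberos_use, kerberos_read_keytab, kerberos_tmp_filetrans_host_rcache, kerberos_manage_host_rcache) are the reference policy's as I remember them and the path /usr/sbin/kpropd and the module version are assumptions; check each interface against the headers on the machine (grep the .if files under /usr/share/selinux/devel/include) before building.

```selinux
# kpropd.te  (added example; interface names and paths are assumptions)
policy_module(kpropd, 1.0.0)

########################################
#
# Declarations
#

type kpropd_t;
type kpropd_exec_t;
# init starts /usr/sbin/kpropd in kpropd_t instead of leaving it in initrc_t
init_daemon_domain(kpropd_t, kpropd_exec_t)

########################################
#
# Local policy
#

# kpropd authenticates the master with GSSAPI, so like any krb5 client it
# reads the keytab and the Kerberos configuration and talks to the KDC.
kerberos_use(kpropd_t)
kerberos_read_keytab(kpropd_t)

# The point of the thread: a replay-cache file kpropd creates in a tmp_t
# directory (/var/tmp) is labelled krb5_host_rcache_t at creation time,
# so sshd can still open it afterwards.  Without this transition the file
# would inherit a type from the creating domain, which is what produced
# initrc_tmp_t while kpropd ran as initrc_t.
kerberos_tmp_filetrans_host_rcache(kpropd_t, file)
kerberos_manage_host_rcache(kpropd_t)

# Accesses not covered above (the listening port, writing the propagated
# database dump, running kdb5_util) are best collected by letting one
# propagation cycle run with kpropd_t (or the whole machine) permissive
# and feeding the resulting AVCs to audit2allow.

# kpropd.fc  (path assumed)
/usr/sbin/kpropd	--	gen_context(system_u:object_r:kpropd_exec_t,s0)
```

Build with `make -f /usr/share/selinux/devel/Makefile`, load with `semodule -i kpropd.pp`, then `restorecon -v /usr/sbin/kpropd` and restart kpropd; `ps -eZ | grep kpropd` should now show kpropd_t rather than initrc_t. The new domain only affects files created from now on, so an already mislabelled /var/tmp/host_0 still has to be relabelled once with restorecon (or deleted so sshd recreates it); confirm with `ls -Z /var/tmp/host_0` that it reads krb5_host_rcache_t before testing GSSAPI login again.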
