Bug 157322
Summary: | Cannot erase /halt file | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Ivan Gyurdiev <ivg231> |
Component: | selinux-policy-strict | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED RAWHIDE | Severity: | medium |
Priority: | medium | Version: | rawhide |
Hardware: | i386 | OS: | Linux |
Doc Type: | Bug Fix | Last Closed: | 2005-05-12 05:12:57 UTC |
Description
Ivan Gyurdiev
2005-05-10 16:32:43 UTC
    restorecon /halt

Any idea how this got created with the wrong context?

Dan

What creates the halt file?

halt command creates this file. The only way I can see this happening is executing the shutdown from gdm while in permissive mode.

Dan

It's entirely possible that I did that - I still turn off selinux all the time, since it won't let me do various things - most notably I can't attach files to mozilla, I can't run wine, and I can't run UT2003/4...

...but why does permissive mode have this effect (w/ regard to halt file?).

Because there is a dontaudit rule instead of an allow, now changing it to

    file_type_auto_trans(xdm_t, root_t, etc_runtime_t, file)

halt and poweroff both attempt to write a flag file to /. halt writes /halt and poweroff writes /poweroff.

The /etc/init.d/halt script then has the following command

    [ -f /poweroff -o ! -f /halt ] && HALTARGS="$HALTARGS -p"
    exec $command $HALTARGS

Which either turns the poweroff on the machine or leaves it running. At least that is the way I believe it is supposed to run.

rc.sysinit tries to delete these files on reboot.

    grep poweroff /etc/rc.d/rc.sysinit
    rm -f /fastboot /fsckoptions /forcefsck /.autofsck /halt /poweroff &> /dev/null

We have in policy now

    file_type_auto_trans({ initrc_t sysadm_t }, root_t, etc_runtime_t, file)

So if the halt command is run by sysadm or via an init script it should get created with the correct context. Now if another application can write to the / partition and executes halt, a file could get created with root_t. But I do not know of any.

    grep " root_t.*dir.*write" policy.conf
    allow bootloader_t root_t:dir { read getattr lock search ioctl add_name remove_name write };
    allow { initrc_t sysadm_t } root_t:dir { read getattr lock search ioctl add_name remove_name write };
    allow quota_t { root_t home_root_t var_t usr_t src_t var_spool_t }:dir { read getattr lock search ioctl add_name remove_name write };
    dontaudit xdm_t root_t:dir { add_name write };

bootloader and quotadb both transition files to bootloader_tmp_t and quota_db_t respectively.

I did add file context for /poweroff and a few other files that could be created in /.

Closing... will reopen if I see it again.
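Added example (not part of the bug report or of the Fedora policy sources): the grep above, taken one step further. It lists every domain that has add_name on root_t directories, whether allowed or only dontaudit'ed, but has no file type_transition there; in permissive mode such a domain creates files in / that keep the directory's root_t type. The type_transition lines in the sample are an assumed expansion of the rules named in the thread, and the function name is hypothetical.

```python
import re

# Constructed sample in policy.conf syntax. The allow/dontaudit lines are the
# grep output quoted in the bug (sets shortened); the type_transition lines
# are an assumed expansion of the file_type_auto_trans rules and of the
# bootloader/quota transitions the thread mentions.
SAMPLE_POLICY = """\
allow bootloader_t root_t:dir { search add_name remove_name write };
allow { initrc_t sysadm_t } root_t:dir { search add_name remove_name write };
allow quota_t { root_t home_root_t var_t }:dir { search add_name remove_name write };
dontaudit xdm_t root_t:dir { add_name write };
type_transition bootloader_t root_t:file bootloader_tmp_t;
type_transition { initrc_t sysadm_t } root_t:file etc_runtime_t;
type_transition quota_t root_t:file quota_db_t;
"""

SET = r"(\{[^}]*\}|\S+)"  # a single name or a { brace set }
AV_RULE = re.compile(rf"^(allow|dontaudit)\s+{SET}\s+{SET}\s*:\s*{SET}\s+{SET}\s*;")
TT_RULE = re.compile(rf"^type_transition\s+{SET}\s+{SET}\s*:\s*{SET}\s+(\S+)\s*;")

def names(token):
    """Expand 'a_t' or '{ a_t b_t }' into a set of names."""
    return set(token.strip("{} ").split())

def unlabeled_creators(policy, parent="root_t"):
    """Map each domain that has add_name on `parent` directories (allowed or
    merely dontaudit'ed) but no file type_transition there to its rule kind."""
    creators, transitions = {}, set()
    for line in policy.splitlines():
        line = line.strip()
        if m := AV_RULE.match(line):
            kind, src, tgt, cls, perms = m.groups()
            if parent in names(tgt) and "dir" in names(cls) and "add_name" in names(perms):
                for dom in names(src):
                    creators.setdefault(dom, kind)
        elif m := TT_RULE.match(line):
            src, tgt, cls, _new_type = m.groups()
            if parent in names(tgt) and "file" in names(cls):
                transitions |= names(src)
    return {d: k for d, k in creators.items() if d not in transitions}

if __name__ == "__main__":
    for dom, kind in sorted(unlabeled_creators(SAMPLE_POLICY).items()):
        print(f"{dom}: {kind} on root_t:dir, new files would stay root_t")
```

A domain reported with kind dontaudit is the case from this bug: the denial is silenced in enforcing mode, so the missing transition only shows up once the system runs permissive.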