Bug 167507 - selinux and /srv and /var/ftp/incoming problems
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: initscripts
Version: 4
Hardware: i386 Linux
Priority: medium
Severity: medium
Assigned To: Bill Nottingham
Brock Organ
https://www.redhat.com/archives/fedor...
Reported: 2005-09-03 13:41 EDT by Razvan Sandu
Modified: 2014-03-16 22:55 EDT
Doc Type: Bug Fix
Last Closed: 2005-09-19 12:30:42 EDT
Description Razvan Sandu 2005-09-03 13:41:04 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ro-RO; rv:1.7.10) Gecko/20050717 Firefox/1.0.6

Description of problem:
Hello all,

Despite the indications given in ftpd_selinux(8) manpage and in responses to my previous post here:

https://www.redhat.com/archives/fedora-list/2005-August/msg02370.html

about /etc/selinux/targeted/contexts/files/file_contexts.local, doing a

# touch /.autorelabel; reboot
relabels

- customisable directories under /srv of type var_t instead of the manually configured ftpd_anon_rw_t;

- /var/ftp/incoming  instead of the manually configured ftpd_anon_rw_t;

This is very annoying, since any automatic relabeling will break the server's functionality.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.25.4-10

How reproducible:
Always

Steps to Reproduce:
1. Create free-form directories under /srv (to host fileserver user data) and/or /var/ftp/incoming (to allow anonymous upload)
2. Make these directories ftpd_anon_rw_t
3. Do a touch /.autorelabel; reboot

  

Actual Results:  Directories get relabeled to types var_t (directories under /srv) and ftpd_anon_t (/var/ftp/incoming), respectively.


Expected Results:  Both should remain ftpd_anon_rw_t, in order to allow their respective functions.


Additional info:

[root@mexcentral3 ~]# ls -lZ /var/ftp
drwx------  ftp      root     system_u:object_r:ftpd_anon_t incoming


[root@mexcentral3 ~]# ls -lZ /srv
drwxrwsr-x  root     somegroup  system_u:object_r:var_t somedir

[root@mexcentral3 ~]# cat /etc/selinux/targeted/booleans.local
allow_ypbind=0
samba_enable_home_dirs=1
allow_smbd_anon_write=1
allow_ftpd_anon_write=1
ftpd_is_daemon=1

[root@mexcentral3 ~]# cat /etc/selinux/targeted/contexts/files/file_contexts.local
/var/ftp(/.*)? system_u:object_r:ftpd_anon_t
/var/ftp/incoming(/.*)? system_u:object_r:ftpd_anon_rw_t
Comment 1 Daniel Walsh 2005-09-19 11:37:04 EDT
This is a bug in initscripts which is calling fixfiles with the -F flag, which
tells it to ignore customizable types.  It should just call
fixfiles restore
like it does in rawhide.

You should not need to relabel unless you reboot without an SELinux kernel.  If
you are seeing a labeling problem you can usually clean it up with restorecon or
fixfiles without needing to touch /.autorelabel and rebooting.

Dan
Comment 2 Bill Nottingham 2005-09-19 12:30:42 EDT
Closing as fixed in rawhide.
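
Added example (not part of the original bug report or of initscripts): a small offline audit that compares the types in the `ls -lZ` output quoted in the description against the entries in the reporter's file_contexts.local, to flag directories whose label no longer matches after a relabel. It assumes the last matching entry wins and that Python's `re.fullmatch` is close enough to the anchored regex matching used for file contexts; the function names are hypothetical.

```python
import re

# Entries copied from the reporter's file_contexts.local (see the description).
FILE_CONTEXTS_LOCAL = """\
/var/ftp(/.*)? system_u:object_r:ftpd_anon_t
/var/ftp/incoming(/.*)? system_u:object_r:ftpd_anon_rw_t
"""

# (listed directory, `ls -lZ` line) pairs taken from the report's output.
LS_Z_OUTPUT = [
    ("/var/ftp", "drwx------  ftp      root     system_u:object_r:ftpd_anon_t incoming"),
    ("/srv", "drwxrwsr-x  root     somegroup  system_u:object_r:var_t somedir"),
]

def parse_specs(text):
    """Return [(compiled_regex, type)] in file order, skipping blanks and comments."""
    specs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # First field is the path regex, last field is user:role:type[:level].
        specs.append((re.compile(fields[0]), fields[-1].split(":")[2]))
    return specs

def expected_type(path, specs):
    """Assumption: the last matching entry wins (simplified lookup order)."""
    found = None
    for regex, setype in specs:
        if regex.fullmatch(path):
            found = setype
    return found

def audit(listings, specs):
    """Compare each entry's current type with the type the local specs ask for."""
    report = []
    for parent, line in listings:
        fields = line.split()
        path = parent.rstrip("/") + "/" + fields[-1]
        current = fields[-2].split(":")[2]
        wanted = expected_type(path, specs)
        if wanted is None:
            status = "no-local-rule"
        else:
            status = "ok" if current == wanted else "mislabeled"
        report.append((path, current, wanted, status))
    return report

if __name__ == "__main__":
    for row in audit(LS_Z_OUTPUT, parse_specs(FILE_CONTEXTS_LOCAL)):
        print(*row)
```

On a live system the same comparison can be done with `matchpathcon` or a dry-run `restorecon -n -v`, without touching /.autorelabel.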
