
[lmi] ZOMG selinux [Was: chroot's '/' must not have 0700 perms]


From: Greg Chicares
Subject: [lmi] ZOMG selinux [Was: chroot's '/' must not have 0700 perms]
Date: Sat, 30 Oct 2021 22:59:25 +0000
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.13.0

On 2/8/20 11:32 PM, Greg Chicares wrote:
> [Posted for historical reasons. The problem may already be resolved.]

To my dismay, this search:
  https://www.google.com/search?q=%22failed+to+change+to+directory+%2Ftmp%22
led to the message I'm replying to. If its author could help,
I wouldn't be searching the web.

> schroot --chroot=${CHRTNAME} --user="${NORMAL_USER}" --directory=/tmp ./lmi_setup_40.sh
> + schroot --chroot=lmi_bullseye_1 --user=REDACTED_USER --directory=/tmp ./lmi_setup_40.sh
> E: Failed to change to directory ‘/tmp’: Permission denied

The reason why that failed on a corporate redhat server in 2020-02 was:

> sudo ls -ld /srv/chroot/lmi_bullseye_1
> drwx------ 18 root root 4096 Feb  5 16:12 /srv/chroot/lmi_bullseye_1

...and the solution then was:

> so we want chmod 755:
> 
> $stat -c '%a %A %U %G %n' /srv/chroot/bullseye0
> 755 drwxr-xr-x root root /srv/chroot/bullseye0

Today's problem looks similar (the same 'schroot' command fails),
but the classic permissions are 777, so the cause is different:

  $ls -ld /srv/chroot/lmi_bookworm_4/tmp
  ls: cannot access /srv/chroot/lmi_bookworm_4/tmp: Permission denied

  $sudo ls -ld /srv/chroot/lmi_bookworm_4/tmp
  drwxrwxrwt. 3 root root 4096 Oct 30 11:59 /srv/chroot/lmi_bookworm_4/tmp

Examining the permissions:

  - drwxr-xr-x
  + drwxrwxrwt.

...I don't see how the 't' sticky bit could be the problem, especially
because it's set on my personal machine, where everything just works:

  $ls -ld /srv/chroot/lmi_bookworm_4/tmp
  drwxrwxrwt 7 root root 12288 Oct 28 20:56 /srv/chroot/lmi_bookworm_4/tmp

...so that leaves the selinux '.' suffix. The selinux context is:

  $sudo ls -ldZ /srv/chroot/lmi_bookworm_4/tmp
  drwxrwxrwx. root root unconfined_u:object_r:tmp_t:s0 /srv/chroot/lmi_bookworm_4/tmp

Vadim, can you suggest an appropriate way to address this?
I initially hoped that '/tmp' was considered exceptionally
dangerous, and using '/opt/lmi/tmp' would sidestep the
difficulty; but my normal user can't access even its own
home directory inside that chroot, so I'm wondering whether
I need to make time for a deep dive into selinux.


