Re: [lmi] ZOMG selinux
From: Greg Chicares
Subject: Re: [lmi] ZOMG selinux
Date: Sun, 31 Oct 2021 00:21:02 +0000
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.13.0
On 10/30/21 11:34 PM, Vadim Zeitlin wrote:
> On Sat, 30 Oct 2021 22:59:25 +0000 Greg Chicares <gchicares@sbcglobal.net>
> wrote:
>
> GC> On 2/8/20 11:32 PM, Greg Chicares wrote:
[...]
> GC> Today's problem looks similar (the same 'schroot' command fails,
> GC> but the classic permissions are 777, so the cause is different:
> GC>
> GC> $ls -ld /srv/chroot/lmi_bookworm_4/tmp
> GC> ls: cannot access /srv/chroot/lmi_bookworm_4/tmp: Permission denied
> GC>
> GC> $sudo ls -ld /srv/chroot/lmi_bookworm_4/tmp
> GC> drwxrwxrwt. 3 root root 4096 Oct 30 11:59 /srv/chroot/lmi_bookworm_4/tmp
>
> Sorry for a stupid question, but have you checked the permissions on the
> intermediate directories, i.e. /srv/chroot and /srv/chroot/lmi_bookworm_4
> (the standard /srv permissions should be open enough to allow access to its
> subdirectories)?
[redacted to hide our real user names]
/home/GREG[0]$sudo su -
Last login: [REDACTED]
/root[0]#ls -ldZ /srv
drwxr-xr-x. root root system_u:object_r:var_t:s0 /srv
/root[0]#ls -ldZ /srv/chroot
drwxr-xr-x. root root system_u:object_r:var_t:s0 /srv/chroot
/root[0]#ls -ldZ /srv/chroot/lmi_b*
drwxrwx---. root root unconfined_u:object_r:var_t:s0 /srv/chroot/lmi_bookworm_4
drwxrwxr-x. root root unconfined_u:object_r:var_t:s0 /srv/chroot/lmi_bullseye_3
The older "bullseye_3" chroot works; the "bookworm_4" one doesn't.
I can remove that '---' vs. 'r-x' difference. Both normal users are
members of an 'lmi' group, but neither belongs to the 'root' group,
so we'd only have '---' permissions to the chroot's '/'.
> GC> [...] The selinux context is:
> GC>
> GC> $sudo ls -ldZ /srv/chroot/lmi_bookworm_4/tmp
> GC> drwxrwxrwx. root root unconfined_u:object_r:tmp_t:s0 /srv/chroot/lmi_bookworm_4/tmp
> GC>
> GC> Vadim, can you suggest an appropriate way to address this?
>
> Right now I can't, sorry. I don't know much about SELinux and from what
> little I know it looks like it shouldn't be disallowing access to this
> directory based on the context shown above. But I could well be wrong
> because I really don't know enough about it. I'd still like to ask, just in
> case, about the output of "id -Z" command for your normal user and for the
> SELinux context of some directory you do have access to, e.g. /srv itself.
> What does it look like and does it differ from the context for this one?
/root[1]#id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
/root[0]#exit
/home/GREG[0]$id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
AFAICT, that's expected: even when I become root, selinux knows
who I really am.
/home/GREG[0]$ls -lZ /srv/chroot/lmi_b*
ls: cannot open directory /srv/chroot/lmi_bookworm_4: Permission denied
/srv/chroot/lmi_bullseye_3:
lrwxrwxrwx. root root unconfined_u:object_r:var_t:s0 bin -> usr/bin
drwxr-xr-x. root root unconfined_u:object_r:var_t:s0 boot
[...snip many similar entries...]
drwxr-xr-x. root root unconfined_u:object_r:var_t:s0 opt
[becoming root again...]
/root[0]#ls -ldZ /srv/chroot/lmi_b**/opt/lmi
drwxrws---. GREG lmi unconfined_u:object_r:var_t:s0 /srv/chroot/lmi_bookworm_4/opt/lmi
drwxrwsr-x. KIM lmi unconfined_u:object_r:var_t:s0 /srv/chroot/lmi_bullseye_3/opt/lmi
Both users are members of the 'lmi' group, and the selinux contexts
are the same, so I should think we'd have 'rwx' access to '/opt/lmi/'
in both chroots. But tomorrow I'll try liberalizing the classic *nix
permissions for the "bookworm" chroot.
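The check Vadim asks for, walking every intermediate directory and testing the classic mode bits for a specific user, can be scripted so that DAC and SELinux are reported side by side. The script below is an added example, not code from the lmi project or from either correspondent. It assumes GNU coreutils `stat` (Linux), takes the user name and group list as arguments rather than resolving the caller's own identity, and uses made-up names ("alice", "lmi") in its comments and test; the paths from the thread are only illustrative.

```shell
#!/bin/sh
# Added example, not code from the lmi thread.  Walks the parent chain of a
# path and reports, for a named user with a given group list, whether the
# classic (DAC) mode bits grant search (x) on every component, printing the
# SELinux context next to each so the two layers can be told apart.  Assumes
# GNU coreutils `stat` (Linux); the names "alice" and "lmi" below are made up.

# x_bit DIGIT: succeed if this octal permission digit has the execute bit.
x_bit() {
    case "$1" in 1|3|5|7) return 0 ;; *) return 1 ;; esac
}

# in_list WORD LIST: succeed if WORD is one of the space-separated LIST.
in_list() {
    for w in $2; do [ "$w" = "$1" ] && return 0; done
    return 1
}

# can_search DIR USER GROUPS: succeed if USER, a member of GROUPS, may
# traverse DIR under DAC rules.  As the kernel does, exactly one class is
# consulted: owner bits if USER owns DIR, else group bits if DIR's group is
# in GROUPS, else the 'other' bits.  This is why a 770 root:root directory
# blocks an 'lmi' member even when everything below it is wide open.
can_search() {
    owner=$(stat -c %U "$1") || return 1
    group=$(stat -c %G "$1") || return 1
    mode=$(stat -c %a "$1") || return 1
    perm=$(printf '%s' "$mode" | tail -c 3)   # drop a leading setgid/sticky digit
    if [ "$owner" = "$2" ]; then
        digit=$(printf '%s' "$perm" | cut -c1)
    elif in_list "$group" "$3"; then
        digit=$(printf '%s' "$perm" | cut -c2)
    else
        digit=$(printf '%s' "$perm" | cut -c3)
    fi
    x_bit "$digit"
}

# dac_traversal_check PATH USER GROUPS: check every directory from / down to
# PATH's parent.  One report line per component (mode owner group context
# path verdict) goes to stderr; the first component that denies search is
# echoed on stdout and the function returns 1.  Returns 0, printing nothing
# on stdout, when the whole chain is open.  Listing PATH itself additionally
# needs 'r' on PATH, which is not checked here.
dac_traversal_check() {
    target=$1; user=$2; groups=$3
    blocked=""
    parent=$(dirname "$target")
    # Split the parent path on '/' without glob expansion of the pieces.
    old_ifs=$IFS; IFS=/; set -f; set -- $parent; set +f; IFS=$old_ifs
    prefix=""
    for comp in "" "$@"; do
        # The leading "" stands for /; skip any other empty component ("//").
        [ -z "$comp" ] && [ -n "$prefix" ] && continue
        prefix="${prefix%/}/$comp"
        ctx=$(stat -c %C "$prefix" 2>/dev/null) || ctx='?'
        if can_search "$prefix" "$user" "$groups"; then
            verdict=ok
        else
            verdict=DENIED
            [ -n "$blocked" ] || blocked=$prefix
        fi
        printf '%-4s %-10s %-10s %s %s %s\n' "$(stat -c %a "$prefix")" \
            "$(stat -c %U "$prefix")" "$(stat -c %G "$prefix")" \
            "$ctx" "$prefix" "$verdict" >&2
    done
    [ -z "$blocked" ] && return 0
    printf '%s\n' "$blocked"
    return 1
}

# Command-line use, e.g.:  sh dac_check.sh /srv/chroot/lmi_bookworm_4/tmp kim
# (the user's real group list is looked up with `id -Gn`).
if [ "$#" -ge 2 ]; then
    dac_traversal_check "$1" "$2" "$(id -Gn "$2")"
fi
```

Run as root so that every component can be stat'ed. If every line reads "ok" under DAC and the access is still denied, the denial is SELinux's, and the AVC records in the audit log (`ausearch -m AVC -ts recent`) say which source context, target context and class were refused; if a line reads DENIED, as a 770 root:root intermediate directory will for any user outside the root group, the classic mode bits explain the failure on their own and the SELinux context is a red herring.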