[mdlug] [WLUG] SELinux permissions

John Wiersba jrw32982 at yahoo.com
Wed Jan 16 23:26:15 EST 2013


The filesystem in question is afs.  For some reason afs doesn't use the normal getfacl utilities but uses fs instead.  I'm investigating the output of fs now...





>________________________________
> From: John Wiersba <jrw32982 at yahoo.com>
>To: "linux-users at lugwash.org" <linux-users at lugwash.org> 
>Cc: "mdlug at mdlug.org" <mdlug at mdlug.org> 
>Sent: Wednesday, January 16, 2013 10:50 PM
>Subject: Re: [WLUG] SELinux permissions
> 
>From what I've read in the manpage for ls, the "." (dot) at the end of the
>permissions means selinux.
>
>getfacl foo
># file: foo
># owner: otheruser
># group: users
>user::rwx
>group::---
>other::---
>
>But yet, I can create a subdirectory a couple levels down underneath this
>directory foo.  There must be something other than the permissions coming
>into play, since the permissions are 700.
>
>
>
>
>
>>________________________________
>> From: "Budde, Josh" <jbudde at med.umich.edu>
>>To: "<linux-users at lugwash.org>" <linux-users at lugwash.org> 
>>Cc: "mdlug at mdlug.org" <mdlug at mdlug.org> 
>>Sent: Wednesday, January 16, 2013 10:40 PM
>>Subject: Re: [WLUG] SELinux permissions
>> 
>>Doesn't sound like selinux; sounds like filesystem ACLs. Try running getfacl
>>foo and seeing what it says
>>
>>Josh
>>
>>On Jan 16, 2013, at 10:37 PM, John Wiersba <jrw32982 at yahoo.com> wrote:
>>
>>> Can someone please explain a little bit about selinux?
>>>
>>> I see a directory foo with permissions drwx------. (note the trailing dot)
>>> owned by another user, with a security context of (ls -lZ)
>>> system_u:object_r:nfs_t:s0.  My user runs as security context (id -Z)
>>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023.
>>>
>>> For some reason I don't understand, even though permissions are 700 on
>>> the directory foo, I can still create a subdirectory bar under it.
>>> However, I cannot remove the subdirectory bar once it has been created.  It
>>> appears that my user has somehow been granted permissions to create an
>>> object under this directory foo but not the permissions to remove an
>>> object from it, even one that I own.  And all that even though permissions
>>> are 700 with the directory foo being owned by another user.
>>>
>>> Is there any way to understand that based on what is visible to
>>> me as a user (not a sysadmin)?
>>> --
>>> ***  Sent from linux-users at lugwash.org  ***  http://www.lugwash.org
>>> to unsubscribe: `echo "unsubscribe" | mail linux-users-request at lugwash.org`


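The thread's puzzle (a directory showing mode 700 and owned by someone else, yet the poster can create a subdirectory under it but not remove it) is what AFS directory ACLs look like from the outside: AFS ignores the directory mode bits that ls prints and decides on the per-directory ACL that `fs listacl` shows, where "insert" (i) and "delete" (d) are separate rights, and delete is checked on the parent directory regardless of who owns the entry. The trailing dot in `drwx------.` only says the file carries a security context; an ACL-bearing file on a POSIX ACL filesystem would show `+` instead. The following is an added example, not code from the thread or from OpenAFS: it parses constructed `fs listacl`-style output (the principal names `otheruser`, `jrw` and the exact rights strings are assumptions chosen to reproduce the situation described) and reports whether a given principal can create or remove entries under the directory.

```python
"""Parse `fs listacl` output and explain AFS directory rights.

Added example, not from the mailing-list thread or from OpenAFS. The ACL
text below is constructed to match the situation described in the thread
(create allowed, remove denied); the principal names are assumptions.
"""

# AFS directory rights, one letter each, in the order AFS prints them.
AFS_RIGHTS = {
    "r": "read",
    "l": "lookup",
    "i": "insert",
    "d": "delete",
    "w": "write",
    "k": "lock",
    "a": "administer",
}
RIGHT_ORDER = "rlidwka"

# Constructed sample of `fs listacl foo` output (not captured from a real cell).
# Every authenticated user gets lookup + insert but not delete.
SAMPLE_LISTACL = """Access list for foo is
Normal rights:
  system:administrators rlidwka
  otheruser rlidwka
  system:authuser li
"""


def parse_listacl(text):
    """Return (normal, negative): two {principal: set(rights)} maps for the
    'Normal rights:' and optional 'Negative rights:' sections."""
    normal, negative = {}, {}
    current = None
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("Normal rights:"):
            current = normal
        elif line.startswith("Negative rights:"):
            current = negative
        elif current is not None and line.startswith("  "):
            principal, rights = line.split()
            current[principal] = set(rights)
    return normal, negative


def effective_rights(acl, user, groups=()):
    """Union of positive rights for the user, its groups, system:anyuser and
    system:authuser (assumed: `user` is an authenticated principal), minus any
    negative rights for the same principals."""
    normal, negative = acl
    principals = {user, "system:anyuser", "system:authuser", *groups}
    granted, denied = set(), set()
    for p in principals:
        granted |= normal.get(p, set())
        denied |= negative.get(p, set())
    return granted - denied


def can_create_subdir(rights):
    # mkdir needs insert plus lookup on the parent directory
    return {"i", "l"} <= rights


def can_remove_entry(rights):
    # rmdir/unlink needs delete plus lookup on the parent directory,
    # no matter who owns the entry being removed
    return {"d", "l"} <= rights


def explain(user, acl_text=SAMPLE_LISTACL, groups=()):
    """Summarise what `user` can do under the directory the ACL belongs to."""
    rights = effective_rights(parse_listacl(acl_text), user, groups)
    return {
        "rights": "".join(sorted(rights, key=RIGHT_ORDER.index)),
        "create": can_create_subdir(rights),
        "remove": can_remove_entry(rights),
    }


if __name__ == "__main__":
    for who in ("jrw", "otheruser"):
        r = explain(who)
        print(f"{who}: rights={r['rights']} create={r['create']} remove={r['remove']}")
```

With the constructed ACL, `jrw` resolves to `li` via system:authuser (create allowed, remove denied) while `otheruser` holds `rlidwka`; a user who is not a sysadmin can run `fs listacl` on the directory to see the same thing directly.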