SELinux sets wrong context by default

Whity
Posts: 2
Joined: 2015/04/21 13:21:23

SELinux sets wrong context by default

Post by Whity » 2015/04/21 14:10:16

Hi,

Had a strange behavior of SELinux some days ago and started to have a closer look at it today. If I create a new file or directory it sets the wrong user context.
Had it on two servers I have tested, and then deployed a base install from my template within VMware, where I had the same behavior.

Maybe it's better to provide an example of how to reproduce it.

My System:
CentOS 6.6

# rpm -qa | grep selinux
libselinux-ruby-2.0.94-5.8.el6.x86_64
selinux-policy-3.7.19-260.el6_6.2.noarch
libselinux-2.0.94-5.8.el6.x86_64
selinux-policy-targeted-3.7.19-260.el6_6.2.noarch
libselinux-utils-2.0.94-5.8.el6.x86_64

# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted

Steps to reproduce:

Go to a directory with known context set file_contexts, in my case /var/spool/mail/
Context: /var/spool/mail(/.*)? system_u:object_r:mail_spool_t:s0

Create a file:

# touch newfile
# ls -lZ newfile 
-rw-r--r--. root root unconfined_u:object_r:mail_spool_t:s0 newfile
Wrong, should be "system_u:object_r:mail_spool_t"

Compare the current context with the default one it should have:

# matchpathcon -V newfile 
newfile has context unconfined_u:object_r:mail_spool_t:s0, should be <<none>>
Wrong, should show the correct context instead of "<<none>>"

Restore the context of the file:

# restorecon -v newfile 
# ls -lZ newfile 
-rw-r--r--. root root unconfined_u:object_r:mail_spool_t:s0 newfile
Nothing has changed

Force the restore of the context:

# restorecon -v -F newfile
restorecon reset /var/spool/mail/newfile context unconfined_u:object_r:mail_spool_t:s0->system_u:object_r:mail_spool_t:s0

# ls -lZ newfile 
-rw-r--r--. root root system_u:object_r:mail_spool_t:s0 newfile
The context changed to the correct one, but only when forcing it.

Content of "/etc/selinux/targeted/contexts/customizable_types":

sandbox_file_t
svirt_image_t
svirt_sandbox_file_t
virt_content_t
httpd_user_htaccess_t
httpd_user_script_exec_t
httpd_user_content_ra_t
httpd_user_content_rw_t
httpd_user_content_t
git_session_content_t
home_bin_t
So, it shouldn't be ignored, or is there any other file which may prevent the context from changing without forcing it?

If I change the user and type context to something wrong, it restores the type, but not the user context (without forcing it):

# chcon -u unconfined_u -t admin_home_t newfile

# restorecon -v newfile 
restorecon reset /var/spool/mail/newfile context unconfined_u:object_r:admin_home_t:s0->unconfined_u:object_r:mail_spool_t:s0
Any ideas what that could be?

Thanks,
Urs

Whity
Posts: 2
Joined: 2015/04/21 13:21:23

Re: SELinux sets wrong context by default

Post by Whity » 2015/04/22 07:10:29

OK, I think I know where it comes from. I compared the contexts of the processes between two very similar servers running the same applications, but one of them causes problems.

Works fine:

system_u:system_r:initrc_t:s0    1639 ?        00:00:04 courierlogger
system_u:system_r:initrc_t:s0    1640 ?        00:00:06 couriertcpd
system_u:system_r:initrc_t:s0   43579 ?        00:00:00 imapd
system_u:system_r:initrc_t:s0   43581 ?        00:00:00 couriertls
Doesn't work:

unconfined_u:system_r:initrc_t:s0 15862 ?      00:00:00 courierlogger
unconfined_u:system_r:initrc_t:s0 15863 ?      00:00:00 couriertcpd
unconfined_u:system_r:initrc_t:s0 42875 ?      00:00:00 imapd
unconfined_u:system_r:initrc_t:s0 43207 ?      00:00:00 couriertls
So, the processes are running under the wrong context.

TrevorH
Site Admin
Posts: 33215
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SELinux sets wrong context by default

Post by TrevorH » 2015/04/22 08:50:52

Your command prompt is unconfined so when you touch a file then it gets created with that.
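As an added example (not code from this thread), here is a small Python model of the labeling behaviour behind the answer above and the reproduction steps in the first post: a file_contexts lookup that full-matches the path exactly as given (so the relative `newfile` matches no spec, consistent with the `<<none>>` shown), and a restorecon predictor that rewrites only the type field unless forced, which is why the unconfined_u user part survived a plain restorecon. The file_contexts fragment and the customizable_types subset are constructed; only the /var/spool/mail line comes from the post.

```python
import re

# Constructed file_contexts fragment (format: <regex> [<file type>] <context>).
# The /var/spool/mail line is the one quoted in the thread; the others are assumptions.
FILE_CONTEXTS = """
/.*                     system_u:object_r:default_t:s0
/var/spool/mail(/.*)?   system_u:object_r:mail_spool_t:s0
/root(/.*)?             system_u:object_r:admin_home_t:s0
"""
# A plain restorecon leaves files of these types alone (subset of customizable_types).
CUSTOMIZABLE_TYPES = {"sandbox_file_t", "svirt_image_t", "home_bin_t"}

def parse_file_contexts(text):
    """Return (compiled regex, context) pairs in file order; file-type field ignored."""
    specs = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if len(parts) == 3:          # optional file-type field such as -d or --
            del parts[1]
        regex, ctx = parts
        specs.append((re.compile(regex), ctx))
    return specs

def matchpathcon(path, specs):
    """Full-match the path exactly as given; the last matching spec wins.
    A relative path like 'newfile' matches no spec, hence the <<none>> in the post."""
    hit = None
    for regex, ctx in specs:
        if regex.fullmatch(path):
            hit = ctx
    return hit

def restorecon_plan(path, observed, specs, force=False):
    """Predict what restorecon writes: only the type field without -F, the whole
    user:role:type:level with -F. Returns (new context, list of changed fields)."""
    expected = matchpathcon(path, specs)
    if expected is None:
        return observed, []
    obs = observed.split(":", 3)            # level may itself contain ':' (s0:c0.c3)
    exp = expected.split(":", 3)
    if not force and obs[2] in CUSTOMIZABLE_TYPES:
        return observed, []                 # customizable type: untouched without -F
    new = exp if force else [obs[0], obs[1], exp[2], obs[3]]
    names = ("user", "role", "type", "level")
    changed = [n for n, a, b in zip(names, obs, new) if a != b]
    return ":".join(new), changed
```

Running `restorecon_plan("/var/spool/mail/newfile", "unconfined_u:object_r:mail_spool_t:s0", specs)` with and without `force=True` reproduces the two restorecon results in the first post: no change, then a user-only reset to system_u.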
