I am running fedora 30 with an encrypted homedir using ecryptfs, and selinux set to enforcing. Most of it works just fine out of the box, but I do keep getting some AVC denial errors once in a while. Most of those are related to my homedir. I'll pick out one that seems to be caused by a cronjob that runs I think every 4 days? Not 100% sure about the frequency though.
That task runs in source context `system_mail_t` and gets denied access to `mktemp` a directory in context `ecryptfs_t`. So I think that the cronjob is trying to mail something and make a directory in the process in my homedir. In regular unencrypted homedirs, the context of the homedir is `user_home_t`. So I am guessing, that process is allowed to `mktemp` in `user_home_t` but not in `ecryptfs_t`, hence the error.

So my question is: the decrypted/mounted homedir, what should its file context be? `user_home_t` or `ecryptfs_t`? Maybe my filecontext is wrong? I can change it but don't want to do so if that isn't what it is supposed to be. I could potentially also add a policy that allows programs of `system_mail_t` to `mktemp` on `ecryptfs_t`. But there are more processes that get denials, so fixing all of those would take some time.

Automating the fix with `audit2allow` and `ausearch` doesn't work, because the `mktemp` command creates a different directory every time, so all audit2allow does is allow that specific directory. But next time the temp dir name is different again :)
Here is an example of the troubleshooter log for the error:
```selinux
SELinux is preventing mktemp from create access on the directory z2Th7jL2.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that mktemp should be allowed create access on the z2Th7jL2 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'mktemp' --raw | audit2allow -M my-mktemp
# semodule -X 300 -i my-mktemp.pp

Additional Information:
Source Context                system_u:system_r:system_mail_t:s0-s0:c0.c1023
Target Context                system_u:object_r:ecryptfs_t:s0
Target Objects                z2Th7jL2 [ dir ]
Source                        mktemp
Source Path                   mktemp
Port                          <Unknown>
Host                          matebook-x-pro
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.3-45.fc30.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     matebook-x-pro
Platform                      Linux matebook-x-pro 5.2.11-200.fc30.x86_64 #1 SMP
                              Thu Aug 29 12:43:20 UTC 2019 x86_64 x86_64
Alert Count                   51
First Seen                    2019-08-18 18:00:02 PST
Last Seen                     2019-09-12 12:00:02 PST
Local ID                      2bca5b1b-847e-4c8c-b79b-65cb0549ada5

Raw Audit Messages
type=AVC msg=audit(1568260802.570:397): avc: denied { create } for pid=14209 comm="mktemp" name="z2Th7jL2" scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ecryptfs_t:s0 tclass=dir permissive=0

Hash: mktemp,system_mail_t,ecryptfs_t,dir,create
```
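The troubleshooter's `Hash:` line groups the denial by source type, target type, object class and permission, and that tuple (not the random directory name) is what an SELinux allow rule is keyed on. The following script is an added example, not part of the original post or of any SELinux tool: it parses raw `type=AVC` audit lines and aggregates them by that tuple, so a set of denials with different `mktemp` names collapses into one group. The audit lines in `SAMPLE_AUDIT_LOG` are constructed for the example (the first is modelled on the one quoted above; the others are made up, with different temp directory names and a second, hypothetical `sendmail` denial for contrast).

```python
import re
from collections import defaultdict

# Constructed sample of raw audit messages. The first line mirrors the AVC
# denial quoted in the post; the second has a different random mktemp name,
# and the third is a made-up denial for a different program and permission.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1568260802.570:397): avc:  denied  { create } for  pid=14209 comm="mktemp" name="z2Th7jL2" scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ecryptfs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1568606402.112:512): avc:  denied  { create } for  pid=20811 comm="mktemp" name="Kq9x1Pm4" scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ecryptfs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1568952003.004:601): avc:  denied  { write } for  pid=22034 comm="sendmail" name="dead.letter" scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ecryptfs_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1568260802.570:397): arch=c000003e syscall=83 success=no exit=-13
"""

# "avc:  denied  { create }" -> the permission set inside the braces
AVC_DENIED_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}')
# key=value pairs; values are either double-quoted or a run of non-space chars
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type (third field) of a user:role:type[:range] security context."""
    return context.split(':')[2]


def parse_avc(line):
    """Parse one raw audit line; return a dict for AVC denials, None for anything else."""
    m = AVC_DENIED_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return {
        'perms': m.group('perms').split(),
        'comm': fields.get('comm', '?'),
        'name': fields.get('name'),          # object name, absent on some denials
        'stype': selinux_type(fields['scontext']),
        'ttype': selinux_type(fields['tcontext']),
        'tclass': fields['tclass'],
    }


def summarize(log_text):
    """Group denials by (source type, target type, class, permission).

    The object names and process names are collected per group only to show
    that they vary while the group key, which a policy rule is keyed on, does not.
    """
    groups = defaultdict(lambda: {'count': 0, 'names': set(), 'comms': set()})
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        for perm in d['perms']:
            g = groups[(d['stype'], d['ttype'], d['tclass'], perm)]
            g['count'] += 1
            g['comms'].add(d['comm'])
            if d['name']:
                g['names'].add(d['name'])
    return dict(groups)


def allow_rule(key):
    """Render a group key in the allow-statement syntax audit2allow would emit."""
    stype, ttype, tclass, perm = key
    return f'allow {stype} {ttype}:{tclass} {perm};'


if __name__ == '__main__':
    for key, g in sorted(summarize(SAMPLE_AUDIT_LOG).items()):
        print(f"{g['count']:3d}x  {allow_rule(key):50s} "
              f"comm={sorted(g['comms'])} names={sorted(g['names'])}")
```

On real data you would feed it `ausearch -m AVC --raw` output instead of the constructed sample. The grouping only tells you which type pairs are involved; it does not decide whether the right fix is a policy rule for `ecryptfs_t` or a relabel of the mounted homedir, which is the question the post asks.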