Hello All
I am working on Fedora 13 and VirtualBox 3.2
Currently I am trying to apply a SELinux module that was created on Ubuntu to Fedora 13. Because I believe I understand what it should do, I just tried to make it run under F-13. I have three files: vbox.te, vbox.if, vbox.fc to create a policy module.
After making the vbox.pp I can load it with "semodule -I vbox.pp" and the module shows up in semodule -l correctly. The motivation to change these file contexts is to prepare for correct type-transition rules so they match the defined rules.
Unfortunately the file context is never set as needed and as described in the vbox.fc.
When I check .../file_contexts the correct statements are included, but they happen to appear later than something that was there before... (or is there if the module is removed):

# matchpathcon /usr/lib/virtualbox/
/usr/lib/virtualbox	system_u:object_r:lib_t:s0
# matchpathcon -f f13vbox.fc /usr/lib/virtualbox/
/usr/lib/virtualbox	<<none>>

Next I tried to do it with semanage fcontext -t:

[~]$ sudo semanage fcontext -a -t vbox_manage_exec_t /usr/lib/virtualbox/VboxManage
[~]$ ls -lZ /usr/lib/virtualbox/VBoxManage
-rwxr-xr-x. root root system_u:object_r:lib_t:s0 /usr/lib/virtualbox/VBoxManage

I'd expect that the lib_t is replaced by vbox_manage_exec_t. What is the problem? My understanding of what should happen might be wrong...
Thanks for your answers.
Andreas
---
Contents of vbox.fc

/dev/vboxdrv	gen_context(system_u:object_r:vbox_run_t,s0)
/dev/vboxnetctl	gen_context(system_u:object_r:vbox_run_t,s0)
/usr/lib/virtualbox	gen_context(system_u:object_r:vbox_run_t,s0)
/usr/lib/virtualbox/(.*)	gen_context(system_u:object_r:vbox_run_t,s0)
/usr/lib/virtualbox/VBoxManage	--	gen_context(system_u:object_r:vbox_manage_exec_t,s0)
/usr/lib/virtualbox/VBoxXPCOMIPCD	--	gen_context(system_u:object_r:vbox_ipc_exec_t,s0)
/usr/lib/virtualbox/VirtualBox	--	gen_context(system_u:object_r:vbox_vbox_exec_t,s0)
/usr/lib/virtualbox/VBoxSDL	--	gen_context(system_u:object_r:vbox_vbox_exec_t,s0)
/usr/lib/virtualbox/VBoxSVC	--	gen_context(system_u:object_r:vbox_svc_exec_t,s0)
HOME_DIR/.VirtualBox(/.*)?	gen_context(system_u:object_r:vbox_run_t,s0)
---
On 02/21/2011 04:15 PM, Andreas Bolatzki wrote:
> Hello All
> I am working on Fedora 13 and VirtualBox 3.2
> Currently I am trying to apply a SELinux module that was created on Ubuntu to Fedora 13. Because I believe I understand what it should do, I just tried to make it run under F-13. I have three files: vbox.te, vbox.if, vbox.fc to create a policy module.
> After making the vbox.pp I can load it with "semodule -I vbox.pp" and the module shows up in semodule -l correctly. The motivation to change these file contexts is to prepare for correct type-transition rules so they match the defined rules.
> Unfortunately the file context is never set as needed and as described in the vbox.fc.
> When I check .../file_contexts the correct statements are included, but they happen to appear later than something that was there before... (or is there if the module is removed):
>
> # matchpathcon /usr/lib/virtualbox/
> /usr/lib/virtualbox	system_u:object_r:lib_t:s0
> # matchpathcon -f f13vbox.fc /usr/lib/virtualbox/
> /usr/lib/virtualbox	<<none>>
>
> Next I tried to do it with semanage fcontext -t:
>
> [~]$ sudo semanage fcontext -a -t vbox_manage_exec_t /usr/lib/virtualbox/VboxManage
> [~]$ ls -lZ /usr/lib/virtualbox/VBoxManage
> -rwxr-xr-x. root root system_u:object_r:lib_t:s0 /usr/lib/virtualbox/VBoxManage
That semanage command above only adds a new file context specification. You have to restore the context after that to actually apply the specified file context.
> I'd expect that the lib_t is replaced by vbox_manage_exec_t. What is the problem? My understanding of what should happen might be wrong...
> Thanks for your answers.
> Andreas
>
> Contents of vbox.fc
>
> /dev/vboxdrv	gen_context(system_u:object_r:vbox_run_t,s0)
> /dev/vboxnetctl	gen_context(system_u:object_r:vbox_run_t,s0)
> /usr/lib/virtualbox	gen_context(system_u:object_r:vbox_run_t,s0)
> /usr/lib/virtualbox/(.*)	gen_context(system_u:object_r:vbox_run_t,s0)
> /usr/lib/virtualbox/VBoxManage	--	gen_context(system_u:object_r:vbox_manage_exec_t,s0)
> /usr/lib/virtualbox/VBoxXPCOMIPCD	--	gen_context(system_u:object_r:vbox_ipc_exec_t,s0)
> /usr/lib/virtualbox/VirtualBox	--	gen_context(system_u:object_r:vbox_vbox_exec_t,s0)
> /usr/lib/virtualbox/VBoxSDL	--	gen_context(system_u:object_r:vbox_vbox_exec_t,s0)
> /usr/lib/virtualbox/VBoxSVC	--	gen_context(system_u:object_r:vbox_svc_exec_t,s0)
> HOME_DIR/.VirtualBox(/.*)?	gen_context(system_u:object_r:vbox_run_t,s0)
These are specified file contexts. After loading these, you may need to apply them by running restorecon on each of the paths.
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
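As an added example, not code from this thread or from SELinux itself: a small Python model of how matchpathcon resolves a path against file_contexts specs, built from the vbox.fc entries quoted above plus one constructed base-policy line. It assumes libselinux's rule that the last matching spec wins (which is why module and semanage-local entries are placed after the base policy), the usual meaning of the file-type field (-- regular file, -d directory, absent = any), and that gen_context() is an m4 macro that is only expanded when the module is built.

```python
import re
from dataclasses import dataclass

# Constructed sample (not a real Fedora file_contexts): one base-policy line as
# semodule writes it, then vbox.fc entries from the thread in raw refpolicy form,
# where gen_context() is an m4 macro that is only expanded at module build time.
SAMPLE_FC = """
/usr/lib/.*                         system_u:object_r:lib_t:s0
/usr/lib/virtualbox                 gen_context(system_u:object_r:vbox_run_t,s0)
/usr/lib/virtualbox/(.*)            gen_context(system_u:object_r:vbox_run_t,s0)
/usr/lib/virtualbox/VBoxManage  --  gen_context(system_u:object_r:vbox_manage_exec_t,s0)
HOME_DIR/.VirtualBox(/.*)?          gen_context(system_u:object_r:vbox_run_t,s0)
"""

GEN_CONTEXT = re.compile(r"gen_context\(([^,]+),([^)]+)\)")

@dataclass
class Spec:
    regex: re.Pattern     # anchored ^...$ as libselinux does
    ftype: "str | None"   # '--' regular file, '-d' directory, ...; None = any type
    context: str

def parse_fc(text, home_dir="/home/[^/]+"):
    """Parse file_contexts lines, expanding gen_context() and HOME_DIR."""
    specs = []
    for line in text.splitlines():
        line = GEN_CONTEXT.sub(r"\1:\2", line.replace("HOME_DIR", home_dir)).strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            path_re, ftype, ctx = fields
        elif len(fields) == 2:
            (path_re, ctx), ftype = fields, None
        else:
            raise ValueError(f"malformed spec: {line!r}")
        specs.append(Spec(re.compile("^" + path_re + "$"), ftype, ctx))
    return specs

def add_local_spec(specs, path_re, setype):
    """Model `semanage fcontext -a -t SETYPE PATH`: appends a spec that wins over
    earlier ones, but relabels nothing on disk until restorecon is run."""
    specs.append(Spec(re.compile("^" + path_re + "$"), None, f"system_u:object_r:{setype}:s0"))

def matchpathcon(specs, path, ftype="--"):
    """What matchpathcon prints: libselinux walks specs in reverse, last match wins."""
    for spec in reversed(specs):
        if spec.ftype in (None, ftype) and spec.regex.match(path):
            return spec.context
    return "<<none>>"
```

Spec paths are case-sensitive regexes, so a spec for /usr/lib/virtualbox/VboxManage never matches /usr/lib/virtualbox/VBoxManage. Even a matching spec only changes what ls -Z shows after restorecon has been run on the path.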