Hi all, I have a question about how selinux matches the parent and/or higher component path directory.
Lets say I want to relocate a service home under /mnt/. For example, I want to relocate /var/lib/libvirt under /mnt/xfs/var/lib/libvirt. I understand I can, and should, use selinux equivalency: "semanage fcontext -a -e /var/lib/libvirt /mnt/xfs/var/lib/libvirt".
So far, so good: a "restorecon -RF /mnt/xfs/var/lib/libvirt" leaves the selinux labels intact.
However, the /mnt/xfs/ component path is still (obviously) labeled as type mnt_t. How will selinux behave in this case? Will it only match the final path component (ie: the "libvirt" dir in "/mnt/xfs/var/lib/libvirt")? Or should libvirt be enabled to read/list/execute from mnt_t also?
More broadly: does a targeted selinux policy have a list of *enabled* actions, with all others automatically denied, or are "extraneous" labels just ignored?
Thanks.
Hi,
On Tue, Jan 14, 2020 at 10:27 AM Gionatan Danti g.danti@assyoma.it wrote:
> Hi all, I have a question about how selinux matches the parent and/or higher component path directory.
> Lets say I want to relocate a service home under /mnt/. For example, I want to relocate /var/lib/libvirt under /mnt/xfs/var/lib/libvirt. I understand I can, and should, use selinux equivalency: "semanage fcontext -a -e /var/lib/libvirt /mnt/xfs/var/lib/libvirt".
> So far, so good: a "restorecon -RF /mnt/xfs/var/lib/libvirt" leaves the selinux labels intact.
> However, the /mnt/xfs/ component path is still (obviously) labeled as type mnt_t. How will selinux behave in this case? Will it only match the final path component (ie: the "libvirt" dir in "/mnt/xfs/var/lib/libvirt")? Or should libvirt be enabled to read/list/execute from mnt_t also?
> More broadly: does a targeted selinux policy have a list of *enabled* actions, with all others automatically denied, or are "extraneous" labels just ignored?
When you access a path, you usually need only basic permissions (getattr, search, ...) for the parent components and the read/write/execute/... permissions (depending on what the service wants to do with the file) are only checked against the label of the file itself. Chances are that all/most domains already have permissions to traverse mnt_t directories, so it is likely that you won't need any additional permissions. But best to try running the service and see if you get any denials :)
On 14/01/20 10:37, Ondrej Mosnacek wrote:
> Hi,
> When you access a path, you usually need only basic permissions (getattr, search, ...) for the parent components and the read/write/execute/... permissions (depending on what the service wants to do with the file) are only checked against the label of the file itself. Chances are that all/most domains already have permissions to traverse mnt_t directories, so it is likely that you won't need any additional permissions. But best to try running the service and see if you get any denials :)
I'll do, thanks.
As a side note, how can I check all permissions of a specific domain (ie: libvirt in this case)?
Thanks.
On Tue, Jan 14, 2020 at 11:44 AM Gionatan Danti g.danti@assyoma.it wrote:
> On 14/01/20 10:37, Ondrej Mosnacek wrote:
> > Hi,
> > When you access a path, you usually need only basic permissions (getattr, search, ...) for the parent components and the read/write/execute/... permissions (depending on what the service wants to do with the file) are only checked against the label of the file itself. Chances are that all/most domains already have permissions to traverse mnt_t directories, so it is likely that you won't need any additional permissions. But best to try running the service and see if you get any denials :)
> I'll do, thanks.
> As a side note, how can I check all permissions of a specific domain (ie: libvirt in this case)?
You can use the sesearch tool (from setools-console package). E.g.:
sesearch -A -s virtd_t
will show you all allow rules with "virtd_t" as the source type. Or:
sesearch -A -s virtd_t -t mnt_t
will show all allow rules with "virtd_t" as source type and "mnt_t" as target type. As usual, see the man page for more options.
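To make the two answers above concrete (the per-component `search` checks during a path walk, and reading `sesearch -A` output to see which of them a domain is allowed), here is an added example. It is not from the thread, from libvirt, or from the SELinux tooling: the `sesearch`-shaped rule lines and the type-per-path table are constructed for illustration (the `mnt_t` on the intermediate directories follows the original post, the virt types approximate the stock policy), and the walk model deliberately ignores MLS, type transitions, dontaudit rules and the extra `open`/`read` checks the kernel makes on directories when they are listed rather than traversed. It also models the `semanage fcontext -e` equivalence as a path-prefix substitution applied before label lookup, which is how the relocated tree picks up the `/var/lib/libvirt` labels while `/mnt/xfs` and its children above the equivalence root keep `mnt_t`.

```python
"""Model of an SELinux path walk against allow rules parsed from sesearch-style
output.  Example code, not part of the mailing-list thread; all rules, paths and
labels below are constructed, not captured from a real system."""
import re

# Constructed sample in the shape `sesearch -A -s virtd_t` prints (trimmed and
# hypothetical; a real policy has far more rules).
SESEARCH_OUTPUT = """\
allow virtd_t root_t:dir { getattr open read search };
allow virtd_t mnt_t:dir { getattr open read search };
allow virtd_t virt_var_lib_t:dir { add_name create getattr open read remove_name rmdir search setattr write };
allow virtd_t virt_image_t:dir { add_name create getattr open read remove_name rmdir search setattr write };
allow virtd_t virt_image_t:file { append create getattr open read rename setattr unlink write };
allow virtd_t virtd_t:capability dac_override;
"""

# `semanage fcontext -a -e /var/lib/libvirt /mnt/xfs/var/lib/libvirt`
# recorded as alias -> original.
SUBS = {"/mnt/xfs/var/lib/libvirt": "/var/lib/libvirt"}

# Assumed types for the paths involved (a lookup table standing in for the
# regex-based file_contexts).  Directories between /mnt and the equivalence
# root carry mnt_t, as the original post describes.
STOCK_LABELS = {
    "/": "root_t",
    "/mnt": "mnt_t",
    "/mnt/xfs": "mnt_t",
    "/mnt/xfs/var": "mnt_t",
    "/mnt/xfs/var/lib": "mnt_t",
    "/var/lib/libvirt": "virt_var_lib_t",
    "/var/lib/libvirt/images": "virt_image_t",
    "/var/lib/libvirt/images/disk.qcow2": "virt_image_t",
}

RULE_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{\s*([^}]*)\}|(\S+));$")


def parse_sesearch(text):
    """Return {(source, target, class): set(perms)} from sesearch -A lines."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparsed rule: " + line)
        src, tgt, cls, multi, single = m.groups()
        perms = set(multi.split()) if multi is not None else {single}
        rules.setdefault((src, tgt, cls), set()).update(perms)
    return rules


def allowed(rules, src, tgt, cls, perm):
    return perm in rules.get((src, tgt, cls), set())


def canonical(path, subs=SUBS):
    """Apply the equivalence: a path at or below the alias directory is looked
    up as if it lived under the original one; everything else is unchanged."""
    for alias, original in subs.items():
        if path == alias or path.startswith(alias + "/"):
            return original + path[len(alias):]
    return path


def label_of(path):
    return STOCK_LABELS[canonical(path)]


def path_walk_checks(path, final_class, final_perms):
    """The (target_type, class, perm) checks a domain faces when it opens `path`:
    `search` on / and on every parent directory, then `final_perms` against the
    label of the last component only."""
    parts = path.strip("/").split("/")
    checks = [(label_of("/"), "dir", "search")]
    cur = ""
    for comp in parts[:-1]:
        cur += "/" + comp
        checks.append((label_of(cur), "dir", "search"))
    checks += [(label_of(path), final_class, p) for p in final_perms]
    return checks


def simulate(rules, src, path, final_class, final_perms):
    """Return the checks that would be denied; an empty list means the access
    succeeds.  One entry per path component, so repeated mnt_t denials show
    exactly which directories need the traversal permission."""
    return [c for c in path_walk_checks(path, final_class, final_perms)
            if not allowed(rules, src, *c)]


if __name__ == "__main__":
    rules = parse_sesearch(SESEARCH_OUTPUT)
    target = "/mnt/xfs/var/lib/libvirt/images/disk.qcow2"
    for check in path_walk_checks(target, "file", ["read", "open"]):
        print("virtd_t", check, "allowed" if allowed(rules, "virtd_t", *check) else "DENIED")
    print("denied:", simulate(rules, "virtd_t", target, "file", ["read", "open"]))
```

Running it shows four `mnt_t:dir search` checks (for /mnt, /mnt/xfs, /mnt/xfs/var and /mnt/xfs/var/lib) followed by the virt types, and no denials with the constructed rule set. Dropping the `mnt_t` line from the input reproduces the failure mode the thread discusses: the walk is denied at each `mnt_t` component before the file's own label is ever consulted, which is exactly what a `search` denial on `mnt_t` in `ausearch -m avc` would look like.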
On 14/01/20 12:52, Ondrej Mosnacek wrote:
> You can use the sesearch tool (from setools-console package). E.g.:
> sesearch -A -s virtd_t
> will show you all allow rules with "virtd_t" as the source type. Or:
> sesearch -A -s virtd_t -t mnt_t
> will show all allow rules with "virtd_t" as source type and "mnt_t" as target type. As usual, see the man page for more options.
Thank you so much! Regards.
selinux@lists.fedoraproject.org