When a file gets created, it gets a label based on some mysterious distro policy ("antivirus_db_t"). I define a specific custom policy that should give the file a different label (say, "bin_t").
What ends up happening is that no matter how I *create* the file, it always gets "antivirus_db_t" as its label. However, if I run restorecon on the file, the label changes to "bin_t".
How can this symptom be explained?
Marko
On Fri, Jun 7, 2019 at 8:45 AM Marko Rauhamaa marko@pacujo.net wrote:
When a file gets created, it gets a label based on some mysterious distro policy ("antivirus_db_t").
A newly-created file will inherit the file context of its parent directory unless there is a specific policy that sets a different context. See:
https://fedoraproject.org/wiki/Features/SELinuxFileNameTransition
Here's an example:
$ sesearch --type_trans --source unconfined_t --default httpd_user_content_t
type_transition unconfined_t user_home_dir_t:dir httpd_user_content_t "public_html";
type_transition unconfined_t user_home_dir_t:dir httpd_user_content_t "web";
type_transition unconfined_t user_home_dir_t:dir httpd_user_content_t "www";
In other words, if a process running in unconfined_t creates a directory named any of (public_html, web, www) that would otherwise have the user_home_dir_t context (typically, because it inherited that context from the containing directory), instead create the directory with the httpd_user_content_t context.
I define a specific custom policy that should give the file a different label (say, "bin_t").
File context? Or transition context?
What ends up happening is that no matter how I *create* the file, it always gets "antivirus_db_t" as its label. However, if I run restorecon on the file, the label changes to "bin_t".
How can this symptom be explained?
You have probably specified a file context rule that conflicts with the context specified by a creation policy or file name transition.
When a file is created, the creation/transition policy applies; when a file is relabeled, the file context policy applies. If they don't agree, you see exactly the behavior you're describing: a file is created with one context, but running "restorecon" changes it to a different context.
In your case, if you want to see all transitions to the antivirus_db_t context, run:
$ sesearch --type_trans --default antivirus_db_t
I'm betting you'll see there's an explicit transition context that applies to the specific file you're creating.
James Ralston ralston@pobox.com:
On Fri, Jun 7, 2019 at 8:45 AM Marko Rauhamaa marko@pacujo.net wrote:
When a file gets created, it gets a label based on some mysterious distro policy ("antivirus_db_t").
A newly-created file will inherit the file context of its parent directory unless there is a specific policy that sets a different context. See:
https://fedoraproject.org/wiki/Features/SELinuxFileNameTransition
Thanks for answering.
I define a specific custom policy that should give the file a different label (say, "bin_t").
File context? Or transition context?
.fc
What ends up happening is that no matter how I *create* the file, it always gets "antivirus_db_t" as its label. However, if I run restorecon on the file, the label changes to "bin_t".
How can this symptom be explained?
You have probably specified a file context rule that conflicts with the context specified by a creation policy or file name transition.
When a file is created, the creation/transition policy applies; when a file is relabeled, the file context policy applies. If they don't agree, you see exactly the behavior you're describing: a file is created with one context, but running "restorecon" changes it to a different context.
In your case, if you want to see all transitions to the antivirus_db_t context, run:
$ sesearch --type_trans --default antivirus_db_t
I'm betting you'll see there's an explicit transition context that applies to the specific file you're creating.
No doubt. I'll have to check it when I get back to the office.
More interestingly, how do I override the distro transition rule so that the file context rule takes precedence?
Based on some extensive googling, I gather I will need a
file_type_auto_trans
declaration. Even some more digging makes me guess this directive needs to go in a .te file although it would be nice to find a direct answer in the documentation.
I don't suppose it's possible to write an all-encompassing transition rule that forces the label of a file regardless of the context of the creator. So I will need to experimentally chart all the legitimate ways the file can come about and write transition rules for all valid transitions.
Marko
On Fri, Jun 7, 2019 at 5:26 PM Marko Rauhamaa marko@pacujo.net wrote:
More interestingly, how do I override the distro transition rule so that the file context rule takes precedence?
You don’t.
When a file is created, the creation/transition policy applies; when you run restorecon on a file, the file context policy applies.
Based on some extensive googling, I gather I will need a
file_type_auto_trans
declaration. Even some more digging makes me guess this directive needs to go in a .te file although it would be nice to find a direct answer in the documentation.
You can look at the reference policy in Github to see how to write type transitions.
But it’s probably not going to help you here. Unlike file contexts, type transitions are exact, and cannot conflict. If your custom module contains a file transition that conflicts with a preexisting transition, SELinux will refuse to load your module. See:
https://selinuxproject.org/page/NB_Domain_and_Object_Transitions
If you think your distro’s file transitions are too zealous, and are transitioning new files to the antivirus_db_t context that aren’t actually antivirus database files, then you should file a bug report against the distro and get the problem fixed in the upstream policy.
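To make the two points above concrete (creation-time type transitions versus the .fc label that restorecon applies, and the fact that a (source, parent type, class, name) key can map to only one transition target), here is an added example that is not from this thread or from the Fedora policy. It parses rules in the format sesearch --type_trans prints, resolves what type a new object gets at creation, flags the restorecon-changes-the-label symptom, and detects duplicate transition keys; the var_lib_t/antivirus_db_t rule and bin_t .fc type are constructed sample values, not real Fedora policy.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the format sesearch --type_trans prints (quoted in the
# thread); the var_lib_t -> antivirus_db_t rule is made up to mirror the symptom.
SESEARCH_OUTPUT = """\
type_transition unconfined_t user_home_dir_t:dir httpd_user_content_t "public_html";
type_transition unconfined_t user_home_dir_t:dir httpd_user_content_t "web";
type_transition unconfined_t user_home_dir_t:dir httpd_user_content_t "www";
type_transition unconfined_t var_lib_t:file antivirus_db_t;
"""
RULE_RE = re.compile(
    r'type_transition\s+(\w+)\s+(\w+):(\w+)\s+(\w+)(?:\s+"([^"]*)")?\s*;')

@dataclass(frozen=True)
class TypeTransition:
    source: str          # domain of the creating process
    target: str          # type of the parent directory
    tclass: str          # class of the new object (file, dir, ...)
    default: str         # type the new object is created with
    name: Optional[str]  # optional file-name match (file name transition)

def parse_type_transitions(text: str) -> List[TypeTransition]:
    return [TypeTransition(*m.groups()) for m in RULE_RE.finditer(text)]

def creation_type(rules, source, parent_type, tclass, name):
    """Type a new object gets at creation: a name-specific transition wins,
    then an unnamed one; with no matching rule it inherits the parent's type."""
    match = [r for r in rules
             if (r.source, r.target, r.tclass) == (source, parent_type, tclass)]
    for candidates in ([r for r in match if r.name == name],
                       [r for r in match if r.name is None]):
        if candidates:
            return candidates[0].default
    return parent_type

def restorecon_would_relabel(rules, fc_type, source, parent_type, tclass, name):
    """The symptom in the thread: the .fc type differs from the creation type."""
    return creation_type(rules, source, parent_type, tclass, name) != fc_type

def conflicting_keys(rules):
    """(source, target, class, name) keys mapped to more than one default type;
    a module adding such a duplicate on top of the base policy is refused."""
    defaults = {}
    for r in rules:
        defaults.setdefault((r.source, r.target, r.tclass, r.name), set()).add(r.default)
    return sorted((k for k, d in defaults.items() if len(d) > 1), key=str)
```

Feed it the real output of `sesearch --type_trans --default antivirus_db_t` plus the type your .fc rule assigns (check with matchpathcon) to see which rule wins at creation and why restorecon then moves the file to a different type.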
James Ralston ralston@pobox.com:
On Fri, Jun 7, 2019 at 5:26 PM Marko Rauhamaa marko@pacujo.net wrote:
More interestingly, how do I override the distro transition rule so that the file context rule takes precedence?
You don’t.
When a file is created, the creation/transition policy applies; when you run restorecon on a file, the file context policy applies.
That's what I decided to do: run restorecon right after creating the file. Problem solved, and the admin likely won't inadvertently relabel the file.
Based on some extensive googling, I gather I will need a
file_type_auto_trans
declaration. Even some more digging makes me guess this directive needs to go in a .te file although it would be nice to find a direct answer in the documentation.
You can look at the reference policy in Github to see how to write type transitions.
But it’s probably not going to help you here. Unlike file contexts, type transitions are exact, and cannot conflict. If your custom module contains a file transition that conflicts with a preexisting transition, SELinux will refuse to load your module. See:
https://selinuxproject.org/page/NB_Domain_and_Object_Transitions
Thanks. Unfortunately, I'd need some sort of a Fedora SELinux policy tutorial to make use of that document.
If you think your distro’s file transitions are too zealous, and are transitioning new files to the antivirus_db_t context that aren’t actually antivirus database files, then you should file a bug report against the distro and get the problem fixed in the upstream policy.
Fedora can't possibly know what 3rd-party files are for so I suppose any out-of-the-box label is bound to be just a guess.
Now if only I as the application developer knew what the right label were supposed to be...
Marko
selinux@lists.fedoraproject.org