First off, thanks for the answers about finding out the SELinux transactions... autrace was the way to go.... Now I have a more fundamental problem... In the file context labels, there are two rules that conflict:
/sbin/.* all files system_u:object_r:bin_t:s0
and
/sbin/mount.mymounter regular file system_u:object_r:myfile_exec_t:s0
The problem though is that the file gets labeled under the blanket /sbin/.* context, rather than the more specific one:
ls -lZ /sbin/mount.mymounter
lrwxrwxrwx root root system_u:object_r:bin_t /sbin/mount.mymounter -> /myproject/sbin/mymounter
Any thoughts on this? Can someone explain how the file context is derived from the rules? Is it as simple as whichever matches first? And does anyone know a way around this labeling problem, assuming I cannot remove the /sbin/.* rule, but can only add rules through a policy module.
Thanks again, -Tim
Timothy Renner wrote:
> First off, thanks for the answers about finding out the SELinux transactions... autrace was the way to go.... Now I have a more fundamental problem... In the file context labels, there are two rules that conflict:
> /sbin/.* all files system_u:object_r:bin_t:s0
> and
> /sbin/mount.mymounter regular file system_u:object_r:myfile_exec_t:s0
> The problem though is that the file gets labeled under the blanket /sbin/.* context, rather than the more specific one:
> ls -lZ /sbin/mount.mymounter
> lrwxrwxrwx root root system_u:object_r:bin_t /sbin/mount.mymounter -> /myproject/sbin/mymounter
I tried this on Fedora Rawhide and it worked. I also have your /sbin/* rule. Did you run "restorecon /sbin/mount.mymounter" after adding the rule?
I don't know how this works for symbolic links. You might have to add a rule (and run restorecon) for /myproject/sbin/mymounter
> Any thoughts on this? Can someone explain how the file context is derived from the rules? Is it as simple as whichever matches first? And does anyone know a way around this labeling problem, assuming I cannot remove the /sbin/.* rule, but can only add rules through a policy module.
> Thanks again, -Tim
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
On Tue, 28 Oct 2008 08:13:06 +1000 Murray McAllister mmcallis@redhat.com wrote:
> Timothy Renner wrote:
>> First off, thanks for the answers about finding out the SELinux transactions... autrace was the way to go.... Now I have a more fundamental problem... In the file context labels, there are two rules that conflict:
>> /sbin/.* all files system_u:object_r:bin_t:s0
>> and
>> /sbin/mount.mymounter regular file system_u:object_r:myfile_exec_t:s0
>> The problem though is that the file gets labeled under the blanket /sbin/.* context, rather than the more specific one:
>> ls -lZ /sbin/mount.mymounter
>> lrwxrwxrwx root root system_u:object_r:bin_t /sbin/mount.mymounter -> /myproject/sbin/mymounter
> I tried this on Fedora Rawhide and it worked. I also have your /sbin/* rule. Did you run "restorecon /sbin/mount.mymounter" after adding the rule?
> I don't know how this works for symbolic links. You might have to add a rule (and run restorecon) for /myproject/sbin/mymounter
>> Any thoughts on this? Can someone explain how the file context is derived from the rules? Is it as simple as whichever matches first? And does anyone know a way around this labeling problem, assuming I cannot remove the /sbin/.* rule, but can only add rules through a policy module.
Regular files, directories, sockets, symlinks etc. can all have different contexts for the same path specification. So specifying the type for regular files won't have any effect on symlinks. For how to specify contexts for different file types using semanage, see the "--ftype" option in the manpage for semanage.
Regarding how contexts are matched, I asked about it a long while ago and wrote down a summary of what I was told here:
http://www.city-fan.org/tips/SeLinuxQuickRef
See "File Contexts Sort Ordering" at the bottom of the page.
Paul.
On Mon, Oct 27, 2008 at 14:34:40 -0700, Timothy Renner timothy.renner@gmail.com wrote:
> Any thoughts on this? Can someone explain how the file context is derived from the rules? Is it as simple as whichever matches first? And does anyone know a way around this labeling problem, assuming I cannot remove the /sbin/.* rule, but can only add rules through a policy module.
The patterns are only used when relabelling. When files are created there is a default context based on the domain of the process and the context of the directory the file is being created in. Applications can also create files with specific contexts.
I don't remember the relabelling priority. It is probably either the first matching rule or the last matching rule as deciding which is more specific is hard in general and that route probably wasn't chosen.
On Mon, 2008-10-27 at 14:34 -0700, Timothy Renner wrote:
> First off, thanks for the answers about finding out the SELinux transactions... autrace was the way to go.... Now I have a more fundamental problem... In the file context labels, there are two rules that conflict:
> /sbin/.* all files system_u:object_r:bin_t:s0
> and
> /sbin/mount.mymounter regular file system_u:object_r:myfile_exec_t:s0
> The problem though is that the file gets labeled under the blanket /sbin/.* context, rather than the more specific one:
> ls -lZ /sbin/mount.mymounter
> lrwxrwxrwx root root system_u:object_r:bin_t /sbin/mount.mymounter -> /myproject/sbin/mymounter
> Any thoughts on this? Can someone explain how the file context is derived from the rules? Is it as simple as whichever matches first? And does anyone know a way around this labeling problem, assuming I cannot remove the /sbin/.* rule, but can only add rules through a policy module.
You don't want that context on the symlink but on the file it references. So specify the path of the referenced file, not the symlink, in your module's .fc file.
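The two points made in Paul's reply (the file-type column, and "most specific entry wins" rather than "first match") and in the reply above (label the link target, not the link) can be seen together in a small model of file_contexts matching. This is an added example written for this thread, not libselinux, setfiles or restorecon code: the rule set is constructed from the messages, the /myproject/sbin/mymounter entry is the hypothetical fix from the last reply, and the specificity ordering (longer literal stem, then literal pattern before regex, then longer pattern, with the later entry breaking ties) is an approximation of the fc_sort ordering rather than a copy of it.

```python
"""Toy model of how an SELinux file_contexts entry is chosen for a path.

Added example for this thread; not libselinux/setfiles code. Two points modelled:
  * the file-type column ("--" = regular file): an entry limited to regular
    files never labels a symlink, so lstat()-style relabelling of the link
    /sbin/mount.mymounter falls through to the blanket /sbin/.* entry;
  * "most specific entry wins": stem length, literal-before-regex, pattern
    length, later entry breaks ties (assumed approximation of fc_sort order).
"""
import os
import re
import stat
from dataclasses import dataclass
from typing import Optional

META = set(".^$?*+|[](){}\\")   # characters that make a pattern a regex

# file-type flags accepted in the second column (cf. semanage --ftype)
FTYPES = {"--": "regular file", "-d": "directory", "-l": "symbolic link",
          "-b": "block device", "-c": "character device", "-s": "socket",
          "-p": "named pipe"}


@dataclass
class Spec:
    pattern: str
    ftype: Optional[str]   # None means "all files"
    context: str
    line: int              # position in the file; later entries win exact ties

    def stem(self) -> str:
        """Leading path components with no regex metacharacter; the final
        component is the filename pattern and never counts as stem."""
        keep = []
        for comp in self.pattern.split("/")[:-1]:
            if any(ch in META for ch in comp):
                break
            keep.append(comp)
        return "/".join(keep)

    def has_meta(self) -> bool:
        return any(ch in META for ch in self.pattern)

    def specificity(self) -> tuple:
        return (len(self.stem()), not self.has_meta(), len(self.pattern), self.line)

    def matches(self, path: str, ftype: str) -> bool:
        if self.ftype is not None and self.ftype != ftype:
            return False          # wrong file type: entry is skipped entirely
        return re.fullmatch(self.pattern, path) is not None


def parse_file_contexts(text: str) -> list:
    """Parse 'regex [ftype] context' lines; blanks and '#' comments are skipped."""
    specs = []
    for n, raw in enumerate(text.splitlines()):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) == 3:
            pattern, ftype, context = fields
        elif len(fields) == 2:
            (pattern, context), ftype = fields, None
        else:
            raise ValueError(f"line {n}: cannot parse {raw!r}")
        if ftype is not None and ftype not in FTYPES:
            raise ValueError(f"line {n}: unknown file type flag {ftype!r}")
        specs.append(Spec(pattern, ftype, context, n))
    return specs


def sorted_by_specificity(specs: list) -> list:
    """Least specific first, the on-disk order a sorted file_contexts has."""
    return sorted(specs, key=Spec.specificity)


def lookup(specs: list, path: str, ftype: str) -> Optional[str]:
    """Context a restorecon-style relabel would give `path` of type `ftype`."""
    hits = [s for s in specs if s.matches(path, ftype)]
    return max(hits, key=Spec.specificity).context if hits else None


def ftype_from_mode(mode: int) -> str:
    """Map an lstat() st_mode to the file_contexts flag (links are not followed)."""
    for check, flag in ((stat.S_ISLNK, "-l"), (stat.S_ISDIR, "-d"), (stat.S_ISBLK, "-b"),
                        (stat.S_ISCHR, "-c"), (stat.S_ISSOCK, "-s"), (stat.S_ISFIFO, "-p")):
        if check(mode):
            return flag
    return "--"


def lookup_on_disk(specs: list, path: str) -> Optional[str]:
    """lookup() using the real file type of an existing path, via os.lstat()."""
    return lookup(specs, path, ftype_from_mode(os.lstat(path).st_mode))


# Constructed rule set mirroring the thread; the last entry is the hypothetical fix.
FILE_CONTEXTS = """
/.*                              system_u:object_r:default_t:s0
/sbin/.*                         system_u:object_r:bin_t:s0
/sbin/mount.mymounter        --  system_u:object_r:myfile_exec_t:s0
/myproject/sbin/mymounter    --  system_u:object_r:myfile_exec_t:s0
"""

if __name__ == "__main__":
    specs = parse_file_contexts(FILE_CONTEXTS)
    for s in sorted_by_specificity(specs):
        print(f"{s.pattern:28} {s.ftype or 'all':4} stem={s.stem()!r:20} {s.context}")
    print(lookup(specs, "/sbin/mount.mymounter", "--"))   # regular file: myfile_exec_t
    print(lookup(specs, "/sbin/mount.mymounter", "-l"))   # the symlink: bin_t, as ls -lZ showed
    print(lookup(specs, "/myproject/sbin/mymounter", "--"))  # link target: myfile_exec_t
```

Running it prints the entries from least to most specific and then the three lookups: the specific entry does beat /sbin/.* for a regular file at that path, but the object actually sitting at /sbin/mount.mymounter is a symlink, which the "--" entry never matches, so the blanket entry labels it; an entry for the target path /myproject/sbin/mymounter matches as a regular file. lookup_on_disk() shows the other half of the picture: relabelling tools look at the object with lstat(), so the link itself, not what it points to, decides which file-type entries are eligible.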