To learn about selinux, I am trying to create a policy that would assign the file /etc/xyz the type tuned_log_t.
I have:
===begin xyz.te=========================================================
policy_module(xyz, 1.0.0)
===end xyz.te===========================================================
===begin xyz.fc=========================================================
/etc/xyz -- gen_context(system_u:object_r:tuned_log_t,s0)
===end xyz.fc===========================================================
Then I execute:
# rm -f /etc/xyz
# make -f /usr/share/selinux/devel/Makefile xyz.pp
Compiling targeted xyz module
/usr/bin/checkmodule: loading policy configuration from tmp/xyz.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 17) to tmp/xyz.mod
Creating targeted xyz.pp policy package
rm tmp/xyz.mod.fc tmp/xyz.mod
# semodule -i xyz.pp
# touch /etc/xyz
# ls -Z /etc/xyz
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0 /etc/xyz
# restorecon /etc/xyz
# ls -Z /etc/xyz
-rw-r--r--. root root unconfined_u:object_r:tuned_log_t:s0 /etc/xyz
Why is /etc/xyz not getting the correct type immediately as the policy would dictate?
Marko
On 06/10/2015 08:52 AM, Marko Rauhamaa wrote:
I'm not even close to an SELinux amateur, so beware of my advice, but...
My understanding is that, when run, "restorecon" uses the contents of the ".fc" (file context) files to determine the contexts of directories and files.
When a file or directory is created at *run-time*, it assumes the security context of its parent directory by default. This behavior can be modified at run-time with the "type_transition" statement. The contents of the ".fc" files are *not* consulted at run-time.
During RPM installation, the "rpm" process does use the ".fc" files to determine the security contexts given to files.
-- Steve Ross
selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
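Steve's explanation is the one to act on: the .fc entry is only a relabeling specification, read by restorecon, setfiles and rpm, while the label a freshly created file receives is computed by the kernel from the creating domain, the parent directory's type and any type_transition rule in the loaded policy. The xyz.te below is an added example, not the module from Marko's post and not part of the Fedora policy, showing what the module would need to contain for "touch /etc/xyz" from an unconfined root shell to yield tuned_log_t at creation time. It assumes the shell runs as unconfined_t and that the installed refpolicy/Fedora files.if provides files_etc_filetrans() with its optional filename argument (named file transitions); both are assumptions about the reader's policy, not facts from the thread.

```selinux
# xyz.te (added example; not the module from the original post)
policy_module(xyz, 1.0.1)

# Types owned by other modules must be declared via gen_require before
# this module may reference them.
gen_require(`
	type unconfined_t;
	type tuned_log_t;
')

# Named file transition: when a process running as unconfined_t creates a
# *file* called "xyz" directly under a directory labelled etc_t, the kernel
# labels it tuned_log_t at creation instead of inheriting etc_t from /etc.
#
# files_etc_filetrans(domain, new_type, object_class, filename) expands to
#   filetrans_pattern(unconfined_t, etc_t, tuned_log_t, file, "xyz")
# which emits the type_transition rule together with the create/add_name
# permissions the creating domain needs (redundant for unconfined_t, but
# required for a confined domain).
#
# Assumption: the four-argument form of files_etc_filetrans() exists in the
# installed files.if and the policy version supports named transitions.
files_etc_filetrans(unconfined_t, tuned_log_t, file, "xyz")
```

Keep the original xyz.fc alongside it so that restorecon, setfiles and rpm agree with the transition, then rebuild and reload with "make -f /usr/share/selinux/devel/Makefile xyz.pp && semodule -i xyz.pp". Two checks separate the two mechanisms: "matchpathcon /etc/xyz" prints what the loaded file_contexts say the path should be (the .fc side), and "sesearch -T -s unconfined_t -t etc_t -c file" lists the type_transition rules that apply at creation time (the run-time side); if the second shows nothing for tuned_log_t, a new file will still come up etc_t no matter what the .fc says. The rule only fires for the domain named in it, so a file created by some other domain, or an existing file being touched, is unaffected and still needs restorecon.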
You'll need to run restorecon.
On Wed, Jun 10, 2015 at 9:21 AM, Steve Ross sross@trustedcs.com wrote: