Finally I found the problem: the .fc file was really still using the Ubuntu directory structure (/usr/bin/virtualbox); unfortunately I didn't notice that this was different from the locations /usr/bin/ and /usr/lib/virtualbox where I found the binaries in question. --> blind me! :-(
Thanks a lot for the help!
-----Original Message-----
From: selinux-bounces@lists.fedoraproject.org [mailto:selinux-bounces@lists.fedoraproject.org] On behalf of selinux-request@lists.fedoraproject.org
Sent: Tuesday, 22 February 2011 13:00
To: selinux@lists.fedoraproject.org
Subject: selinux Digest, Vol 84, Issue 10
4. Re: need to superseed default file context for virtualbox files but no method works (Dominick Grift)

Message: 4
Date: Mon, 21 Feb 2011 16:22:42 +0100
From: Dominick Grift <domg472@gmail.com>
Subject: Re: need to superseed default file context for virtualbox files but no method works
To: selinux@lists.fedoraproject.org
Message-ID: <4D628342.8070102@gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
On 02/21/2011 04:15 PM, Andreas Bolatzki wrote:
Hello All,
I am working on Fedora 13 and VirtualBox 3.2
Currently I am trying to apply an SELinux module that was created on Ubuntu to Fedora 13. Because I believe I understand what it should do, I just tried to make it run under F-13. I have three files, vbox.te, vbox.if and vbox.fc, to create a policy module.
After making vbox.pp I can load it with "semodule -i vbox.pp" and the module shows up correctly in "semodule -l". The motivation to change these file contexts is to prepare for correct type-transition rules so they match the defined rules.
Unfortunately the file context is never set as needed and as described in vbox.fc.
When I check .../file_contexts the correct statements are included, but they happen to appear later than something that was there before... (or is there if the module is removed):
# matchpathcon /usr/lib/virtualbox/
/usr/lib/virtualbox system_u:object_r:lib_t:s0
# matchpathcon -f f13vbox.fc /usr/lib/virtualbox/
/usr/lib/virtualbox <<none>>

Next I tried to do it with semanage fcontext -t:
[~]$ sudo semanage fcontext -a -t vbox_manage_exec_t /usr/lib/virtualbox/VboxManage
[~]$ ls -lZ /usr/lib/virtualbox/VBoxManage
-rwxr-xr-x. root root system_u:object_r:lib_t:s0 /usr/lib/virtualbox/VBoxManage
That semanage command above only adds a new file context specification. You have to restore the context after that to actually apply the specified file context.
ANDREAS: OK. The problem is that something supersedes my module!
ANDREAS: The restorecon does nothing first...
ANDREAS: [~]# restorecon -v /usr/lib/virtualbox/VBoxSDL
ANDREAS: [~]# chcon -t vbox_vbox_exec_t /usr/lib/virtualbox/VBoxSDL
ANDREAS: [~]# restorecon -v /usr/lib/virtualbox/VBoxSDL
ANDREAS: restorecon reset /usr/lib/virtualbox/VBoxSDL context system_u:object_r:vbox_vbox_exec_t:s0->system_u:object_r:lib_t:s0
ANDREAS: [~]#
ANDREAS: --->> Finally I found the problem: the .fc file was really still using the Ubuntu directory structure (/usr/bin/virtualbox); unfortunately I didn't notice that this was different from /usr/bin/ and /usr/lib/virtualbox where I found the binaries in question. --> blind me! :-(
Thanks a lot for the help!
I'd expect that lib_t is replaced by vbox_manage_exec_t. What is the problem? My understanding of what should happen might be wrong...
Thanks for your answers.
Andreas
Contents of vbox.fc:
/dev/vboxdrv gen_context(system_u:object_r:vbox_run_t,s0)
/dev/vboxnetctl gen_context(system_u:object_r:vbox_run_t,s0)
/usr/lib/virtualbox gen_context(system_u:object_r:vbox_run_t,s0)
/usr/lib/virtualbox/(.*) gen_context(system_u:object_r:vbox_run_t,s0)
/usr/lib/virtualbox/VBoxManage -- gen_context(system_u:object_r:vbox_manage_exec_t,s0)
/usr/lib/virtualbox/VBoxXPCOMIPCD -- gen_context(system_u:object_r:vbox_ipc_exec_t,s0)
/usr/lib/virtualbox/VirtualBox -- gen_context(system_u:object_r:vbox_vbox_exec_t,s0)
/usr/lib/virtualbox/VBoxSDL -- gen_context(system_u:object_r:vbox_vbox_exec_t,s0)
/usr/lib/virtualbox/VBoxSVC -- gen_context(system_u:object_r:vbox_svc_exec_t,s0)
HOME_DIR/.VirtualBox(/.*)? gen_context(system_u:object_r:vbox_run_t,s0)
These are specified file contexts. After loading these, you may need to apply them by running restorecon on each of the paths.
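The resolution step Dominick describes above (a file context specification is only a rule; matchpathcon and restorecon resolve a path against the whole specification list, and the last matching entry wins) can be modelled offline. The following Python is an added example written for this page, not code from the thread, from the vbox module or from libselinux. It parses .fc-style entries with gen_context() already expanded, walks the list from the end with libselinux's file-type filter ("--" regular file, "-d" directory, none given means any type), and shows why an .fc written for /usr/bin/virtualbox leaves /usr/lib/virtualbox/VBoxManage at the base lib_t label while the corrected prefix yields vbox_manage_exec_t. BASE_FC is a constructed approximation of the distribution's own /usr/lib and /usr/bin entries, the HOME_DIR pattern is a stand-in for what genhomedircon generates, and fc_sort's specificity ordering, the stem optimisation and the separate precedence of file_contexts.local are deliberately left out.

```python
import re

# Constructed stand-in for the distribution's own file_contexts entries that
# already label /usr/bin and /usr/lib (an approximation, not Fedora 13's file).
BASE_FC = """\
/usr/bin(/.*)?    system_u:object_r:bin_t:s0
/usr/lib(/.*)?    system_u:object_r:lib_t:s0
"""

# The vbox.fc entries from the thread, written the way they appear in the
# built file_contexts (gen_context() expanded to a plain security context).
FEDORA_FC = """\
/dev/vboxdrv                         system_u:object_r:vbox_run_t:s0
/dev/vboxnetctl                      system_u:object_r:vbox_run_t:s0
/usr/lib/virtualbox                  system_u:object_r:vbox_run_t:s0
/usr/lib/virtualbox/(.*)             system_u:object_r:vbox_run_t:s0
/usr/lib/virtualbox/VBoxManage    -- system_u:object_r:vbox_manage_exec_t:s0
/usr/lib/virtualbox/VBoxXPCOMIPCD -- system_u:object_r:vbox_ipc_exec_t:s0
/usr/lib/virtualbox/VirtualBox    -- system_u:object_r:vbox_vbox_exec_t:s0
/usr/lib/virtualbox/VBoxSDL       -- system_u:object_r:vbox_vbox_exec_t:s0
/usr/lib/virtualbox/VBoxSVC       -- system_u:object_r:vbox_svc_exec_t:s0
HOME_DIR/.VirtualBox(/.*)?           system_u:object_r:vbox_run_t:s0
"""

# The Ubuntu-layout variant that was actually loaded: same entries, wrong prefix.
UBUNTU_FC = FEDORA_FC.replace("/usr/lib/virtualbox", "/usr/bin/virtualbox")

# One file_contexts line: <path regex> [<file type>] <context>
FC_LINE = re.compile(r"^(\S+)\s+(?:(-[-bcdlps])\s+)?(\S+)$")
FILE_TYPES = {"--": "f", "-d": "d", "-l": "l", "-c": "c", "-b": "b", "-s": "s", "-p": "p"}


def parse_fc(text, home_dir_re=r"/home/[^/]+"):
    """Return (compiled regex, file type or None, context) tuples in file order."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = FC_LINE.match(line)
        if m is None:
            raise ValueError("bad file_contexts line: %r" % line)
        path_re, ftype, ctx = m.groups()
        # genhomedircon expands HOME_DIR from the real home directories;
        # a generic pattern (an assumption) stands in for that here.
        path_re = path_re.replace("HOME_DIR", home_dir_re)
        # libselinux anchors every specification at both ends.
        specs.append((re.compile("^" + path_re + "$"), FILE_TYPES.get(ftype), ctx))
    return specs


def lookup(specs, path, ftype="f"):
    """Last matching entry wins: walk the list from the end, as libselinux
    does, and return the first hit; <<none>> if nothing matches."""
    for regex, want, ctx in reversed(specs):
        if want is not None and want != ftype:
            continue  # entry restricted to another file type, e.g. "--" vs a directory
        if regex.match(path):
            return ctx
    return "<<none>>"


def resolve(module_fc, path, ftype="f"):
    """Context a path gets once the module's entries follow the base entries."""
    return lookup(parse_fc(BASE_FC) + parse_fc(module_fc), path, ftype)


if __name__ == "__main__":
    target = "/usr/lib/virtualbox/VBoxManage"
    for name, fc in (("fedora-layout vbox.fc", FEDORA_FC), ("ubuntu-layout vbox.fc", UBUNTU_FC)):
        print(name)
        print("  module file alone (like matchpathcon -f):", lookup(parse_fc(fc), target))
        print("  together with base entries             :", resolve(fc, target))
```

Running it reproduces the symptom from the thread: with the Ubuntu-layout file the module never matches the Fedora path, so matchpathcon -f on the .fc alone reports <<none>> and the combined lookup falls back to the base lib_t entry; with the corrected prefix the more specific "--" entry wins for the regular file, while a directory named the same way would still get vbox_run_t from the (.*) entry because "--" excludes it.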