[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Create new types in modules?



Paul Howarth wrote:
Stephen Smalley wrote:
On Thu, 2006-04-13 at 08:08 -0400, Stephen Smalley wrote:
So, my idea was to define everything under my chroot as a new type,
mock_root_t, and then have a module like this:

module mock 0.2;

require {
        class file execmod;

        type unconfined_t;
        type mock_root_t;
};
Move the mock_root_t type decl outside of the requires block.

Oh, and you should really do it like this (similar to my prior
discussion about creating a policy module for the samba issue):
$ mkdir mock
$ cd mock
$ vi mock.te
i(nsert)
policy_module(mock, 0.2)

require {
    type unconfined_t;
};

type mock_root_t;
files_type(mock_root_t) # allow this type to be used for files
allow unconfined_t mock_root_t:file execmod;
:wq
$ touch mock.if mock.fc
$ make -f /usr/share/selinux/devel/Makefile
$ su
# semodule -i mock.pp

Excellent - thanks.

Now why isn't this doing what I expect:

# semanage fcontext -a -t mock_root_t \
    /usr/share/fsdata/mock/'[^/]*/root(/.*)?'
# mkdir /usr/share/fsdata/mock/redhat-8.0-i386-core/root
# ls -lZ  /usr/share/fsdata/mock/redhat-8.0-i386-core
drwxrwsr-x  paul     mock     user_u:object_r:usr_t            result
drwxr-sr-x  root     mock     root:object_r:usr_t              root
drwxrwsr-x  paul     mock     user_u:object_r:usr_t            state
# restorecon -v /usr/share/fsdata/mock/redhat-8.0-i386-core/root
restorecon reset /usr/share/fsdata/mock/redhat-8.0-i386-core/root context root:object_r:usr_t->system_u:object_r:mock_root_t
# ls -lZ  /usr/share/fsdata/mock/redhat-8.0-i386-core
drwxrwsr-x  paul     mock     user_u:object_r:usr_t            result
drwxr-sr-x  root     mock     system_u:object_r:mock_root_t    root
drwxrwsr-x  paul     mock     user_u:object_r:usr_t            state

Why doesn't the directory /usr/share/fsdata/mock/redhat-8.0-i386-core/root get created as type mock_root_t in the first place rather than having to do the restorecon on it?

You need to tell mkdir which context to create it with or write a transition rule in policy that says when context ABC_t creates files in directories labeled DEF_T, create them GEH_T.

You can also look ad mkdir -Z.

I suspect this is why Aurelien's %pre script in the awstats package failed too.

Paul.

--
fedora-selinux-list mailing list
fedora-selinux-list redhat com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]