Create new types in modules?
Daniel J Walsh
dwalsh at redhat.com
Fri Apr 14 12:54:11 UTC 2006
Paul Howarth wrote:
> Stephen Smalley wrote:
>> On Thu, 2006-04-13 at 08:08 -0400, Stephen Smalley wrote:
>>>> So, my idea was to define everything under my chroot as a new type,
>>>> mock_root_t, and then have a module like this:
>>>>
>>>> module mock 0.2;
>>>>
>>>> require {
>>>> class file execmod;
>>>>
>>>> type unconfined_t;
>>>> type mock_root_t;
>>>> };
>>> Move the mock_root_t type decl outside of the requires block.
>>
>> Oh, and you should really do it like this (similar to my prior
>> discussion about creating a policy module for the samba issue):
>> $ mkdir mock
>> $ cd mock
>> $ vi mock.te
>> i(nsert)
>> policy_module(mock, 0.2)
>>
>> require {
>> type unconfined_t;
>> };
>>
>> type mock_root_t;
>> files_type(mock_root_t) # allow this type to be used for files
>> allow unconfined_t mock_root_t:file execmod;
>> :wq
>> $ touch mock.if mock.fc
>> $ make -f /usr/share/selinux/devel/Makefile
>> $ su
>> # semodule -i mock.pp
>
> Excellent - thanks.
>
> Now why isn't this doing what I expect:
>
> # semanage fcontext -a -t mock_root_t \
> /usr/share/fsdata/mock/'[^/]*/root(/.*)?'
> # mkdir /usr/share/fsdata/mock/redhat-8.0-i386-core/root
> # ls -lZ /usr/share/fsdata/mock/redhat-8.0-i386-core
> drwxrwsr-x paul mock user_u:object_r:usr_t result
> drwxr-sr-x root mock root:object_r:usr_t root
> drwxrwsr-x paul mock user_u:object_r:usr_t state
> # restorecon -v /usr/share/fsdata/mock/redhat-8.0-i386-core/root
> restorecon reset /usr/share/fsdata/mock/redhat-8.0-i386-core/root
> context root:object_r:usr_t->system_u:object_r:mock_root_t
> # ls -lZ /usr/share/fsdata/mock/redhat-8.0-i386-core
> drwxrwsr-x paul mock user_u:object_r:usr_t result
> drwxr-sr-x root mock system_u:object_r:mock_root_t root
> drwxrwsr-x paul mock user_u:object_r:usr_t state
>
> Why doesn't the directory
> /usr/share/fsdata/mock/redhat-8.0-i386-core/root get created as type
> mock_root_t in the first place rather than having to do the restorecon
> on it?
>
You need to tell mkdir which context to create it with or write a
transition rule in policy that says when context ABC_t creates files in
directories labeled DEF_t, create them GEH_t.
You can also look at mkdir -Z.
> I suspect this is why Aurelien's %pre script in the awstats package
> failed too.
>
> Paul.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
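The transition-rule route Dan describes, written out as an added example (not code from the thread): Stephen's mock.te extended with a type_transition so the root directory gets mock_root_t at creation time instead of via restorecon. The mock_base_t type and the mock.fc lines are assumptions made for this example; only mock_root_t, unconfined_t and usr_t come from the thread.

```selinux
policy_module(mock, 0.3)

require {
    type unconfined_t;
    type usr_t;
}

# Type for the chroot contents, as in the thread. files_type() registers
# it as a file type so it can label directories and files.
type mock_root_t;
files_type(mock_root_t)
allow unconfined_t mock_root_t:file execmod;

# semanage fcontext entries only drive restorecon/setfiles. What the kernel
# assigns when a directory is created is the parent's type unless a
# type_transition rule says otherwise, which is why mkdir gave usr_t.

# Option A (broad): any directory unconfined_t creates inside a usr_t
# directory becomes mock_root_t. Matches the thread's layout, but fires
# everywhere under /usr, not just under /usr/share/fsdata/mock.
# type_transition unconfined_t usr_t:dir mock_root_t;

# Option B (narrow): give the per-chroot parent its own type (mock_base_t
# is a name assumed for this example) and transition only from there.
type mock_base_t;
files_type(mock_base_t)
type_transition unconfined_t mock_base_t:dir mock_root_t;

# mock.fc for option B (assumed; regex follows the thread's semanage call).
# Directories created afterwards under root/ inherit mock_root_t from
# their parent, so no further rule is needed for nested content.
# /usr/share/fsdata/mock/[^/]*          -d  gen_context(system_u:object_r:mock_base_t,s0)
# /usr/share/fsdata/mock/[^/]*/root(/.*)?   gen_context(system_u:object_r:mock_root_t,s0)
```

Build and load it exactly as in Stephen's recipe (make -f /usr/share/selinux/devel/Makefile; semodule -i mock.pp), then run restorecon once on the existing per-chroot directories so they carry mock_base_t before new root directories are created.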