Create new types in modules?

Paul Howarth paul at city-fan.org
Thu Apr 13 13:17:23 UTC 2006


Stephen Smalley wrote:
> On Thu, 2006-04-13 at 08:08 -0400, Stephen Smalley wrote:
>>> So, my idea was to define everything under my chroot as a new type,
>>> mock_root_t, and then have a module like this:
>>>
>>> module mock 0.2;
>>>
>>> require {
>>>         class file execmod;
>>>
>>>         type unconfined_t;
>>>         type mock_root_t;
>>> };
>> Move the mock_root_t type decl outside of the requires block.
> 
> Oh, and you should really do it like this (similar to my prior
> discussion about creating a policy module for the samba issue):
> $ mkdir mock
> $ cd mock
> $ vi mock.te
> i(nsert)
> policy_module(mock, 0.2)
> 
> require {
> 	type unconfined_t;
> };
> 
> type mock_root_t;
> files_type(mock_root_t) # allow this type to be used for files
> allow unconfined_t mock_root_t:file execmod;
> :wq
> $ touch mock.if mock.fc
> $ make -f /usr/share/selinux/devel/Makefile
> $ su
> # semodule -i mock.pp

Excellent - thanks.

Now why isn't this doing what I expect:

# semanage fcontext -a -t mock_root_t \
	/usr/share/fsdata/mock/'[^/]*/root(/.*)?'
# mkdir /usr/share/fsdata/mock/redhat-8.0-i386-core/root
# ls -lZ  /usr/share/fsdata/mock/redhat-8.0-i386-core
drwxrwsr-x  paul     mock     user_u:object_r:usr_t            result
drwxr-sr-x  root     mock     root:object_r:usr_t              root
drwxrwsr-x  paul     mock     user_u:object_r:usr_t            state
# restorecon -v /usr/share/fsdata/mock/redhat-8.0-i386-core/root
restorecon reset /usr/share/fsdata/mock/redhat-8.0-i386-core/root context root:object_r:usr_t->system_u:object_r:mock_root_t
# ls -lZ  /usr/share/fsdata/mock/redhat-8.0-i386-core
drwxrwsr-x  paul     mock     user_u:object_r:usr_t            result
drwxr-sr-x  root     mock     system_u:object_r:mock_root_t    root
drwxrwsr-x  paul     mock     user_u:object_r:usr_t            state

Why doesn't the directory /usr/share/fsdata/mock/redhat-8.0-i386-core/root get created as type mock_root_t in the first place rather than having to do the restorecon on it?

I suspect this is why Aurelien's %pre script in the awstats package failed too.

Paul.
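Added example, not part of the thread or of Paul's or Stephen's module: a version of the mock module that labels the chroot root directory at creation time. It rests on two facts about SELinux labeling. Entries added with `semanage fcontext` go into the file_contexts database, which is consulted only by the relabeling tools (restorecon, setfiles, matchpathcon); when a process creates a file or directory, the kernel labels it with the parent directory's type (usr_t in the `ls -Z` output above) unless a `type_transition` rule in the loaded policy says otherwise. That is why `mkdir` produced usr_t and only `restorecon` applied mock_root_t. The assumptions are that the directory is created by a process running as unconfined_t (root at a shell) and that its parent is usr_t; the named-transition form in the comment needs policy version 25 or later, well after this 2006 thread.

```selinux
# mock.te (added example; builds with the same
#   make -f /usr/share/selinux/devel/Makefile  /  semodule -i mock.pp
# steps shown in the thread)
policy_module(mock, 0.2)

require {
	type unconfined_t;
	type usr_t;       # parent directory type seen in the ls -Z output
};

type mock_root_t;
files_type(mock_root_t)  # allow this type to be used for files

# Rule from the thread: allow text relocations on files of the new type.
allow unconfined_t mock_root_t:file execmod;

# Creation-time labeling: a directory that unconfined_t creates inside a
# usr_t directory is born as mock_root_t, so no restorecon is needed.
# Caveat (assumption about scope): this matches every directory
# unconfined_t creates under usr_t, which is broader than the fcontext
# regex. Policy version 25 and later can restrict it to one name:
#   type_transition unconfined_t usr_t:dir mock_root_t "root";
type_transition unconfined_t usr_t:dir mock_root_t;
```

Keep the `semanage fcontext` entry as well: the transition rule covers creation, while the file_contexts entry is what a later `restorecon` or full relabel uses, and the two must agree or a relabel will flip the type back. To check the database without changing anything, `matchpathcon /usr/share/fsdata/mock/redhat-8.0-i386-core/root` prints the context file_contexts assigns to that path, and `restorecon -n -v` on the path reports what it would reset without touching the label.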
