How can I set label to symbolic link?
Paul Howarth
paul at city-fan.org
Mon Apr 20 12:53:53 UTC 2009
Shintaro Fujiwara wrote:
> Here it is, sir...
>
> Well, actually I'm trying to write my segatex policy.
> /usr/bin/segatex is actually a link to /usr/bin/consolehelper
>
> In my INSTALL script I declared,
> ##################################
> ln -s /usr/bin/consolehelper /usr/bin/segatex
> ##################################
>
> I've been running my program in unconfined domain for several years,
> but I want to confine it now.
> So, I tried to label segatex_exec_t to /usr/bin/segatex.
>
> Made it fine, installed all right.
>
> I could find segatex module, you know...
> But alas, I could not restorecon nor autorelabel.
>
> Why?
>
>
> # segatex executable will have:
> # label: system_u:object_r:segatex_exec_t
> # MLS sensitivity: s0
> # MCS categories: <none>
>
> /usr/bin/segatex -- gen_context(system_u:object_r:segatex_exec_t,s0)
> /usr/share/segatex(/.*)? -- gen_context(system_u:object_r:segatex_etc_t,s0)

You have "--" between /usr/bin/segatex and gen_context..., which means
that your context specification applies only to regular files (not
symlinks) called /usr/bin/segatex. You could use "-l" instead of "--" to
specify a symlink, or just leave that field blank to mean anything
(file, directory, socket, symlink etc.).
Paul.
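
Added example, not part of the original message and not libselinux code: a small Python check that evaluates the file-type field of a file-context entry against what lstat() reports, showing why the "--" entry above never applies to the /usr/bin/segatex symlink while "-l" or a blank field does. The helper names are hypothetical, the symlink is constructed in a temporary directory, and Python's re module is assumed to stand in for the policy's regex matching.

```python
import os, re, stat, tempfile

# Second-field specifiers of a file_contexts entry and the lstat() test each implies.
FC_TYPES = {"--": stat.S_ISREG, "-d": stat.S_ISDIR, "-l": stat.S_ISLNK,
            "-c": stat.S_ISCHR, "-b": stat.S_ISBLK, "-s": stat.S_ISSOCK,
            "-p": stat.S_ISFIFO}

CTX = "gen_context(system_u:object_r:segatex_exec_t,s0)"
VARIANTS = {  # the entry from the thread, then the two fixes from the reply
    "original": f"/usr/bin/segatex -- {CTX}",
    "symlink": f"/usr/bin/segatex -l {CTX}",
    "blank": f"/usr/bin/segatex {CTX}",
}

def parse_fc(text):
    """Yield (path_regex, type_spec or None, context) for each entry."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) == 2:                 # type field blank: any file type
            yield fields[0], None, fields[1]
        elif len(fields) == 3 and fields[1] in FC_TYPES:
            yield fields[0], fields[1], fields[2]

def matching_entries(fc_text, path, mode):
    """Entries whose pattern and file-type field both apply to path.
    mode must come from lstat() so that a symlink is judged as a symlink."""
    hits = []
    for regex, spec, context in parse_fc(fc_text):
        # Assumption: Python's re stands in for the policy's regex engine.
        if re.fullmatch(regex, path) and (spec is None or FC_TYPES[spec](mode)):
            hits.append((spec, context))
    return hits

def demo():
    """Recreate the INSTALL script's symlink in a temp dir (constructed sample)."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "consolehelper")
        open(target, "w").close()
        link = os.path.join(d, "segatex")
        os.symlink(target, link)
        mode = os.lstat(link).st_mode
        return {k: matching_entries(fc, "/usr/bin/segatex", mode)
                for k, fc in VARIANTS.items()}

if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name:9} -> {hits or 'no entry applies to the symlink'}")
```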