How can I set label to symbolic link?

Shintaro Fujiwara shintaro.fujiwara at gmail.com
Mon Apr 20 13:23:22 UTC 2009


OK, actually I copied it from acct.fc which is the front runner of
policy in admin.
I've been reluctant to consult any SELinux book, you know...

I will fix this and hopefully I can write a good policy with the help
from my friends...

THKS!


2009/4/20 Paul Howarth <paul at city-fan.org>:
> Shintaro Fujiwara wrote:
>>
>> Here it is, sir...
>>
>> Well, actually I'm trying to write my segatex policy.
>> /usr/bin/segatex is actually link to /usr/bin/consolehelper
>>
>> In my INSTALL script I declared,
>> ##################################
>> ln -s /usr/bin/consolehelper /usr/bin/segatex
>> ##################################
>>
>> I've been running my program in unconfined domain for several years,
>> but I want to confine it now.
>> So, I tried to label segatex_exec_t to /usr/bin/segatex.
>>
>> Made it fine, install all-right.
>>
>> I could find segatex module, you know...
>> But alas,  I could not restorecon nor autorelabel.
>>
>> Why?
>>
>>
>> # segatex executable will have:
>> # label: system_u:object_r:segatex_exec_t
>> # MLS sensitivity: s0
>> # MCS categories: <none>
>>
>> /usr/bin/segatex         --         gen_context(system_u:object_r:segatex_exec_t,s0)
>> /usr/share/segatex(/.*)?         --         gen_context(system_u:object_r:segatex_etc_t,s0)
>
> You have "--" between /usr/bin/segatex and gen_context..., which means that
> your context specification applies only to regular files (not symlinks)
> called /usr/bin/segatex. You could use "-l" instead of "--" to specify a
> symlink, or just leave that field blank to mean anything (file, directory,
> socket, symlink etc.).
>
> Paul.
>
>



-- 
http://intrajp.no-ip.com/ Home Page
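
The file-type field Paul describes, as an added example that is not part of the original thread and is not SELinux's own matching code: a small Python check of which file-contexts entries apply to a path once its own file type (via lstat) is taken into account. The helper names, the use of Python's `re` in place of the real matcher, and the temporary symlink standing in for /usr/bin/segatex are assumptions.

```python
import os
import re
import stat
import tempfile

# File-type field of a file-contexts (.fc) entry -> test on the lstat() mode.
FC_TYPES = {
    "--": stat.S_ISREG, "-d": stat.S_ISDIR, "-l": stat.S_ISLNK,
    "-c": stat.S_ISCHR, "-b": stat.S_ISBLK, "-s": stat.S_ISSOCK,
    "-p": stat.S_ISFIFO,
}

def parse_fc(text):
    """Yield (path_regex, type_flag_or_None, context) for each .fc entry."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3 and fields[1] in FC_TYPES:
            yield fields[0], fields[1], fields[2]
        elif len(fields) == 2:
            yield fields[0], None, fields[1]  # blank field: any file type

def matching_contexts(fc_text, path, lstat_path=None):
    """Return contexts of all entries matching path and its own file type.

    lstat() judges a symlink as a symlink, not as its target. Python's re
    stands in for the real regex engine (assumption); precedence between
    several matching entries is not modelled.
    """
    mode = os.lstat(lstat_path or path).st_mode
    return [ctx for regex, flag, ctx in parse_fc(fc_text)
            if re.fullmatch(regex, path)
            and (flag is None or FC_TYPES[flag](mode))]

def demo():
    """Constructed sample: a temp symlink stands in for /usr/bin/segatex."""
    ctx = "gen_context(system_u:object_r:segatex_exec_t,s0)"
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "consolehelper")
        link = os.path.join(d, "segatex")
        open(target, "w").close()
        os.symlink(target, link)
        return {flag: matching_contexts(f"/usr/bin/segatex {flag} {ctx}",
                                        "/usr/bin/segatex", link)
                for flag in ("--", "-l", "")}

if __name__ == "__main__":
    for flag, hits in demo().items():
        print(repr(flag), "->", hits or "no entry applies to the symlink")
```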



