Re: semanage / file_contexts.local

Stephen Smalley wrote:
On Wed, 2006-03-29 at 13:39 +0100, Paul Howarth wrote:
On my FC4 system, I created a file /etc/selinux/targeted/contexts/files/file_contexts.local that contained the following lines:

/srv/backup(/.*)? system_u:object_r:ftpd_anon_rw_t
/srv/softlib(/.*)? system_u:object_r:ftpd_anon_rw_t

This was to ensure that files created in these areas got the right context, and that it would survive a relabel. Having since learned about customizable types, I probably didn't need to do that in this case, but the principle applies anyway.

My understanding is that in FC5, the equivalent thing to do for this would be to use semanage to add additional fcontext objects. Is that right (I think the semanage manpage could do with an example or two btw, hint, hint)?

Funny you should ask. See http://marc.theaimsgroup.com/?l=selinux&m=114358806507499&w=2

Ah, good :-)

My first question is: if I use semanage, is there a convenient way to check, on a running system, which objects are there as part of the base policy and which have been added later, like a file context equivalent of "semodule -l"?

Hmm...doesn't look like semanage presently has an option that invokes
just the xxx_list_local() interface of libsemanage versus the xxx_list()
interface.  Seems like a good idea.

My second question is: I have lots of log messages like this:

Mar 26 04:24:39 badby kernel: inode_doinit_with_dentry: context_to_sid(system_u:object_r:ftpd_anon_rw_t) returned 22 for dev=sdb6 ino=96769

Suggests that the type is no longer defined, which seems a bit
surprising.  Usually we add a type alias to keep it valid across
updates.

/srv/backup(/.*)? system_u:object_r:public_content_rw_t:s0
/srv/softlib(/.*)? system_u:object_r:public_content_rw_t:s0

or even deleting it entirely and doing the equivalent with semanage.
When I do one of these things, when will it take effect? Will I need to reboot, or rebuild policy somehow?

file_contexts.local will still be read by libselinux (matchpathcon), so
it can still be used, but using semanage is likely the better way
forward.  Once you've run the semanage command, it should rebuild and
push out an updated file_contexts file with your additions included, and
then any subsequent runs of restorecon/setfiles/... will make use of
those definitions.

Right, I moved the existing /etc/selinux/targeted/contexts/files/file_contexts.local out of the way and did:

# semanage fcontext -a -t public_content_rw_t '/srv/backup(/.*)?'
# semanage fcontext -a -t public_content_rw_t '/srv/softlib(/.*)?'

This then created a new /etc/selinux/targeted/contexts/files/file_contexts.local, which contained:

# This file is auto-generated by libsemanage
# Please use the semanage command to make changes

/srv/backup(/.*)?    system_u:object_r:public_content_rw_t:s0
/srv/softlib(/.*)?    system_u:object_r:public_content_rw_t:s0

So it seems that I can identify local changes by looking in the file (pretty much as before really, except that the file is created using semanage rather than vi).
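An added example, not from this thread and not libselinux or libsemanage code, that models the file_contexts mechanics discussed above. It parses a small constructed base file_contexts together with the libsemanage-generated file_contexts.local quoted in the message, resolves a path to a context with the last-match-wins rule (the base specs come first and the local file is appended after them, so a local entry overrides a base entry for the same path), lists which specs are local customisations, and flags specs whose type is not defined in the policy, the same type/policy mismatch that, for labels already on disk, produces the `context_to_sid(...) returned 22` messages in the kernel log (22 is EINVAL). The base entries and the set of defined types are constructed for the example; the function names are my own.

```python
import re
from typing import NamedTuple, Optional

# Constructed stand-in for the base file_contexts shipped with the policy.
BASE_FILE_CONTEXTS = """\
/.*                   system_u:object_r:default_t:s0
/srv(/.*)?            system_u:object_r:var_t:s0
/etc/shadow.*   --    system_u:object_r:shadow_t:s0
"""

# The file_contexts.local that semanage wrote in the message above.
LOCAL_FILE_CONTEXTS = """\
# This file is auto-generated by libsemanage
# Please use the semanage command to make changes

/srv/backup(/.*)?    system_u:object_r:public_content_rw_t:s0
/srv/softlib(/.*)?    system_u:object_r:public_content_rw_t:s0
"""

# The hand-written FC4 file from the start of the thread, whose type was
# dropped from the policy later on.
OLD_LOCAL_FILE_CONTEXTS = """\
/srv/backup(/.*)? system_u:object_r:ftpd_anon_rw_t
/srv/softlib(/.*)? system_u:object_r:ftpd_anon_rw_t
"""

# Constructed: types defined in the loaded policy (ftpd_anon_rw_t is gone).
DEFINED_TYPES = {"default_t", "var_t", "shadow_t", "public_content_rw_t"}

# user:role:type with an optional MLS/MCS range (which may itself contain ':').
CONTEXT_RE = re.compile(r"^[^:\s]+:[^:\s]+:[^:\s]+(?::[^\s]+)?$")


class Spec(NamedTuple):
    regex: str
    file_type: Optional[str]  # "--" regular file, "-d" directory, ...; None = any
    context: str
    local: bool               # True if the entry came from file_contexts.local
    compiled: re.Pattern


def parse_file_contexts(text: str, local: bool = False) -> list:
    """Parse file_contexts lines: REGEX [FILETYPE] CONTEXT, '#' comments allowed."""
    specs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 2:
            regex, ftype, ctx = fields[0], None, fields[1]
        elif len(fields) == 3 and fields[1].startswith("-"):
            regex, ftype, ctx = fields
        else:
            raise ValueError(f"line {lineno}: unrecognised spec {raw!r}")
        if ctx != "<<none>>" and not CONTEXT_RE.match(ctx):
            raise ValueError(f"line {lineno}: malformed context {ctx!r}")
        # setfiles anchors each regex to the whole path.
        specs.append(Spec(regex, ftype, ctx, local, re.compile("^" + regex + "$")))
    return specs


def build_specs() -> list:
    """Base specs first, local customisations appended after them."""
    return parse_file_contexts(BASE_FILE_CONTEXTS) + \
        parse_file_contexts(LOCAL_FILE_CONTEXTS, local=True)


def lookup(specs: list, path: str, file_type: str = "--") -> Optional[Spec]:
    """Return the last spec matching path and file type (last match wins)."""
    best = None
    for spec in specs:
        if spec.file_type not in (None, file_type):
            continue
        if spec.compiled.match(path):
            best = spec
    return best


def local_specs(specs: list) -> list:
    """The entries that were added locally rather than shipped with the policy."""
    return [s for s in specs if s.local]


def stale_specs(specs: list, defined_types: set) -> list:
    """Entries whose type is not defined in the policy; relabelling with these
    fails, and files already carrying such a label trigger the EINVAL log lines."""
    return [s for s in specs
            if s.context != "<<none>>" and s.context.split(":")[2] not in defined_types]


if __name__ == "__main__":
    specs = build_specs()
    for p in ("/srv/backup/dump.tar", "/srv/other", "/etc/shadow"):
        print(p, "->", lookup(specs, p).context)
    print("local:", [s.regex for s in local_specs(specs)])
    old = parse_file_contexts(OLD_LOCAL_FILE_CONTEXTS, local=True)
    print("stale:", [s.context for s in stale_specs(old, DEFINED_TYPES)])
```

The stale check is the one to run before a relabel after a policy update: it catches the old file_contexts.local entries naming a removed type before restorecon trips over them. Later versions of semanage also answer the two open questions in this thread directly: `semanage fcontext -l -C` lists only the local customisations, and `semanage export` / `semanage import` apply a whole batch of changes with a single policy rebuild.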

One last thing: is it possible to add multiple objects in a single semanage call? I ask because each one takes a while to run (to do the rebuild), and I can imagine that in an RPM package where there might be lots of calls to semanage being made in a %post scriptlet, it would be better to add all the objects at once and only do a single rebuild.

Paul.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
