Re: Create new types in modules?

[Daniel J Walsh <dwalsh@xxxxxxxxxx>]

Paul Howarth wrote:
> Stephen Smalley wrote:
> > On Thu, 2006-04-13 at 08:08 -0400, Stephen Smalley wrote:
> > > > So, my idea was to define everything under my chroot as a new type,
> > > > mock_root_t, and then have a module like this:
> > > >
> > > > module mock 0.2;
> > > >
> > > > require {
> > > >         class file execmod;
> > > >
> > > >         type unconfined_t;
> > > >         type mock_root_t;
> > > > };
> > > Move the mock_root_t type decl outside of the requires block.
> >
> > Oh, and you should really do it like this (similar to my prior
> > discussion about creating a policy module for the samba issue):
> > $ mkdir mock
> > $ cd mock
> > $ vi mock.te
> > i(nsert)
> > policy_module(mock, 0.2)
> >
> > require {
> >     type unconfined_t;
> > };
> >
> > type mock_root_t;
> > files_type(mock_root_t) # allow this type to be used for files
> > allow unconfined_t mock_root_t:file execmod;
> > :wq
> > $ touch mock.if mock.fc
> > $ make -f /usr/share/selinux/devel/Makefile
> > $ su
> > # semodule -i mock.pp
>
> Excellent - thanks.
>
> Now why isn't this doing what I expect:
>
> # semanage fcontext -a -t mock_root_t \
>     /usr/share/fsdata/mock/'[^/]*/root(/.*)?'
> # mkdir /usr/share/fsdata/mock/redhat-8.0-i386-core/root
> # ls -lZ  /usr/share/fsdata/mock/redhat-8.0-i386-core
> drwxrwsr-x  paul     mock     user_u:object_r:usr_t            result
> drwxr-sr-x  root     mock     root:object_r:usr_t              root
> drwxrwsr-x  paul     mock     user_u:object_r:usr_t            state
> # restorecon -v /usr/share/fsdata/mock/redhat-8.0-i386-core/root
> restorecon reset /usr/share/fsdata/mock/redhat-8.0-i386-core/root 
> context root:object_r:usr_t->system_u:object_r:mock_root_t
> # ls -lZ  /usr/share/fsdata/mock/redhat-8.0-i386-core
> drwxrwsr-x  paul     mock     user_u:object_r:usr_t            result
> drwxr-sr-x  root     mock     system_u:object_r:mock_root_t    root
> drwxrwsr-x  paul     mock     user_u:object_r:usr_t            state
>
> Why doesn't the directory 
> /usr/share/fsdata/mock/redhat-8.0-i386-core/root get created as type 
> mock_root_t in the first place rather than having to do the restorecon 
> on it?
You need to tell mkdir which context to create it with or write a 
transition rule in policy that says when context ABC_t creates files in 
directories labeled DEF_T, create them GEH_T.

You can also look ad mkdir -Z.

> I suspect this is why Aurelien's %pre script in the awstats package 
> failed too.
>
> Paul.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list