On Fri, 2006-04-14 at 08:54 -0400, Daniel J Walsh wrote:
> > Excellent - thanks.
> >
> > Now why isn't this doing what I expect:
> >
> > # semanage fcontext -a -t mock_root_t \
> > /usr/share/fsdata/mock/'[^/]*/root(/.*)?'
> > # mkdir /usr/share/fsdata/mock/redhat-8.0-i386-core/root
> > # ls -lZ /usr/share/fsdata/mock/redhat-8.0-i386-core
> > drwxrwsr-x paul mock user_u:object_r:usr_t result
> > drwxr-sr-x root mock root:object_r:usr_t root
> > drwxrwsr-x paul mock user_u:object_r:usr_t state
> > # restorecon -v /usr/share/fsdata/mock/redhat-8.0-i386-core/root
> > restorecon reset /usr/share/fsdata/mock/redhat-8.0-i386-core/root
> > context root:object_r:usr_t->system_u:object_r:mock_root_t
> > # ls -lZ /usr/share/fsdata/mock/redhat-8.0-i386-core
> > drwxrwsr-x paul mock user_u:object_r:usr_t result
> > drwxr-sr-x root mock system_u:object_r:mock_root_t root
> > drwxrwsr-x paul mock user_u:object_r:usr_t state
> >
> > Why doesn't the directory
> > /usr/share/fsdata/mock/redhat-8.0-i386-core/root get created as type
> > mock_root_t in the first place rather than having to do the restorecon
> > on it?
> >
> You need to tell mkdir which context to create it with or write a
> transition rule in policy that says when context ABC_t creates files in
> directories labeled DEF_T, create them GEH_T.
>
> You can also look at mkdir -Z.

A bit of explanation: The file contexts configuration is only intended to
establish the initial state of the filesystem, for use by programs like rpm
and install, based on some external knowledge about the security properties
of files and some assumptions about secure creation and distribution of the
packages in the first place.

For normal file creation at runtime, we don't want to rely on anything
path-based at all because that doesn't tell us anything about the real
security properties of the object; we want to label the files in accordance
with the security properties of their creator, related objects (e.g. parent
directory), and the runtime kernel policy (type transition rules). So a
directory created by mkdir isn't going to automatically pick up the context
defined in file_contexts. The user can force it to that context (if allowed
to do so by policy) via mkdir -Z or by running restorecon after the fact, but
that does require explicit action by the user, and won't be allowed under
some policies.

-- 
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
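The distinction Stephen draws between path-based file_contexts lookups and creation-time labeling, as an added Python model that is not code from this thread, from libselinux or from the kernel: it reduces each mechanism to a small function and replays the quoted session. The regex is the one from the quoted semanage command; the first file_contexts entry is a constructed stand-in for the distribution default for /usr/share, and sysadm_t (root's domain) and mock_t (a domain for the mock tool) are assumed names used only to show what a type_transition rule changes.

```python
"""Toy model of the two SELinux labeling mechanisms contrasted in the
message above.  Constructed illustration, not libselinux or kernel code:

  * file_contexts: path regexes, consulted by restorecon/setfiles/rpm only;
  * type_transition rules: consulted by the kernel when an object is created,
    keyed on the creator's domain and the parent directory's type, never on
    the path.
"""
import re

# file_contexts entries as (regex, type).  The second entry is the one the
# quoted semanage command adds; the first is a constructed stand-in for the
# distribution default.  When several entries match, the last one listed
# wins in this model, which is the precedence that lets an entry semanage
# appends to the local file override the default.
FILE_CONTEXTS = [
    (r"/usr/share(/.*)?", "usr_t"),
    (r"/usr/share/fsdata/mock/[^/]*/root(/.*)?", "mock_root_t"),
]


def matchpathcon(path):
    """Type that file_contexts assigns to path, or None if nothing matches.
    Regexes are anchored to the whole path, as libselinux anchors them."""
    winner = None
    for regex, typ in FILE_CONTEXTS:
        if re.fullmatch(regex, path):
            winner = typ
    return winner


def create_label(creator_domain, parent_type, obj_class="dir", rules=None):
    """Type the kernel gives a newly created object.

    A matching type_transition rule (creator domain, parent type, class)
    decides; otherwise the object inherits its parent directory's type.
    The path is deliberately not a parameter: creation-time labeling never
    looks at it, which is exactly why the quoted mkdir produced usr_t.
    """
    rules = rules or {}
    return rules.get((creator_domain, parent_type, obj_class), parent_type)


def restorecon(path, current_type):
    """What restorecon does: reset the type to the file_contexts match.
    Returns (resulting type, whether a relabel happened)."""
    wanted = matchpathcon(path)
    if wanted is None or wanted == current_type:
        return current_type, False
    return wanted, True


def demo():
    """Replay the sequence from the quoted session."""
    path = "/usr/share/fsdata/mock/redhat-8.0-i386-core/root"
    # mkdir run from root's domain (sysadm_t assumed) inside a usr_t
    # directory with no transition rule: the new dir inherits usr_t.
    created = create_label("sysadm_t", "usr_t")
    # restorecon is the first step that consults the path regex.
    relabeled, changed = restorecon(path, created)
    # The fix Daniel suggests: a type_transition rule in policy.  mock_t is
    # a hypothetical creator domain for the mock tool.
    rule = {("mock_t", "usr_t", "dir"): "mock_root_t"}
    with_rule = create_label("mock_t", "usr_t", rules=rule)
    return {"created": created, "after_restorecon": relabeled,
            "relabeled": changed, "with_transition_rule": with_rule}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the quoted outcome (usr_t at mkdir time, mock_root_t only after restorecon) and that the rule-based variant labels the directory correctly at creation without any path lookup; the sibling directories result and state still resolve to usr_t because the regex's `[^/]*` cannot cross a slash and `/root` must follow it.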