Stephen Smalley wrote:
On Fri, 2006-04-14 at 08:54 -0400, Daniel J Walsh wrote:
Excellent - thanks.
Now why isn't this doing what I expect:
# semanage fcontext -a -t mock_root_t \
/usr/share/fsdata/mock/'[^/]*/root(/.*)?'
# mkdir /usr/share/fsdata/mock/redhat-8.0-i386-core/root
# ls -lZ /usr/share/fsdata/mock/redhat-8.0-i386-core
drwxrwsr-x paul mock user_u:object_r:usr_t result
drwxr-sr-x root mock root:object_r:usr_t root
drwxrwsr-x paul mock user_u:object_r:usr_t state
# restorecon -v /usr/share/fsdata/mock/redhat-8.0-i386-core/root
restorecon reset /usr/share/fsdata/mock/redhat-8.0-i386-core/root
context root:object_r:usr_t->system_u:object_r:mock_root_t
# ls -lZ /usr/share/fsdata/mock/redhat-8.0-i386-core
drwxrwsr-x paul mock user_u:object_r:usr_t result
drwxr-sr-x root mock system_u:object_r:mock_root_t root
drwxrwsr-x paul mock user_u:object_r:usr_t state
Why doesn't the directory
/usr/share/fsdata/mock/redhat-8.0-i386-core/root get created as type
mock_root_t in the first place rather than having to do the restorecon
on it?
You need to tell mkdir which context to create it with or write a
transition rule in policy that says when context ABC_t creates files in
directories labeled DEF_T, create them GEH_T.
You can also look ad mkdir -Z.
A bit of explanation: The file contexts configuration is only intended
to establish the initial state of the filesystem, for use by programs
like rpm and install, based on some external knowledge about the
security properties of files and some assumptions about secure creation
and distribution of the packages in the first place. For normal file
creation at runtime, we don't want to rely on anything path-based at all
because that doesn't tell us anything about the real security properties
of the object; we want to label the files in accordance with the
security properties of their creator, related objects (e.g. parent
directory), and the runtime kernel policy (type transition rules). So a
directory created by mkdir isn't going to automatically pick up the
context defined in file_contexts. The user can force it to that context
(if allowed to do so by policy) via mkdir -Z or by running restorecon
after the fact, but that does require explicit action by the user, and
won't be allowed under some policies.
OK, what I've got now is as follows:
mock.if:
########################################
## <summary>
## Create objects in the /var/lib/mock directory
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="file_type">
## <summary>
## The type of the object to be created
## </summary>
## </param>
## <param name="object_class">
## <summary>
## The object class.
## </summary>
## </param>
#
interface(`files_var_lib_mock_filetrans',`
gen_require(`
type var_t, var_lib_t, mock_var_lib_t;
')
allow $1 var_t:dir search_dir_perms;
allow $1 var_lib_t:dir search_dir_perms;
allow $1 mock_var_lib_t:dir rw_dir_perms;
type_transition $1 mock_var_lib_t:$3 $2;
')
mock.fc:
/var/lib/mock(/[^/]*)?
gen_context(system_u:object_r:mock_var_lib_t,s0)
/var/lib/mock/[^/]*/.*
gen_context(system_u:object_r:mock_root_t,s0)
mock.te:
policy_module(mock, 0.5)
require {
type unconfined_t;
};
# New types for mock, used for files
type mock_root_t;
files_type(mock_root_t)
type mock_var_lib_t;
files_type(mock_var_lib_t)
# Type transition needed to ensure roots get created as mock_root_t
files_var_lib_mock_filetrans(unconfined_t,mock_root_t,{ file dir })
# Old libraries may need execmod permission
allow unconfined_t mock_root_t:file execmod;
This all seems to work very nicely, provided the module is loaded before
mock is installed so that /var/lib/mock gets created as mock_var_lib_t
Otherwise, a restorecon is needed.
Cheers, Paul.
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
