files contexts override via policy module

Hello,
I am sure this is a FAQ or a feature, but I want to know how to work
around:

I have cxoffice installed in my F8 home dir and I want some lib labeled
as textrel_shlib_t, but I cannot override the default user_home_t home
label via a policy module. 

NOTE1 it works if the directory is not under /home
NOTE2 there is nothing in the logs if it fails
NOTE3 It has been so since the introduction of modular policy in selinux

This is what I have tried so far in F8.
[root@jack sel]#cat local.fc
#cxoffice
#/home/alex/.cxoffice/dotwine/drive_c(/.*)?/.*\.exe -- system_u:object_r:textrel_shlib_t:s0

/home/alex/cxoffice/lib/wine/kernel32.dll.so -- system_u:object_r:textrel_shlib_t:s0

[root@jack sel]#semodule_package -o local.pp -m local.mod -f local.fc
[root@jack sel]#semodule -i local.pp
[root@jack sel]#ls -Z /home/alex/cxoffice/lib/wine/kernel32.dll.so
-rwxr-xr-x  alex alex system_u:object_r:user_home_t:s0 /home/alex/cxoffice/lib/wine/kernel32.dll.so
[root@jack sel]#restorecon /home/alex/cxoffice/lib/wine/kernel32.dll.so
[root@jack sel]#ls -Z /home/alex/cxoffice/lib/wine/kernel32.dll.so
-rwxr-xr-x  alex alex system_u:object_r:user_home_t:s0 /home/alex/cxoffice/lib/wine/kernel32.dll.so


(If I use the system-config-selinux UI, I can see the new entry in the
tab context among all the regexp)

Using semanage, it works:
[root@jack sel]#semodule -r local
[root@jack sel]#semanage fcontext -a -t textrel_shlib_t /home/alex/cxoffice/lib/wine/kernel32.dll.so
[root@jack sel]#ls -Z /home/alex/cxoffice/lib/wine/kernel32.dll.so
-rwxr-xr-x  alex alex system_u:object_r:user_home_t:s0 /home/alex/cxoffice/lib/wine/kernel32.dll.so
[root@jack sel]#restorecon /home/alex/cxoffice/lib/wine/kernel32.dll.so
[root@jack sel]#ls -Z /home/alex/cxoffice/lib/wine/kernel32.dll.so
-rwxr-xr-x  alex alex system_u:object_r:textrel_shlib_t:s0 /home/alex/cxoffice/lib/wine/kernel32.dll.so

and the custom rule appears in system-config-selinux UI at the end of
the policy.

So how do I have my module install my contexts the same way as semanage?
Should I bugzilla it?

BTW, how does system-config-selinux browse the file context policy? Is it
possible to see also the rules and type definition?

TIA
        jk

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
