Laurent Jacquot wrote:
> On Tuesday 20 November 2007 at 08:39 -0500, Daniel J Walsh wrote:
>> Laurent Jacquot wrote:
>>> Hello,
>>> I am sure this is a FAQ or a feature, but I want to know how to work
>>> around:
>>>
>>> I have cxoffice installed in my F8 home dir and I want some lib labeled
>>> as textrel_shlib_t, but I cannot override the default user_home_t home
>>> label via a policy module.
>>>
>>> NOTE1 it works if the directory is not under /home
>>> NOTE2 there is nothing in the logs if it fails
>>> NOTE3 It has been so since the introduction of modular policy in selinux
>>>
>>> What is what I have tried so far in F8.
>>> [root@jack sel]#cat local.fc
>>> #cxoffice
>>> #/home/alex/.cxoffice/dotwine/drive_c(/.*)?/.*\.exe -- system_u:object_r:textrel_shlib_t:s0
>>>
>>> /home/alex/cxoffice/lib/wine/kernel32.dll.so -- system_u:object_r:textrel_shlib_t:s0
>>>
>>> [root@jack sel]#semodule_package -o local.pp -m local.mod -f local.fc
>>> [root@jack sel]#semodule -i local.pp
>>> [root@jack sel]#ls -Z /home/alex/cxoffice/lib/wine/kernel32.dll.so
>>> -rwxr-xr-x alex alex system_u:object_r:user_home_t:s0 /home/alex/cxoffice/lib/wine/kernel32.dll.so
>>> [root@jack sel]#restorecon /home/alex/cxoffice/lib/wine/kernel32.dll.so
>>> [root@jack sel]#ls -Z /home/alex/cxoffice/lib/wine/kernel32.dll.so
>>> -rwxr-xr-x alex alex system_u:object_r:user_home_t:s0 /home/alex/cxoffice/lib/wine/kernel32.dll.so
>>>
>>>
>>> (If I use the system-config-selinux UI, I can see the new entry in the
>>> tab context among all the regexp)
>>>
>>> Using semanage, it works:
>>> [root@jack sel]#semodule -r local
>>> [root@jack sel]#semanage fcontext -a -t textrel_shlib_t /home/alex/cxoffice/lib/wine/kernel32.dll.so
>>> [root@jack sel]#ls -Z /home/alex/cxoffice/lib/wine/kernel32.dll.so
>>> -rwxr-xr-x alex alex system_u:object_r:user_home_t:s0 /home/alex/cxoffice/lib/wine/kernel32.dll.so
>>> [root@jack sel]#restorecon /home/alex/cxoffice/lib/wine/kernel32.dll.so
>>> [root@jack sel]#ls -Z /home/alex/cxoffice/lib/wine/kernel32.dll.so
>>> -rwxr-xr-x alex alex system_u:object_r:textrel_shlib_t:s0 /home/alex/cxoffice/lib/wine/kernel32.dll.so
>>>
>>> and the custom rule appears in system-config-selinux UI at the end of
>>> the policy.
>>>
>>> So how do I have my module install my contexts the same way as semanage?
>>> Should I bugzilla it?
>>>
>>> BTW, how does system-config-selinux browse the file context policy? Is it
>>> possible to see also the rules and type definition?
>>>
>>> TIA
>>> jk
>>>
>>> --
>>> fedora-selinux-list mailing list
>>> fedora-selinux-list@xxxxxxxxxx
>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>> This looks like a bug in libsemanage or in the file context labeling
>> algorithm.
>>
>> I believe matchpathcon is reading in file_contexts,
>> file_contexts.homedirs, file_contexts.local and taking the last entry.
>>
>> So using semodule to add a pp file updates the file_contexts file, in
>> which case the homedirs is overriding. semanage fcontext updates the
>> file_contexts.local.
>>
>> If you tried
>>
>> HOME_DIR/\.cxoffice/dotwine/drive_c(/.*)?/.*\.exe -- system_u:object_r:textrel_shlib_t:s0
>>
>> It should update the file_contexts.homedirs file.
>>
> I confirm this works. Thanks!
> Should I bugzilla it or is it the way it should be?
>
> jk

You can bugzilla it, but it probably should be brought up for discussion
on the <selinux@xxxxxxxxxxxxx> list.
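The lookup order described in the reply above (three files read in sequence, last matching entry wins) can be modelled in a few lines. This is an added example, not part of the original thread and not libselinux code. It is a simplified model: the file-type field is ignored, and the generic home rule, the `HOME_DIR` form of the kernel32 path and its position in `file_contexts.homedirs` are assumptions.

```python
import re

# Constructed sample entries, in the order the reply says the files are read.
# HOME_RULE is an assumed stand-in for the policy's generic home-directory rule.
TARGET = "/home/alex/cxoffice/lib/wine/kernel32.dll.so"
HOME_RULE = ("/home/[^/]+/.+", "system_u:object_r:user_home_t:s0")
LIB_RULE = (TARGET, "system_u:object_r:textrel_shlib_t:s0")


def expand_home_dir(pattern, home="/home/[^/]+"):
    """Expand the HOME_DIR template into a homedirs-style regex (simplified)."""
    return pattern.replace("HOME_DIR", home, 1)


def lookup(path, file_contexts, homedirs, local):
    """Return (context, source_file) of the last entry whose regex matches path."""
    result = (None, None)
    for source, entries in (("file_contexts", file_contexts),
                            ("file_contexts.homedirs", homedirs),
                            ("file_contexts.local", local)):
        for pattern, context in entries:
            if re.fullmatch(pattern, path):
                result = (context, source)  # later entries override earlier ones
    return result


def scenarios():
    """Label chosen for TARGET under each of the three approaches in the thread."""
    # Hypothetical HOME_DIR form of the kernel32 entry (the reply shows the .exe one).
    templ = (expand_home_dir("HOME_DIR/cxoffice/lib/wine/kernel32\\.dll\\.so"),
             LIB_RULE[1])
    return {
        # semodule -i local.pp with an absolute /home path: lands in file_contexts
        "module_absolute": lookup(TARGET, [LIB_RULE], [HOME_RULE], []),
        # semanage fcontext -a: lands in file_contexts.local
        "semanage_local": lookup(TARGET, [], [HOME_RULE], [LIB_RULE]),
        # module using HOME_DIR: lands in file_contexts.homedirs
        # (assumed to be placed after the generic rule)
        "module_home_dir": lookup(TARGET, [], [HOME_RULE, templ], []),
    }


if __name__ == "__main__":
    for name, (context, source) in scenarios().items():
        print(f"{name:16} -> {context}  (from {source})")
```

On a real system, `matchpathcon <path>` prints the context the installed file-context configuration would assign, which is the quickest check before running `restorecon`.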