On Wed, Nov 11, 2009 at 12:09:14PM +0000, Moray Henderson (ICT) wrote: > Dominick Wrote: > >Now we have restorecond -u running and it can be a pain. especially for > >people that write their own custom modules. > > > >for example i have a backup script that can write anywhere in > >user_home_t. be it ~ or ~/Downloads. > > > >It write the backups with a special type, But restorecond -u resets it > >to user_home_t even before its finished writing ;) > > > >Here comes customizable_types in. This can be used to add the type to it > >so that restorecond -u doesnt try to reset it. > > > >Thats cool, but what if you update your selinux policy? will > >customizable_types be overwritten? Maybe it would be good to have a > >customizable_types.local so that you can add your customizable types > >there and not have to worry about policy updates or restorecond -u. > > > >What do you think about this idea? > > I remember how I discovered customizable_types in the first place - I wanted files to be reset from their old setting to the new one, and the command that was supposed to do it updated every file except the ones I particularly needed. I had set everything correctly in file_contexts - then eventually discovered that there was *another* file that told the system to disregard file_contexts for certain file contexts. I remember thinking - WHY? Isn't file_contexts supposed to be the place where you configure file contexts? > > Call me old-fashioned, but as a solution for your problem, I would recommend adding file context instructions to your policy so that restorecond sets your backup files to the correct context. > > Adding a new customizable file may sound like a neat solution, but in practice it would mean that someone trying to debug "Why doesn't this file have the right context?" now has to know about three different places that the problem might be coming from. I can also use this argument to my advantage: What if i have a policy that allows some domain to manage a file in user_home_t with its own type (example blah_home_t). I start the confined domain and notice that any file created by it has user_home_t (instead of blah_home_t), whilst i implicitly defined a type transition. I would expect the file to have the type that i defined and not user_home_t. That is confusing as well. > > By the way, I also agree with Matthew Ife's thread from last month about the need for good, practical documentation on how to use SELinux in real system administration rather than conceptual theory. It's especially important for those who learned the theory under an older version, but need to do things with the new. I had such a struggle with customizable_types because it wasn't there in RHEL 4. > > > Moray. > "To err is human. To purr, feline" > > > -- > fedora-selinux-list mailing list > fedora-selinux-list@xxxxxxxxxx > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Attachment:
pgp5qTS7nBVM8.pgp
Description: PGP signature
-- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list