On 02/16/2010 11:05 AM, ESGLinux wrote:
> 2010/2/16 Dominick Grift <domg472@xxxxxxxxx>
>
>> On 02/16/2010 09:21 AM, ESGLinux wrote:
>>> Hi All,
>>>
>>> I'm a bit of a newbie with SELinux (nothing more than looking at sealert -b and
>>> doing what it says...) and now I want to learn more about it because I have a
>>> problem:
>>>
>>> I need to set the permissions on files that are going to be created, but
>>> these permissions depend on the name of the file. Is it possible?
>>
>> I do not believe this is possible.
>>
>
> I thought it is the same as what you can see in the
> file /etc/selinux/targeted/contexts/files/file_contexts
> for example
> /mnt(/[^/]*) -l system_u:object_r:mnt_t:s0
>
> With a pattern you assign a context. So I thought you can use this to assign
> permissions or modify the access to the files.
>
> Am I wrong?

Well, you can use file context specifications to restore the contexts of files to the specified context, but I believe this often will not work for creating files, unless you use restorecond. restorecond is a daemon that monitors the filesystem and restores locations to the specified contexts as soon as they are created.

But to really create a file with a specified context requires a file type transition. File type transitions depend on which process type creates which class of file object where. So some examples of type transitions:

if a process with type bla_t creates a file in a directory with type hello_t, then type transition to type bla_hello_file_t
if a process with type bla_t creates a sock_file in a directory with type hello_t, then type transition to type bla_hello_sock_file_t
if a process with type bla_t creates a file in a directory with type bye_t, then type transition to type bla_bye_file_t
if a process with type foo_t creates a dir in a directory with type hello_t, then type transition to type foo_hello_dir_t

So there are possibilities, but you cannot use file names to specify type transitions.

You can use file names for file context specifications, however, but that requires that you enable and configure restorecond, and it does not actually create the objects with the specified type. The restorecond daemon just restores the context of a file to the specified context as soon as it is created. An example of restorecond is how it runs in Fedora 12 in a GNOME session (restorecond -u).

>
>>> by the way, any doc about SELinux for beginners? the official doc scares ;-)
>>
>> http://docs.fedoraproject.org/selinux-user-guide/f12/en-US/
>
> Thanks, I'm going to study this doc,
>
> ESG
>
>>> Thanks in advance,
>>>
>>> ESG
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
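The two mechanisms Dominick contrasts above, as an added worked example that is not code from the thread or from Fedora's policy: a minimal policy module in the raw module language that checkmodule(8) accepts (no refpolicy build environment needed) implementing a "process type + directory type + object class -> new file type" transition, next to the path-based route (a file context spec plus restorecond) that can only relabel a file after it already exists. The domain httpd_t, the directory type var_log_t, the new type myapp_log_t, the file_type attribute and the path /var/log/myapp.log are assumptions chosen for illustration; substitute your own. The transition rule carries no file name, which is exactly the limitation the reply describes; policy version 25 and later accept a trailing name argument on type_transition, but that did not exist in the 2010-era policy discussed here.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread.
# Assumptions (hypothetical): creating domain httpd_t, parent directory type
# var_log_t, new type myapp_log_t, attribute file_type present in the loaded
# policy, watched path /var/log/myapp.log.
set -eu

MODULE=myapp_ftrans
WATCHED_PATH=/var/log/myapp.log

# Policy source in the raw module language accepted by checkmodule(8).
render_policy() {
cat <<'EOF'
module myapp_ftrans 1.0;

require {
    type httpd_t;
    type var_log_t;
    attribute file_type;
    class dir { search write add_name };
    class file { create open getattr append write };
}

# New type for the file the daemon will create.
type myapp_log_t;
typeattribute myapp_log_t file_type;

# A transition only decides the label; the domain still needs permission to
# add an entry to the directory and to create/write a file of the new type.
allow httpd_t var_log_t:dir { search write add_name };
allow httpd_t myapp_log_t:file { create open getattr append write };

# The rule itself: source domain, target (directory) type, object class,
# resulting type. No file name appears here.
type_transition httpd_t var_log_t:file myapp_log_t;
EOF
}

# Number of type_transition rules in the rendered module; a quick sanity
# check that the source says what we think it says.
count_transitions() {
    render_policy | grep -c '^type_transition '
}

# Compile and load the module. Needs the SELinux userland tools and root;
# refuses politely on a machine without them.
load_module() {
    for tool in checkmodule semodule_package semodule; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing $tool" >&2; return 1; }
    done
    render_policy > "$MODULE.te"
    checkmodule -M -m -o "$MODULE.mod" "$MODULE.te"
    semodule_package -o "$MODULE.pp" -m "$MODULE.mod"
    semodule -i "$MODULE.pp"
}

# The name-based route: a file context spec plus restorecond. This never
# creates the file with myapp_log_t; restorecond relabels it after creation,
# so there is a window in which the file carries the directory's default type.
register_path_label() {
    command -v semanage >/dev/null 2>&1 || { echo "missing semanage" >&2; return 1; }
    semanage fcontext -a -t myapp_log_t "$WATCHED_PATH"
    # restorecond(8) only watches paths listed in its configuration file.
    grep -qxF "$WATCHED_PATH" /etc/selinux/restorecond.conf ||
        echo "$WATCHED_PATH" >> /etc/selinux/restorecond.conf
    # Relabel anything already present; restorecond handles future creations.
    [ -e "$WATCHED_PATH" ] && restorecon -v "$WATCHED_PATH"
    return 0
}

# Usage: sh myapp_ftrans.sh transition   (compile and load the module)
#        sh myapp_ftrans.sh fcontext     (register the path-based label)
#        sh myapp_ftrans.sh              (just print the policy source)
case "${1:-}" in
    transition) load_module ;;
    fcontext)   register_path_label ;;
    *)          render_policy ;;
esac
```

After loading the module, a file created by a process running as httpd_t inside a var_log_t directory gets myapp_log_t at creation time regardless of its name, whereas the fcontext route labels only the one listed path and only once restorecond notices it.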