On 12/04/2010 09:24 PM, Jorge Fábregas wrote:
> On Saturday 04 December 2010 16:03:30 Jorge Fábregas wrote:
>> cd /etc
>> rm hosts
>> touch hosts
>>
>> ls -lZ /etc/hosts
>> (it shows etc_t as its type)
>>
>> If I do a restorecon of the hosts file I'll get the correct net_conf_t for
>> the file.
>
> Ok, I kept searching... Is it because, in order for the touch command (bin_t)
> to create a file in /etc/ labeled as net_conf_t, a file-transition rule allowing
> this should have existed? If there's no rule, the default is to use the label
> of the parent directory?
>

Exactly. So let's assume your domain type shows unconfined_t if you run id -Z.

You run touch, which is a helper app with type bin_t. That is a type for executable files that are (usually) not an entry point to any domain. So you run touch in the unconfined_u domain.

So you could define a file type transition: if unconfined_t creates a file in directories with type etc_t, then transition from type etc_t to some specified type (net_conf_t in your example):

filetrans_pattern(unconfined_t, etc_t, net_conf_t, file)

Of course then all files that you create in etc_t directories get created with that net_conf_t type. Not what you want.

That is one reason to do a domain transition. For example, we label touch with a newly defined type. We make this type a core command executable type of, let's say, touch_exec_t.

Now we could define a domain transition: if unconfined_t runs a file with type touch_exec_t, then transition from the type unconfined_t to some specified type (for example touch_t).

Now you can specify a type transition for touch_t creating a file in etc_t directories:

filetrans_pattern(touch_t, etc_t, net_conf_t, file)

Now when unconfined_t creates a file in etc_t directories, the file will inherit the type of the parent directory (etc_t). But if touch_t creates a file in etc_t directories, the type of the file will transition from etc_t to net_conf_t.
Type transition is one of the most important concepts in type enforcement. The main two types of transitions are as shown above:

  domain type transition
  file type transition

A domain type is a type of a process (subject).
A file type is a type of a file (object).

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
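A policy module that spells out both transitions described in the reply above, written as an added example that is not part of the original message or of the distribution policy. It assumes the reference-policy macros (policy_module, application_domain, domain_auto_trans, filetrans_pattern) and the existing types unconfined_t, etc_t and net_conf_t; the names touch_t and touch_exec_t follow the reply, while the module name mytouch, the unconfined_r role line and the file permission set granted to touch_t are assumptions chosen for illustration.

```selinux
policy_module(mytouch, 1.0.0)

########################################
# Declarations
########################################

require {
    type unconfined_t;   # the caller's domain, as in the reply
    type etc_t;          # type of /etc and of files that inherit it
    type net_conf_t;     # type the new /etc/hosts should end up with
    role unconfined_r;   # assumption: role the caller's shell runs under
}

# New domain for the running touch process and a new entry-point type
# for its executable (the reply's touch_t / touch_exec_t).
type touch_t;
type touch_exec_t;
application_domain(touch_t, touch_exec_t)

# The new domain must be reachable from the caller's role (assumption).
role unconfined_r types touch_t;

########################################
# Domain transition
########################################

# When unconfined_t executes a file labeled touch_exec_t, the new process
# runs as touch_t instead of staying in unconfined_t. The macro expands to
# the execute/entrypoint/transition allow rules plus
#   type_transition unconfined_t touch_exec_t:process touch_t;
domain_auto_trans(unconfined_t, touch_exec_t, touch_t)

########################################
# File type transition
########################################

# When touch_t creates a plain file in a directory labeled etc_t, label it
# net_conf_t instead of letting it inherit etc_t from the parent directory.
# The macro expands to
#   allow touch_t etc_t:dir rw_dir_perms;
#   type_transition touch_t etc_t:file net_conf_t;
filetrans_pattern(touch_t, etc_t, net_conf_t, file)

# The transition only chooses the label; touch_t still needs permission to
# create and update the file (assumption: minimal set for what touch does).
allow touch_t net_conf_t:file { create open getattr setattr write };

# unconfined_t has no filetrans rule in this module, so a file it creates
# directly in /etc keeps the parent directory's type, etc_t, which is exactly
# what the ls -lZ in the quoted message showed.
```

To make the domain transition fire, the touch binary itself has to carry the entry-point type, which is done with a file-context line in the module's .fc file such as `/usr/bin/touch -- gen_context(system_u:object_r:touch_exec_t,s0)` followed by `restorecon -v /usr/bin/touch` after `semodule -i mytouch.pp`. Whether relabeling a general-purpose helper like touch is sensible is a separate question: every caller that executes it, not only the one creating /etc/hosts, now ends up in touch_t and gets the filetrans rule, so `ausearch -m avc -ts recent` is worth checking after loading the module.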