On 12/04/2010 09:41 PM, Dominick Grift wrote:
> On 12/04/2010 09:24 PM, Jorge Fábregas wrote:
>> On Saturday 04 December 2010 16:03:30 Jorge Fábregas wrote:
>>> cd /etc
>>> rm hosts
>>> touch hosts
>>>
>>> ls -lZ /etc/hosts
>>> (it shows etc_t as its type)
>>>
>>> If I do a restorecon of the hosts file I'll get the correct net_conf_t for
>>> the file.
>
>> Ok, I kept searching... Is it because, in order for the touch command (bin_t)
>> to create a file in /etc/ labeled as net_conf_t, a file-transition rule allowing
>> this should have existed? If there's no rule, the default is to use the label
>> of the parent directory?

Made a few typos and forgot to add some info:

>
> Exactly.
>
> So let's assume your domain type shows unconfined_t if you id -Z. You run
> touch which is a helper app with type bin_t. That is a type for
> executable files that are (usually) not an entry point to any domain. So
> you run touch in the unconfined_u domain.

unconfined_t instead of unconfined_u obviously. The unconfined_u field in a
security context is a SELinux identity. In Fedora this field is only used to
map compartments, sensitivities and roles to Linux logins.

> So you could define a file type transition:
>
> if unconfined_t creates a file in directories with type etc_t, then
> transition from type etc_t to some specified type (net_conf_t in your
> example)
>
> filetrans_pattern(unconfined_t, etc_t, net_conf_t, file)
>
> Of course then all files that you create in etc_t directories get created
> with that net_conf_t type. Not what you want.
>
> That is one reason to do a domain transition.
>
> For example we label touch with a new defined type. We make this type a
> core command executable type of let's say touch_exec_t. Now we could
> define a domain transition:

Such a domain transition would look like this:

domtrans_pattern(unconfined_t, touch_exec_t, touch_t)

That is a simple example.
With user applications like touch in our example, I prefer to use role
prefixes to let SELinux know who runs touch, so that "touch policy" can be
defined for particular roles. E.g. "touch policy" for the user_r role differs
from "touch policy" for unconfined_r:

domtrans_pattern(unconfined_t, touch_exec_t, unconfined_touch_t)

vs.

domtrans_pattern(user_t, touch_exec_t, user_touch_t)

Then you can do:

filetrans_pattern(unconfined_touch_t, etc_t, net_conf_t, file)

vs.

filetrans_pattern(user_touch_t, etc_t, etc_runtime_t, file)

E.g. when unconfined_t runs touch_exec_t and domain transitions to
unconfined_touch_t, then unconfined_touch_t creates files in etc_t
directories with a file transition to net_conf_t, whereas user_touch_t
creates files in etc_t directories with a file transition to etc_runtime_t.

> if unconfined_t runs a file with type touch_exec_t, then transition from
> the type unconfined_t to some specified type (for example touch_t).
>
> Now you can specify a type transition for touch_t creating a file in
> etc_t directories:
>
> filetrans_pattern(touch_t, etc_t, net_conf_t, file)
>
> Now when unconfined_t creates a file in etc_t directories, the file will
> inherit the type of the parent directory (etc_t)
>
> But if touch_t creates a file in etc_t directories, the type of the file
> will transition from etc_t to net_conf_t.
>
> Type transition is one of the most important concepts in type
> enforcement.
> The main two types of transitions are as shown above:
>
> domain type transition
> file type transition
>
> A domain type is a type of a process (subject)
> A file type is a type of a file (object)
>

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
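Putting the two transitions from the thread together, here is an added example of a minimal reference-policy module (not code from the list post or from Fedora's policy) that gives touch its own domain and makes files it creates under etc_t come out as net_conf_t. It assumes a Fedora/refpolicy build environment where the application_domain interface and the create_file_perms permission set exist; the type and role names are the ones used in the thread.

```selinux
policy_module(touch_demo, 1.0.0)

########################################
# Declarations (example module; touch_t / touch_exec_t are hypothetical)
#

gen_require(`
	type unconfined_t;
	role unconfined_r;
	type etc_t;
	type net_conf_t;
')

# A private domain for touch plus the entrypoint type for its binary.
# application_domain() makes touch_t a domain and touch_exec_t its entrypoint.
type touch_t;
type touch_exec_t;
application_domain(touch_t, touch_exec_t)
role unconfined_r types touch_t;

########################################
# Domain transition: unconfined_t executing a touch_exec_t file lands in touch_t.
# The macro expands to the execute permission on the file, process:transition,
# the fd/fifo/sigchld rules between the two domains, and the type_transition.
#
domtrans_pattern(unconfined_t, touch_exec_t, touch_t)

########################################
# File transition: a file that touch_t creates in an etc_t directory is
# labelled net_conf_t instead of inheriting etc_t from its parent directory.
#
filetrans_pattern(touch_t, etc_t, net_conf_t, file)

# filetrans_pattern only grants rw_dir_perms on the etc_t directory; the
# domain still needs permission to create and write the net_conf_t file.
allow touch_t net_conf_t:file create_file_perms;

# Labelling belongs in touch_demo.fc, not the .te. Without this the binary
# keeps bin_t and no domain transition (and hence no file transition) fires:
# /usr/bin/touch   --   gen_context(system_u:object_r:touch_exec_t,s0)
```

After building and loading the module, relabel the binary (restorecon /usr/bin/touch) so it actually carries touch_exec_t, then repeat the rm/touch/ls -lZ steps from the start of the thread: the new /etc/hosts should now show net_conf_t without a restorecon.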