On 12/28/2010 11:29 PM, Vadym Chepkov wrote:
>
>>>>>>
>>>>>> P.S. On a related note, how do $HOME files get their labeling?
>>>
>>> It depends. When all is right, files in Home get created with the
>>> proper contexts by means of "type transition" rules, basically.
>>>
>>> example:
>>>
>>> if a process with type pyzor_t creates a file in a directory with type
>>> user_home_dir_t, then there is a "type transition" from user_home_dir_t to pyzor_home_t.
>>>
>>> But in gnome-session there is also restorecond -u watching contexts in home.
>>>
>>> Basically it compares contexts in home with what's defined in semanage
>>> fcontext (or homedir.template) and resets contexts accordingly. (This is
>>> some hack to ensure that user home dir content is labelled properly.)
>>
>> That was my question, how do you define it in semanage fcontext?
>> I see explicit references to /root/ home, but what about users' home?
>> Some sort of keyword/macro?
>
>
> I can see this in pyzor.fc
>
> HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
> HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
>
>
> But you won't find anything like this in semanage fcontext -l output. A bug?

No, home directory contexts are handled a bit differently. There's a file in /etc/selinux/*/contexts.* called homedir.contexts (or similar) with home directory contexts instead, which gets recreated each time you build the policy.

I think it's a relic of the past when we used the user role prefix to prefix our user home types. Nowadays it's useful for user-based access control, I guess.

>
>>>
>>>>>> # semanage fcontext -l|grep pyzor
>>>>>> has reference only to
>>>>>> /root/\.pyzor(/.*)? all files system_u:object_r:pyzor_home_t:s0
>>>>>>
>>>>>> but, directory gets proper labeling:
>>>>>>
>>>>>> # ls -dZ /home/vchepkov/.pyzor
>>>>>> drwx------. vchepkov users unconfined_u:object_r:spamc_home_t:s0 /home/vchepkov/.pyzor
>>>>>>
>
>

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
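To make the two mechanisms discussed in the thread concrete, here is an added shell example (not from the thread or from the SELinux userspace tools): a toy model of how the HOME_DIR entries of a module's .fc file are expanded into per-user entries in the generated home-directory context file, and of the compare-and-reset check that restorecond -u performs against those entries. The two template rules are the pyzor.fc lines quoted above, embedded as constructed input; the home directory and paths are constructed from the thread's `ls -dZ` output. It assumes a first-match rule lookup, which is a simplification (libselinux prefers the most specific matching stem), and the function names are its own.

```shell
#!/bin/sh
# Added example: toy model of HOME_DIR expansion and a restorecond-style
# label check. Not the real genhomedircon/libselinux code. Assumptions:
# first matching rule wins; sample rules are the pyzor.fc lines from the
# thread, embedded below as constructed input.

# Constructed template, one "<regex> gen_context(...)" rule per line,
# exactly as it appears in a module's .fc file.
fc_template() {
  cat <<'EOF'
HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
EOF
}

# expand_homedir HOME: substitute the user's home directory for HOME_DIR
# and flatten gen_context(user:role:type,level) into user:role:type:level,
# which is the shape the per-user entries take in the generated file.
expand_homedir() {
  home=$1
  fc_template | sed -e "s|^HOME_DIR|$home|" \
                    -e 's/gen_context(\(.*\),\(s[0-9][0-9]*\))/\1:\2/'
}

# lookup_context HOME PATH: print the context of the first expanded rule
# whose regex matches PATH as a whole; return 1 if no home rule matches
# (the real lookup would then fall back to the generic file_contexts).
lookup_context() {
  home=$1 path=$2
  ctx=$(expand_homedir "$home" | while read -r regex context; do
    if printf '%s\n' "$path" | grep -Eqx -e "$regex"; then
      printf '%s\n' "$context"
      break
    fi
  done)
  [ -n "$ctx" ] || return 1
  printf '%s\n' "$ctx"
}

# label_is_expected HOME PATH CURRENT_CTX: the comparison restorecond -u
# makes. Returns 0 when the on-disk context already matches the rule and
# 1 when restorecond would reset it (or when no rule covers the path).
label_is_expected() {
  expected=$(lookup_context "$1" "$2") || return 1
  [ "$expected" = "$3" ]
}

# Usage: expand the template for one user, then look up the path from the thread.
expand_homedir /home/vchepkov
lookup_context /home/vchepkov /home/vchepkov/.pyzor
```

Running it shows why `semanage fcontext -l` lists only the /root entry: the per-user lines only exist after expansion. Feeding the `ls -dZ` context from the thread into `label_is_expected` also shows what restorecond would do with that directory, since spamc_home_t is not what the pyzor rule names.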