On 12/29/2010 07:00 AM, Dominick Grift wrote:
> On 12/28/2010 11:29 PM, Vadym Chepkov wrote:
>
>>>>>>> P.S. On a related note, how do $HOME files get their labeling?
>>>>
>>>> It depends. When all is right, files in Home get created with the
>>>> proper contexts by means of "type transitions", basically rules.
>>>>
>>>> example:
>>>>
>>>> if a process with type pyzor_t creates a file in a directory with type
>>>> user_home_dir_t then "type transition" from user_home_dir_t to pyzor_home_t.
>>>>
>>>> But in gnome-session there is also restorecond -u watching contexts in home.
>>>>
>>>> Basically it compares contexts in home with what's defined in semanage
>>>> fcontext (or homedir.template) and resets contexts accordingly. (this is
>>>> some hack to ensure that user home dir content is labelled properly)
>>>
>>> That was my question, how do you define it in semanage fcontext?
>>> I see explicit references to /root/ home, but what about users' home?
>>> Some sort of keyword/macro?
>
>> I can see this in pyzor.fc
>
>> HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
>> HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
>
>> But you won't find anything like this in semanage fcontext -l output. A bug?
>
> No, home directory contexts are handled a bit differently. There's a file
> in /etc/selinux/*/contexts.* called homedir.contexts (or similar) with
> home directory contexts instead which gets recreated each time you build
> the policy. I think it's a relic of the past when we used the user role
> prefix to prefix our user home types. Nowadays it's useful for user based
> access control, I guess.
>
>>>>>>> # semanage fcontext -l|grep pyzor
>>>>>>> has reference only to
>>>>>>> /root/\.pyzor(/.*)? all files system_u:object_r:pyzor_home_t:s0
>>>>>>>
>>>>>>> but, directory gets proper labeling:
>>>>>>>
>>>>>>> # ls -dZ /home/vchepkov/.pyzor
>>>>>>> drwx------. vchepkov users unconfined_u:object_r:spamc_home_t:s0 /home/vchepkov/.pyzor

Razor and pyzor policies should be back into Fedora with the next policy update.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
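As an added example (not from the thread, and not the refpolicy or libselinux tooling), this Python sketch shows why `semanage fcontext -l` lists only the `/root/` entry for pyzor: the HOME_DIR lines are split off at policy build time and expanded per home directory into the separate homedir contexts file. The sample .fc lines are constructed from the pyzor.fc entries quoted above; the HOME_DIR substitution is a simplified stand-in for what genhomedircon does and the "last match wins" lookup mirrors file_contexts precedence.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample of .fc lines, modelled on the pyzor.fc entries quoted in the thread.
FC_SAMPLE = r"""
HOME_DIR/\.pyzor(/.*)?   gen_context(system_u:object_r:pyzor_home_t,s0)
HOME_DIR/\.spamd(/.*)?   gen_context(system_u:object_r:pyzor_home_t,s0)
/root/\.pyzor(/.*)?      gen_context(system_u:object_r:pyzor_home_t,s0)
"""

# path regex, optional file-type flag such as "-d" or "--", then the gen_context(...) macro
FC_LINE = re.compile(r"^(\S+)\s+(?:(-[-a-z])\s+)?gen_context\(([^,]+),\s*([^)]+)\)$")


def parse_fc(text: str) -> List[Tuple[str, str]]:
    """Return (path_regex, context) pairs; gen_context(u:r:t, s0) becomes the string u:r:t:s0."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = FC_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised fc line: {line!r}")
        spec, _ftype, ctx, mls = m.groups()
        entries.append((spec, f"{ctx}:{mls}"))
    return entries


def split_homedir_entries(entries):
    """Build-time split: HOME_DIR entries go to the homedirs file, everything else to file_contexts.
    This is why 'semanage fcontext -l' shows only the /root/ entry for pyzor."""
    homedir = [e for e in entries if e[0].startswith("HOME_DIR")]
    generic = [e for e in entries if not e[0].startswith("HOME_DIR")]
    return homedir, generic


def expand_homedir(homedir_entries, home_dirs):
    """Substitute each concrete home directory for HOME_DIR.
    Simplified stand-in for genhomedircon (assumption: one literal entry per home directory)."""
    return [(spec.replace("HOME_DIR", re.escape(home), 1), ctx)
            for home in home_dirs for spec, ctx in homedir_entries]


def label_for(path: str, entries) -> Optional[str]:
    """Anchored regex lookup; the last matching entry wins, as in file_contexts precedence."""
    match = None
    for spec, ctx in entries:
        if re.fullmatch(spec, path):
            match = ctx
    return match
```

Running `label_for("/home/vchepkov/.pyzor", generic)` against only the generic entries returns None, while the same path against the expanded homedir entries resolves to `system_u:object_r:pyzor_home_t:s0`, which is the behaviour the thread describes.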