On 02/21/2011 04:15 PM, Andreas Bolatzki wrote:
> Hello All
>
> I am working on Fedora 13 and VirtualBox 3.2
>
> Currently I try to apply a selinux module that has been created with
> ubuntu to Fedora 13. Because I believe I understand what it should do I
> just tried to make it run under F-13.
> I have three files: vbox.te, vbox.if, vbox.fc to create a policy module.
>
> After making the vbox.pp I can load it with "semodule -I vbox.pp" and
> the module shows up in semodule -l correctly.
> The motivation to change these file-contexts is to prepare for correct
> type-transition rules so they match the defined rules.
>
> Unfortunately the file-context is never set as needed and as described
> in the vbox.fc.
>
> When I check .../file_contexts the correct statements are included but
> they happen to appear later than something that was there before... (or
> is there if the module is removed):
> # matchpathcon /usr/lib/virtualbox/
> /usr/lib/virtualbox system_u:object_r:lib_t:s0
> # matchpathcon -f f13vbox.fc /usr/lib/virtualbox/
> /usr/lib/virtualbox <<none>>
>
> Next I tried to do it with semanage fcontext -t
> [~]$ sudo semanage fcontext -a -t vbox_manage_exec_t /usr/lib/virtualbox/VboxManage
> [~]$ ls -lZ /usr/lib/virtualbox/VBoxManage
> -rwxr-xr-x. root root system_u:object_r:lib_t:s0 /usr/lib/virtualbox/VBoxManage

That semanage command above only adds a new file context specification.
You have to restore the context after that to actually apply the
specified file context.

>
> I'd expect that the lib_t is replaced by vbox_manage_exec_t.
> What is the problem? My understanding of what should happen might be
> wrong...
>
> Thanks for your answers.
>
> Andreas
>
> ---
> Contents of vbox.fc
> /dev/vboxdrv gen_context(system_u:object_r:vbox_run_t,s0)
> /dev/vboxnetctl gen_context(system_u:object_r:vbox_run_t,s0)
> /usr/lib/virtualbox gen_context(system_u:object_r:vbox_run_t,s0)
> /usr/lib/virtualbox/(.*) gen_context(system_u:object_r:vbox_run_t,s0)
> /usr/lib/virtualbox/VBoxManage -- gen_context(system_u:object_r:vbox_manage_exec_t,s0)
> /usr/lib/virtualbox/VBoxXPCOMIPCD -- gen_context(system_u:object_r:vbox_ipc_exec_t,s0)
> /usr/lib/virtualbox/VirtualBox -- gen_context(system_u:object_r:vbox_vbox_exec_t,s0)
> /usr/lib/virtualbox/VBoxSDL -- gen_context(system_u:object_r:vbox_vbox_exec_t,s0)
> /usr/lib/virtualbox/VBoxSVC -- gen_context(system_u:object_r:vbox_svc_exec_t,s0)
> HOME_DIR/.VirtualBox(/.*)? gen_context(system_u:object_r:vbox_run_t,s0)

These are specified file contexts. After loading these, you may need to
apply them by running restorecon on each of the paths.

> ---
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
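
The two-step sequence described in the reply (add the specification, then restore the context), followed by a read-back check, as an added example that is not part of the original thread. The function names label_file and context_type are hypothetical; the read-back assumes GNU stat, whose %C format prints the SELinux context.

```shell
#!/bin/bash
# Added example: register a file-context spec, apply it, verify the result.
# Run as root on an SELinux-enabled system.

# Extract the type field from a context such as system_u:object_r:lib_t:s0.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# label_file TYPE PATH
# Returns 0 only when the on-disk label of PATH ends up with type TYPE.
label_file() {
    local want="$1" path="$2" have

    # A spec for a path that does not exist (typo, wrong case) labels nothing.
    [ -e "$path" ] || { echo "no such file: $path" >&2; return 2; }

    # Step 1: record the spec in the local file-context store.
    # -a fails when a local spec already exists, so fall back to -m (modify).
    semanage fcontext -a -t "$want" "$path" 2>/dev/null ||
        semanage fcontext -m -t "$want" "$path" || return 3

    # Step 2: write the label to the file itself. Until this runs,
    # ls -Z keeps showing the old type (lib_t in the thread).
    restorecon -v "$path" || return 4

    # Step 3: read back the on-disk label and compare its type field.
    have=$(context_type "$(stat -c %C "$path")")
    if [ "$have" != "$want" ]; then
        echo "$path is $have, expected $want" >&2
        return 1
    fi
    echo "$path labelled $have"
}

# Usage (as root):
#   label_file vbox_manage_exec_t /usr/lib/virtualbox/VBoxManage
```

A return code of 1 means the specification was stored and restorecon ran, but another file-context entry still decided the label for that path.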