Finally I found the problem: The .fc file was really still using the Ubuntu directory structure (/usr/bin/virtualbox); unfortunately I didn't notice that this was different from the locations /usr/bin/ and /usr/lib/virtualbox where I found the binaries in question. --> blind me! :-( Thanks a lot for the help!

>-----Original Message-----
>From: selinux-bounces@xxxxxxxxxxxxxxxxxxxxxxx [mailto:selinux-bounces@xxxxxxxxxxxxxxxxxxxxxxx] On behalf of selinux-request@xxxxxxxxxxxxxxxxxxxxxxx
>Sent: Tuesday, 22 February 2011 13:00
>To: selinux@xxxxxxxxxxxxxxxxxxxxxxx
>Subject: selinux Digest, Vol 84, Issue 10
>
>   4. Re: need to supersede default file context for virtualbox
>      files but no method works (Dominick Grift)
>
>Message: 4
>Date: Mon, 21 Feb 2011 16:22:42 +0100
>From: Dominick Grift <domg472@xxxxxxxxx>
>Subject: Re: need to supersede default file context for virtualbox
>         files but no method works
>To: selinux@xxxxxxxxxxxxxxxxxxxxxxx
>Message-ID: <4D628342.8070102@xxxxxxxxx>
>Content-Type: text/plain; charset=ISO-8859-1
>
>On 02/21/2011 04:15 PM, Andreas Bolatzki wrote:
>> Hello All
>>
>> I am working on Fedora 13 and VirtualBox 3.2
>>
>> Currently I try to apply a selinux module that has been created with
>> Ubuntu to Fedora 13. Because I believe I understand what it should do I
>> just tried to make it run under F-13.
>> I have three files: vbox.te, vbox.if, vbox.fc to create a policy module.
>>
>> After making the vbox.pp I can load it with "semodule -I vbox.pp" and
>> the module shows up in semodule -l correctly.
>> The motivation to change these file-contexts is to prepare for correct
>> type-transition rules so they match the defined rules.
>>
>> Unfortunately the file-context is never set as needed and as described
>> in the vbox.fc.
>>
>> When I check .../file_contexts the correct statements are included but
>> they happen to appear later than something that was there before... (or
>> is there if the module is removed):
>> # matchpathcon /usr/lib/virtualbox/
>> /usr/lib/virtualbox system_u:object_r:lib_t:s0
>> # matchpathcon -f f13vbox.fc /usr/lib/virtualbox/
>> /usr/lib/virtualbox <<none>>
>>
>> Next I tried to do it with semanage fcontext -t
>> [~]$ sudo semanage fcontext -a -t vbox_manage_exec_t
>> /usr/lib/virtualbox/VboxManage
>> [~]$ ls -lZ /usr/lib/virtualbox/VBoxManage
>> -rwxr-xr-x. root root system_u:object_r:lib_t:s0
>> /usr/lib/virtualbox/VBoxManage
>
>That semanage command above only adds a new file context specification.
>You have to restore the context after that to actually apply the
>specified file context.
>
ANDREAS: OK. The problem is that something supersedes my module!
ANDREAS: The restorecon does nothing first...
ANDREAS: [~]# restorecon -v /usr/lib/virtualbox/VBoxSDL
ANDREAS: [~]# chcon -t vbox_vbox_exec_t /usr/lib/virtualbox/VBoxSDL
ANDREAS: [~]# restorecon -v /usr/lib/virtualbox/VBoxSDL
ANDREAS: restorecon reset /usr/lib/virtualbox/VBoxSDL context system_u:object_r:vbox_vbox_exec_t:s0->system_u:object_r:lib_t:s0
ANDREAS: [~]#
ANDREAS: --->> Finally I found the problem: The .fc file was really still using the Ubuntu directory structure (/usr/bin/virtualbox); unfortunately I didn't notice that this was different from /usr/bin/ and /usr/lib/virtualbox where I found the binaries in question. --> blind me! :-( Thanks a lot for the help!
>
>> I'd expect that the lib_t is replaced by vbox_manage_exec_t.
>> What is the problem? My understanding of what should happen might be
>> wrong...
>>
>> Thanks for your answers.
>>
>> Andreas
>>
>> ---
>> Contents of vbox.fc
>> /dev/vboxdrv                      gen_context(system_u:object_r:vbox_run_t,s0)
>> /dev/vboxnetctl                   gen_context(system_u:object_r:vbox_run_t,s0)
>> /usr/lib/virtualbox               gen_context(system_u:object_r:vbox_run_t,s0)
>> /usr/lib/virtualbox/(.*)          gen_context(system_u:object_r:vbox_run_t,s0)
>> /usr/lib/virtualbox/VBoxManage -- gen_context(system_u:object_r:vbox_manage_exec_t,s0)
>> /usr/lib/virtualbox/VBoxXPCOMIPCD -- gen_context(system_u:object_r:vbox_ipc_exec_t,s0)
>> /usr/lib/virtualbox/VirtualBox -- gen_context(system_u:object_r:vbox_vbox_exec_t,s0)
>> /usr/lib/virtualbox/VBoxSDL    -- gen_context(system_u:object_r:vbox_vbox_exec_t,s0)
>> /usr/lib/virtualbox/VBoxSVC    -- gen_context(system_u:object_r:vbox_svc_exec_t,s0)
>> HOME_DIR/.VirtualBox(/.*)?        gen_context(system_u:object_r:vbox_run_t,s0)
>
>These are specified file contexts. After loading these, you may need to
>apply them by running restorecon on each of the paths
>

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
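The root cause in this thread was a .fc file written for another distribution's directory layout, which no semodule, semanage or restorecon invocation can repair. As an added example (not from the thread, the list, or the VirtualBox policy), the POSIX sh check below extracts the literal prefix of every .fc path regex and verifies it exists on the target tree before the module is built and loaded; the vbox.fc content and directory tree it uses are constructed for the demo, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): verify that the literal path prefixes in a
# file-context (.fc) file exist on the target system before the module is built
# and loaded. Needs only POSIX sh and sed; no SELinux tools are required.

# Print the literal prefix of an .fc path regex: cut at the first regex
# metacharacter ( * ? + [ and drop a trailing slash.
fc_literal_prefix() {
    printf '%s\n' "$1" | sed -e 's/[(*?+[].*$//' -e 's:/$::'
}

# Print every path prefix in FCFILE that does not exist under ROOT (default: /).
# HOME_DIR/HOME_ROOT entries are expanded per user by the policy tools and are
# skipped. Returns 0 when every prefix resolves, 1 otherwise.
fc_missing_paths() {
    fcfile=$1; root=${2:-}; missing=0
    while read -r regex rest; do
        case $regex in ''|'#'*|HOME_DIR*|HOME_ROOT*) continue ;; esac
        prefix=$(fc_literal_prefix "$regex")
        if [ ! -e "$root$prefix" ]; then
            printf '%s\n' "$prefix"
            missing=$((missing + 1))
        fi
    done < "$fcfile"
    [ "$missing" -eq 0 ]
}

# Constructed demo tree: the Fedora 13 layout from the thread plus a vbox.fc
# that mixes correct entries with one Ubuntu-style path (/usr/bin/virtualbox).
build_demo_root() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/lib/virtualbox" "$root/usr/bin" "$root/dev"
    : > "$root/dev/vboxdrv"
    for bin in VBoxManage VBoxSDL VBoxSVC VirtualBox; do : > "$root/usr/lib/virtualbox/$bin"; done
    cat > "$root/vbox.fc" <<'EOF'
/dev/vboxdrv                      gen_context(system_u:object_r:vbox_run_t,s0)
/usr/lib/virtualbox(/.*)?         gen_context(system_u:object_r:vbox_run_t,s0)
/usr/lib/virtualbox/VBoxManage -- gen_context(system_u:object_r:vbox_manage_exec_t,s0)
/usr/bin/virtualbox/VBoxSDL    -- gen_context(system_u:object_r:vbox_vbox_exec_t,s0)
HOME_DIR/\.VirtualBox(/.*)?       gen_context(system_u:object_r:vbox_run_t,s0)
EOF
    printf '%s\n' "$root"
}

demo=$(build_demo_root)
fc_missing_paths "$demo/vbox.fc" "$demo" ||
    echo "fix these paths in vbox.fc before building and loading the module"
rm -rf "$demo"
```

Run it against the real root (second argument omitted) with your own .fc file; only the prefixes it lists need attention, and a prefix that resolves to the wrong kind of object still shows up in matchpathcon and restorecon -v as the thread describes.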