One thing I realized using sepolgen is that it rejects filenames that
have "." in them.
In the example below, I was trying to label "runSeed.sh", so maybe
the fact that it has a "." in it broke the labeling?
In any case, I reran sepolgen again and renamed the script to be
CZwd (instead of runSeed.sh).
With that, the files get labeled properly now:
[proxyuser@lime target]$ ls -lZ CZwd
-rwxrwxr-x. proxyuser proxyuser system_u:object_r:CZwd_exec_t:s0 CZwd
Michael
On 7/26/2011 12:17 PM, Michael Atighetchi wrote:
Hi Dominick,
responses inline below.
On 7/26/2011 11:25 AM, Dominick Grift wrote:
On Tue, 2011-07-26 at 09:33 +0200, Michael Atighetchi wrote:
system_u:object_r:CZtp_exec_t:s0
/home/proxyuser/trunk/aps-base/crumple-zone/target/runSeed.sh    regular file    system_u:object_r:CZwd_exec_t:s0
Maybe you have not declared the CZwd_exec_t type properly. Would need to
see your policy to be able to determine that.
Here is the policy:
policy_module(CZwd,1.0.0)
########################################
#
# Declarations
#
type CZwd_t;
type CZwd_exec_t;
application_domain(CZwd_t, CZwd_exec_t)
role system_r types CZwd_t;
permissive CZwd_t;
########################################
#
# CZwd local policy
#
allow CZwd_t self:fifo_file manage_fifo_file_perms;
allow CZwd_t self:unix_stream_socket create_stream_socket_perms;
domain_use_interactive_fds(CZwd_t)
files_read_etc_files(CZwd_t)
miscfiles_read_localization(CZwd_t)
gen_require(` type unconfined_t; role unconfined_r; ')
CZwd_role(unconfined_r, unconfined_t)

Types have properties. For example, some types are domain types, others
file types, executable file types, port types etc. etc.
Type attributes are used to tell selinux what type it is dealing with.
It is kind of like grouping/classifying/tagging types. Rules are in
place that are specific to various groups of types.
For you to be able to, for example, relabel a type of a file object, the
type will need to be classified as a file type. Because there is a rule
that states that files can only be labelled with file types.

I see - the policy above doesn't seem to specify a property on the
type.

So if you have not classified your CZwd_exec_t to be a file type then it
may or may not be the cause of this issue.

How do I add the type to the policy? Any idea what other mistakes
can cause this behavior?
For what it is worth, I generated the CZwd.* files by copying the
files from a previous invocation of sepolgen and
replacing all references from the previous file to the new file.
It is only for this process that I have the labeling problems.
For other processes, I explicitly called sepolgen from scratch.
I've attached the current set of files for CZwd.
Michael
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
--
Michael Atighetchi
Senior Scientist
Raytheon BBN Technologies
617-873-1679
matighet@xxxxxxx
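
Added example (not part of the original thread, and not code from sepolgen or the reference policy): a small static check of whether the types used in a module's .fc entries are classified as file types by its .te source, run over the declarations quoted above. The macro table is a hand-built, partial assumption about reference-policy interfaces; the .fc line and the "bare" policy are constructed.

```python
import re

# Partial, hand-built table (assumption): reference-policy interfaces that end
# up assigning the file_type attribute, with the 0-based argument that gets it.
FILE_TYPE_MACROS = {"files_type": 0, "corecmd_executable_file": 0,
                    "domain_entry_file": 1, "application_domain": 1}

def file_types(te_source):
    """Types that this .te source classifies as file types."""
    src = re.sub(r"#.*", "", te_source)            # drop comments
    found = set()
    # Direct forms: "type X, file_type;" and "typeattribute X file_type;"
    for m in re.finditer(r"\btype(?:attribute)?\s+(\w+)([^;]*);", src):
        if re.search(r"\bfile_type\b", m.group(2)):
            found.add(m.group(1))
    # Interface calls whose expansion adds the attribute
    for m in re.finditer(r"\b(\w+)\(([^()`']*)\)", src):
        idx = FILE_TYPE_MACROS.get(m.group(1))
        args = [a.strip() for a in m.group(2).split(",")]
        if idx is not None and idx < len(args):
            found.add(args[idx])
    return found

def unclassified_fc_types(te_source, fc_source):
    """Types used in .fc gen_context() entries that are not file types."""
    used = re.findall(r"gen_context\(\w+:\w+:(\w+),", fc_source)
    return sorted(set(used) - file_types(te_source))

# Declarations as quoted in the thread
PAGE_TE = """
type CZwd_t;
type CZwd_exec_t;
application_domain(CZwd_t, CZwd_exec_t)
role system_r types CZwd_t;
"""
# Constructed variant: the type is declared but never classified
BARE_TE = """
type CZwd_t;
type CZwd_exec_t;
"""
# Constructed .fc entry for the path shown in the thread
FC = ("/home/proxyuser/trunk/aps-base/crumple-zone/target/runSeed\\.sh"
      "\t--\tgen_context(system_u:object_r:CZwd_exec_t,s0)\n")

if __name__ == "__main__":
    print("page policy:", unclassified_fc_types(PAGE_TE, FC))
    print("bare policy:", unclassified_fc_types(BARE_TE, FC))
```

This only inspects one module's source against the listed interfaces; the policy actually loaded on the system remains the authoritative place to check a type's attributes.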