RE: priority between file context rules

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Thank you all for your answers

-----Message d'origine-----
De : Dominick Grift [mailto:dominick.grift@xxxxxxxxx]
Envoyé : jeudi 5 décembre 2013 17:26
À : Vidalie Hervé
Cc : Daniel J Walsh; Bruno Wolff III; selinux@xxxxxxxxxxxxxxxxxxxxxxx
Objet : Re: priority between file context rules


On Thu, 2013-12-05 at 17:12 +0100, Vidalie Hervé wrote:
> Hello,
>
> Thank you for your answers.
>
> I have two remaining questions:
> -I would like to create a policy package file to define add this file context mappings. How to add mapping rules and rules for automatically labeling created files?
> -Where can I find the source of the policy I use ? (selinux-policy-targeted-3.7.19-195.el6_4.18.noarch)
>

I will give you an example

For example lets say i want to create a policy package that associates
system_u:object_r:httpd_sys_content_t:s0 with /mywww and everything
below it.

cat > mywww.te <<EOF
policy_module(mywww, 1.0.0)
gen_require(\` type httpd_sys_content_t ')
EOF

The above creates a file with name mywww.te
The first line declares a new policy module of name mywww with version
1.0.0
The second line imports the httpd_sys_content_t type identifier.
Type identifiers that are declared outside of this module need to be
imported to this module before we can use it

The system_u, object_r, and s0 identifiers do not need to be imported
because they are core identifiers that are automatically imported when
you declare a policy module (the first line)

cat > mywww.fc <<EOF
/mywww(/.*)? system_u:object_r:httpd_sys_content_t:s0
EOF

The above creates a file with name mywww.fc
The line in this file specified the file context
It associates the security context of
system_u:object_r:httpd_sys_content_t:s0 with /mywww and everything
below it
The (/.*)? is a posix regular expression statement

make -f /usr/share/selinux/devel/Makefile mywww.pp

The above command creates a mywww.pp file
This is a policy package that we can use to load the policy into the
system

sudo semodule -i mywww.pp

The above command loads the policy package into the system. This will be
persistent

To remove it:

sudo semodule -r mywww

See man semodule for more details on how to manage policy packages




Ce message et les pièces jointes sont confidentiels et réservés à l'usage exclusif de ses destinataires. Il peut également être protégé par le secret professionnel. Si vous recevez ce message par erreur, merci d'en avertir immédiatement l'expéditeur et de le détruire. L'intégrité du message ne pouvant être assurée sur Internet, la responsabilité de Worldline ne pourra être recherchée quant au contenu de ce message. Bien que les meilleurs efforts soient faits pour maintenir cette transmission exempte de tout virus, l'expéditeur ne donne aucune garantie à cet égard et sa responsabilité ne saurait être recherchée pour tout dommage résultant d'un virus transmis.

This e-mail and the documents attached are confidential and intended solely for the addressee; it may also be privileged. If you receive this e-mail in error, please notify the sender immediately and destroy it. As its integrity cannot be secured on the Internet, the Worldline liability cannot be triggered for the message content. Although the sender endeavours to maintain a computer virus-free network, the sender does not warrant that this transmission is virus-free and will not be liable for any damages resulting from any virus transmitted.
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux





[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux