Re: How do I create a directory in C that will follow selinux file context rules?

On 03/26/2015 04:17 PM, Jayson Hurst wrote:
> RHEL 6.5
>  
> I have tried this using a filetrans pattern but it doesn't seem to work.
>  
>> Date: Wed, 25 Mar 2015 09:32:32 +0100
>> From: mgrepl@xxxxxxxxxx
>> To: swazup@xxxxxxxxxxx; selinux@xxxxxxxxxxxxxxxxxxxxxxx
>> Subject: Re: How do I create a directory in C that will follow selinux file context rules?
>>
>> On 03/24/2015 10:45 PM, Jayson Hurst wrote:
>> > I need to create a directory in a C binary.
>> >
>> > I am currently doing something similar to this:
>> >
>> >
>> >
>> > status = mkdir("/home/cnd/mod1", S_IRWXU | S_IRWXG | S_IROTH | S_IXOTH);
>> >
>> >
>> >
>> > But when the directory is created it ends up with the wrong SELinux context. It inherits its parent's context and not the one defined in file context.
>>
>> What is your OS?
>>
>> >
>> >
>> >
>> > Is there a C call that can be used that understands how to correctly create and label SELinux directories?
>> >
>> >
>> >
>> > --
>> > selinux mailing list
>> > selinux@xxxxxxxxxxxxxxxxxxxxxxx
>> > https://admin.fedoraproject.org/mailman/listinfo/selinux
>> >
>>
>>
>> --
>> Miroslav Grepl
>> Software Engineering, SELinux Solutions
>> Red Hat, Inc.

Ok, basically you can add a transition rule for "/home/cnd/mod1"


userdom_user_home_dir_filetrans(unconfined_t, ABC_t, dir)

It will create a dir in /home/cnd with ABC_t labeling for unconfined_t
or for a domain defined by you.

Where you are not able to use a file transition, you can use restorecond
on RHEL6. It uses inotify to watch files listed in

/etc/selinux/restorecond.conf
/etc/selinux/restorecond_user.conf

when they are created and it sets a context defined in the policy.

-- 
Miroslav Grepl
Software Engineering, SELinux Solutions
Red Hat, Inc.
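
The transition rule from the reply above, placed in a loadable policy module, as an added example that is not part of the original message or of any shipped policy. The module name cnd_mod1 and the file-context entry are assumptions, ABC_t is the placeholder type from the reply, and /home/cnd is assumed to be labeled user_home_dir_t.

```te
# cnd_mod1.te (hypothetical module name)
policy_module(cnd_mod1, 1.0.0)

gen_require(`
	type unconfined_t;
')

# Private type for the directory; ABC_t is the placeholder used in the reply.
type ABC_t;
files_type(ABC_t)

# Without a file-name argument this rule matches every directory that
# unconfined_t creates directly inside a user_home_dir_t directory, not only mod1.
# It has no effect if the process calling mkdir() runs in another domain
# or if /home/cnd is not labeled user_home_dir_t.
userdom_user_home_dir_filetrans(unconfined_t, ABC_t, dir)

# Matching entry for cnd_mod1.fc, so that restorecon and restorecond agree
# with the transition:
#   /home/cnd/mod1(/.*)?	gen_context(system_u:object_r:ABC_t,s0)
#
# Build and load (Makefile shipped with the policy development files):
#   make -f /usr/share/selinux/devel/Makefile cnd_mod1.pp
#   semodule -i cnd_mod1.pp
# Check after running the binary:
#   ls -Zd /home/cnd /home/cnd/mod1
```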