What I don't understand is why the filetrans doesn't work in the first place?
In my policy I define:

filetrans_pattern(vasd_t, vasd_var_t, vasd_var_auth_t, dir)

But when my binary that runs under the vasd_t domain as an unconfined user creates a directory in /var/opt/quest/vas/ called vasd, it gets created as vasd_var_t. The parent directory /var/opt/quest/vas is labeled as vasd_var_t. Shouldn't the above filetrans_pattern label all new directories under /var/opt/quest/vas as vasd_var_auth_t when they are being created under the vasd_t domain?

> Date: Thu, 26 Mar 2015 18:24:01 +0100
> From: mgrepl@xxxxxxxxxx
> To: swazup@xxxxxxxxxxx; selinux@xxxxxxxxxxxxxxxxxxxxxxx
> Subject: Re: How do I create a directory in C that will follow selinux file context rules?
>
> On 03/26/2015 04:17 PM, Jayson Hurst wrote:
> > RHEL 6.5
> >
> > I have tried this using a filetrans pattern but it doesn't seem to work.
> >
> >> Date: Wed, 25 Mar 2015 09:32:32 +0100
> >> From: mgrepl@xxxxxxxxxx
> >> To: swazup@xxxxxxxxxxx; selinux@xxxxxxxxxxxxxxxxxxxxxxx
> >> Subject: Re: How do I create a directory in C that will follow selinux file context rules?
> >>
> >> On 03/24/2015 10:45 PM, Jayson Hurst wrote:
> >> > I need to create a directory in a C binary.
> >> >
> >> > I am currently doing something similar to this:
> >> >
> >> > status = mkdir("/home/cnd/mod1", S_IRWXU | S_IRWXG | S_IROTH | S_IXOTH);
> >> >
> >> > But when the directory is created it ends up with the wrong SELinux context. It inherits its parent's context and not the one defined in file context.
> >>
> >> What is your OS?
> >>
> >> > Is there a C call that can be used that understands how to correctly create and label SELinux directories?
> >> >
> >> > --
> >> > selinux mailing list
> >> > selinux@xxxxxxxxxxxxxxxxxxxxxxx
> >> > https://admin.fedoraproject.org/mailman/listinfo/selinux
> >>
> >>
> >> --
> >> Miroslav Grepl
> >> Software Engineering, SELinux Solutions
> >> Red Hat, Inc.
>
> Ok, basically you can add a transition rule for "/home/cnd/mod1"
>
> userdom_user_home_dir_filetrans(unconfined_t, ABC_t, dir)
>
> It will create a dir in /home/cnd with ABC_t labeling for unconfined_t
> or for a domain defined by you.
>
> Where you are not able to use a file transition, you can use restorecond
> on RHEL6. It uses inotify to watch files listed in
>
> /etc/selinux/restorecond.conf
> /etc/selinux/restorecond_user.conf
>
> when they are created and it sets a context defined in the policy.
>
> --
> Miroslav Grepl
> Software Engineering, SELinux Solutions
> Red Hat, Inc.
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux