I resolved the problem with Dan's help by adding a transition from unconfined to vasd_t.
Sent from my Windows Phone
From: Miroslav Grepl
Sent: 3/27/2015 2:24 AM
To: Jayson Hurst; selinux@xxxxxxxxxxxxxxxxxxxxxxx
Subject: Re: How do I create a directory in C that will follow selinux file context rules?
On 03/26/2015 08:37 PM, Jayson Hurst wrote:
> What I don't understand is why the filetrans doesn't work in the first
> place?
>
> In my policy I define:
>
> filetrans_pattern(vasd_t, vasd_var_t, vasd_var_auth_t, dir )
>
> But when my binary that runs under the vasd_t domain as an unconfined
> user creates a directory in /var/opt/quest/vas/ called vasd it gets
> created as a vasd_var_t.
>
> The parent directory of /var/opt/quest/vas is labeled as vasd_var_t.
> Shouldn't the above filetrans_pattern label all new directories under
> /var/opt/quest/vas as vasd_var_auth_t when they are being created under
> the vasd_t domain?
It should work. Are you sure you create it under vasd_t? Also you need
to have
manage_dirs_pattern(vasd_t, vasd_var_auth_t, vasd_var_auth_t)
>
>> Date: Thu, 26 Mar 2015 18:24:01 +0100
>> From: mgrepl@xxxxxxxxxx
>> To: swazup@xxxxxxxxxxx; selinux@xxxxxxxxxxxxxxxxxxxxxxx
>> Subject: Re: How do I create a directory in C that will follow selinux file context rules?
>>
>> On 03/26/2015 04:17 PM, Jayson Hurst wrote:
>> > RHEL 6.5
>> >
>> > I have tried this using a filetrans pattern but it doesn't seem to work.
>> >
>> >> Date: Wed, 25 Mar 2015 09:32:32 +0100
>> >> From: mgrepl@xxxxxxxxxx
>> >> To: swazup@xxxxxxxxxxx; selinux@xxxxxxxxxxxxxxxxxxxxxxx
>> >> Subject: Re: How do I create a directory in C that will follow selinux file context rules?
>> >>
>> >> On 03/24/2015 10:45 PM, Jayson Hurst wrote:
>> >> > I need to create a directory in a C binary.
>> >> >
>> >> > I am currently doing something similar to this:
>> >> >
>> >> > status = mkdir("/home/cnd/mod1", S_IRWXU | S_IRWXG | S_IROTH | S_IXOTH);
>> >> >
>> >> > But when the directory is created it ends up with the wrong SELinux
>> >> > context. It inherits its parent's context and not the one defined in
>> >> > file context.
>> >>
>> >> What is your OS?
>> >>
>> >> >
>> >> > Is there a C call that can be used that understands how to correctly
>> >> > create and label SELinux directories?
>> >> >
>> >> > --
>> >> > selinux mailing list
>> >> > selinux@xxxxxxxxxxxxxxxxxxxxxxx
>> >> > https://admin.fedoraproject.org/mailman/listinfo/selinux
>> >> >
>> >>
>> >>
>> >> --
>> >> Miroslav Grepl
>> >> Software Engineering, SELinux Solutions
>> >> Red Hat, Inc.
>>
>> Ok, basically you can add a transition rule for "/home/cnd/mod1"
>>
>> userdom_user_home_dir_filetrans(unconfined_t, ABC_t, dir)
>>
>> It will create a dir in /home/cnd with ABC_t labeling for unconfined_t
>> or for a domain defined by you.
>>
>> Where you are not able to use a file transition, you can use restorecond
>> on RHEL6. It uses inotify to watch files listed in
>>
>> /etc/selinux/restorecond.conf
>> /etc/selinux/restorecond_user.conf
>>
>> when they are created and it sets a context defined in the policy.
>>
>> --
>> Miroslav Grepl
>> Software Engineering, SELinux Solutions
>> Red Hat, Inc.
--
Miroslav Grepl
Software Engineering, SELinux Solutions
Red Hat, Inc.
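The quoted question expects mkdir() to apply the file_contexts rules, but the kernel labels a new directory only from a type_transition rule keyed on the creating domain (otherwise the directory inherits its parent's type), while file_contexts is consulted by userspace: restorecon/restorecond as mentioned in the reply, or a program that calls libselinux's selabel_lookup() and setfscreatecon() before mkdir(). The following C example is added here (mine, not code from the thread or from the vasd policy) and models both lookups side by side, so that the failure the thread hit is visible: a process still running as unconfined_t never fires the vasd_t rule, while the path-based file_contexts lookup does name vasd_var_auth_t. The thread's type names are reused; the rule table, the /var/opt entry, the regexes and unconfined_t as the un-transitioned domain are constructed assumptions, and the ordering of file_contexts entries (longest literal prefix wins, later entry wins ties) approximates libselinux's.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>
/* Constructed data modelled on the thread: the type names are the thread's; the
 * rule table, the /var/opt entry, the regexes and unconfined_t are assumptions. */
/* One type_transition rule, as filetrans_pattern(vasd_t, vasd_var_t, vasd_var_auth_t, dir) emits. */
struct trans { const char *domain, *parent_type, *cls, *new_type; };
static const struct trans rules[] = {
    { "vasd_t", "vasd_var_t", "dir", "vasd_var_auth_t" },
};

/* Type the kernel gives a new object at mkdir() time: the matching type_transition
 * if any, else the parent's type. The match is keyed on the creating domain, so a
 * process still running as unconfined_t never fires the vasd_t rule. */
const char *kernel_new_type(const char *domain, const char *parent_type, const char *cls) {
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++)
        if (!strcmp(rules[i].domain, domain) && !strcmp(rules[i].parent_type, parent_type)
            && !strcmp(rules[i].cls, cls))
            return rules[i].new_type;
    return parent_type;
}

/* file_contexts-style entries: read by restorecon/restorecond and by
 * selabel_lookup(), never by the kernel during mkdir(). */
struct spec { const char *regex; const char *type; };
static const struct spec specs[] = {
    { "/var/opt(/.*)?",                "var_t" },
    { "/var/opt/quest/vas(/.*)?",      "vasd_var_t" },
    { "/var/opt/quest/vas/vasd(/.*)?", "vasd_var_auth_t" },
};

/* Type that file_contexts assigns to a path, or NULL if no entry matches. Regexes
 * are anchored at both ends as libselinux does; the entry with the longest literal
 * prefix (text before the first regex metacharacter) wins, a tie goes to the later one. */
const char *file_contexts_type(const char *path) {
    const char *best = NULL; size_t best_len = 0;
    for (size_t i = 0; i < sizeof specs / sizeof specs[0]; i++) {
        char anchored[256];
        regex_t re;
        snprintf(anchored, sizeof anchored, "^(%s)$", specs[i].regex);
        if (regcomp(&re, anchored, REG_EXTENDED | REG_NOSUB) != 0)
            continue;                                  /* skip a malformed entry */
        int hit = regexec(&re, path, 0, NULL, 0) == 0;
        regfree(&re);
        size_t len = strcspn(specs[i].regex, ".^$?*+|[](){}\\");
        if (hit && (best == NULL || len >= best_len)) { best = specs[i].type; best_len = len; }
    }
    return best;
}
```

Calling kernel_new_type("unconfined_t", "vasd_var_t", "dir") returns vasd_var_t, the result the thread observed, while file_contexts_type("/var/opt/quest/vas/vasd") returns vasd_var_auth_t, which is what restorecon would apply afterwards.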
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux