Re: Policy not taking effect

On 06/10/2015 08:52 AM, Marko Rauhamaa wrote:
> To learn about selinux, I am trying to create a policy that would assign
> the file /etc/xyz the type tuned_log_t.
>
> I have:
>
> ===begin xyz.te=========================================================
> policy_module(xyz, 1.0.0)
> ===end xyz.te===========================================================
>
> ===begin xyz.fc=========================================================
> /etc/xyz        --      gen_context(system_u:object_r:tuned_log_t,s0)
> ===end xyz.fc===========================================================
>
> Then I execute:
>
>    # rm -f /etc/xyz
>    # make -f /usr/share/selinux/devel/Makefile xyz.pp
>    Compiling targeted xyz module
>    /usr/bin/checkmodule:  loading policy configuration from tmp/xyz.tmp
>    /usr/bin/checkmodule:  policy configuration loaded
>    /usr/bin/checkmodule:  writing binary representation (version 17) to
>    tmp/xyz.mod
>    Creating targeted xyz.pp policy package
>    rm tmp/xyz.mod.fc tmp/xyz.mod
>    # semodule -i xyz.pp
>    # touch /etc/xyz
>    # ls -Z /etc/xyz
>    -rw-r--r--. root root unconfined_u:object_r:etc_t:s0   /etc/xyz
>    # restorecon /etc/xyz
>    # ls -Z /etc/xyz
>    -rw-r--r--. root root unconfined_u:object_r:tuned_log_t:s0 /etc/xyz
>
> Why is /etc/xyz not getting the correct type immediately as the policy
> would dictate?
I'm not even close to an SELinux amateur, so beware of my advice, but...

My understanding is that, when run, "restorecon" uses the contents of
the ".fc" (file context) files to determine the contexts of directories
and files.

When a file or directory is created at *run-time*, it assumes the
security context of its parent directory by default.  This behavior can
be modified at run-time with the "type_transition" statement.  The
contents of the ".fc" files are *not* consulted at run-time.

During RPM installation, the "rpm" process does use the ".fc" files to
determine the security contexts given to files.

-- Steve Ross
>
> Marko

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
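As an added example (not code from either poster) of the run-time mechanism Steve describes: a loadable module that adds a named type_transition so that a file called "xyz" created inside an etc_t directory is labelled tuned_log_t at creation time, without a later restorecon. It assumes the shell that runs "touch /etc/xyz" is in the unconfined_t domain (check with "id -Z"; substitute the real domain if it differs). The xyz.fc entry from the original post is still needed alongside it, so that restorecon, setfiles and rpm agree with what the transition produces.

```selinux
policy_module(xyz, 1.0.1)

# Types and classes this module refers to but does not define.
# tuned_log_t and etc_t come from the base policy; unconfined_t is the
# assumed domain of the interactive root shell.
require {
	type tuned_log_t;
	type etc_t;
	type unconfined_t;
	class file { create };
}

# Named file transition: when a process in unconfined_t creates a *file*
# named exactly "xyz" in a directory labelled etc_t, the kernel labels the
# new inode tuned_log_t instead of inheriting etc_t from the parent.
# This rule is consulted at creation time; the .fc entry is not.
# Without the trailing name, every file unconfined_t created under /etc
# would become tuned_log_t, so keep the name.
type_transition unconfined_t etc_t:file tuned_log_t "xyz";
```

Build and load it exactly as in the quoted transcript (make -f /usr/share/selinux/devel/Makefile xyz.pp; semodule -i xyz.pp), then "touch /etc/xyz" should show tuned_log_t in "ls -Z" immediately. To confirm the rule is in the loaded policy, query it with setools: "sesearch -T -s unconfined_t -t etc_t -c file". Two caveats: the transition only fires for that source domain and that literal name (a file created by another domain, or copied in with a different name, still inherits etc_t until restorecon runs), and type_transition only chooses the label; the domain still needs create permission on etc_t directories and tuned_log_t files, which unconfined_t already has. In refpolicy style the same effect is normally expressed through the files_etc_filetrans() interface, which wraps the type_transition together with the directory permissions it needs.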
