You'll need to run restorecon.

On Wed, Jun 10, 2015 at 9:21 AM, Steve Ross <sross@xxxxxxxxxxxxx> wrote:
> On 06/10/2015 08:52 AM, Marko Rauhamaa wrote:
>> To learn about selinux, I am trying to create a policy that would assign
>> the file /etc/xyz the type tuned_log_t.
>>
>> I have:
>>
>> ===begin xyz.te=========================================================
>> policy_module(xyz, 1.0.0)
>> ===end xyz.te===========================================================
>>
>> ===begin xyz.fc=========================================================
>> /etc/xyz -- gen_context(system_u:object_r:tuned_log_t,s0)
>> ===end xyz.fc===========================================================
>>
>> Then I execute:
>>
>> # rm -f /etc/xyz
>> # make -f /usr/share/selinux/devel/Makefile xyz.pp
>> Compiling targeted xyz module
>> /usr/bin/checkmodule: loading policy configuration from tmp/xyz.tmp
>> /usr/bin/checkmodule: policy configuration loaded
>> /usr/bin/checkmodule: writing binary representation (version 17) to
>> tmp/xyz.mod
>> Creating targeted xyz.pp policy package
>> rm tmp/xyz.mod.fc tmp/xyz.mod
>> # semodule -i xyz.pp
>> # touch /etc/xyz
>> # ls -Z /etc/xyz
>> -rw-r--r--. root root unconfined_u:object_r:etc_t:s0 /etc/xyz
>> # restorecon /etc/xyz
>> # ls -Z /etc/xyz
>> -rw-r--r--. root root unconfined_u:object_r:tuned_log_t:s0 /etc/xyz
>>
>> Why is /etc/xyz not getting the correct type immediately as the policy
>> would dictate?
>
> I'm not even close to an SELinux amateur, so beware of my advice, but...
>
> My understanding is that, when run, "restorecon" uses the contents of
> the ".fc" (file context) files to determine the contexts of directories
> and files.
>
> When a file or directory is created at *run-time*, it assumes the
> security context of its parent directory by default. This behavior can
> be modified at run-time with the "type_transition" statement. The
> contents of the ".fc" files are *not* consulted at run-time.
>
> During RPM installation, the "rpm" process does use the ".fc" files to
> determine the security contexts given to files.
>
> -- Steve Ross
>
>> Marko
>> --
>> selinux mailing list
>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
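The run-time route that Steve's reply points at, as an added example (not code from anyone in the thread): a xyz.te that keeps Marko's module and adds a named type_transition, so a file called xyz created in /etc is labelled tuned_log_t at creation rather than only after restorecon. It assumes the refpolicy interface files_etc_filetrans and that the creating domain is unconfined_t, which is what root's "touch" runs as in the session above.

```selinux
policy_module(xyz, 1.0.0)

# Types referenced here are defined by other modules (tuned, unconfined),
# so the module has to require them rather than declare them.
gen_require(`
	type tuned_log_t;
	type unconfined_t;
')

# At run time a new file inherits its parent directory's type (etc_t for
# /etc); the .fc entry is only read by restorecon/setfiles and by rpm.
#
# files_etc_filetrans() wraps filetrans_pattern(), which emits the
# dir/file allow rules plus a named transition equivalent to:
#
#   type_transition unconfined_t etc_t:file tuned_log_t "xyz";
#
# so a file literally named "xyz" created by unconfined_t in an etc_t
# directory is tuned_log_t from the moment it exists.  Other names still
# inherit etc_t.  Named transitions need policy version 25 or newer
# (assumed domain: unconfined_t; adjust to the real creating domain).
files_etc_filetrans(unconfined_t, tuned_log_t, file, "xyz")
```

Keep the xyz.fc line from the thread alongside this rule: the transition and the file-context entry must agree, otherwise a later restorecon (or a relabel during an RPM update) will flip the file back to whatever the .fc says.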