Only tangentially related: Miroslav: thank you for your tireless efforts. :)

On Thu, Oct 15, 2015 at 09:40:04AM +0200, Miroslav Grepl wrote:
> On 10/15/2015 01:57 AM, David Li wrote:
> > My next question is why my file isn't labelled correctly.
> >
> > My .fc file has the label defined as:
> >
> > /usr/sbin/myapp -- gen_context(system_u:object_r:myapp_exec_t,s0)
> >
> > After installing the targeted RPM and relabeling by using fixfiles relabel,
> > the file "/usr/sbin/myapp" looks like this:
> >
> > $ ls -Z /usr/sbin/myapp
> > -rwxr-xr-x. root root unconfined_u:object_r:myapp_exec_t:s0 /usr/sbin/myapp
> >
> > So the domain has been labeled correctly but the user now becomes
> > "unconfined". Why?
>
> You need to be sure you have defined transition rules from unconfined_t
> to myapp_t. If you want to confine your application which is started
> directly from the command line for example, you need to define proper
> rules for it.
>
> For example we have
>
> gpsd_run(unconfined_t, unconfined_r)
>
> where
>
> interface(`gpsd_run',`
>     gen_require(`
>         attribute_role gpsd_roles;
>     ')
>
>     gpsd_domtrans($1)
>     roleattribute $2 gpsd_roles;
> ')
>
>
> Feel free to send me or paste here your policy and we can check it together.
>
> >
> > On Wed, Oct 14, 2015 at 4:46 PM, David Li <dlipubkey@xxxxxxxxx> wrote:
> >> Robin,
> >> yep, that worked!
> >> My policy is actually built into the targeted RPM. So I don't need to
> >> do semodule again.
> >> Thanks!
> >>
> >> On Wed, Oct 14, 2015 at 3:55 PM, Robin Lee Powell
> >> <rlpowell@xxxxxxxxxxxxxxxxxx> wrote:
> >>> Assuming CentOS is the same as Fedora in this regard, you'll want
> >>> selinux-policy-targeted (which is the normal SELinux user policy)
> >>> and whatever package includes /usr/share/selinux/devel/Makefile
> >>> (which is how you make modules; make a directory with only your .te
> >>> and maybe .fc file, and run: /usr/bin/make -f
> >>> /usr/share/selinux/devel/Makefile , and then semodule -i modname.pp )
> >>>
> >>> On Wed, Oct 14, 2015 at 03:41:18PM -0700, David Li wrote:
> >>>> Hi,
> >>>>
> >>>> I am using CentOS 7.1 and just built the following new SELinux policy
> >>>> RPMs. I wonder which one I should use in install. Or do I need to
> >>>> install all of them?
> >>>>
> >>>> My purpose is to test a simple policy that I wrote.
> >>>>
> >>>>
> >>>> [admin@localhost noarch]$ ll
> >>>> total 8996
> >>>> -rw-rw-r--. 1 admin admin  361920 Oct 14 11:47 selinux-policy-3.13.1-23.el7.centos.noarch.rpm
> >>>> -rw-rw-r--. 1 admin admin 3467872 Oct 14 11:47 selinux-policy-devel-3.13.1-23.el7.centos.noarch.rpm
> >>>> -rw-rw-r--. 1 admin admin  917644 Oct 14 11:47 selinux-policy-doc-3.13.1-23.el7.centos.noarch.rpm
> >>>> -rw-rw-r--. 1 admin admin  365812 Oct 14 11:47 selinux-policy-sandbox-3.13.1-23.el7.centos.noarch.rpm
> >>>> -rw-rw-r--. 1 admin admin 4084412 Oct 14 11:47 selinux-policy-targeted-3.13.1-23.el7.centos.noarch.rpm
> >>>>
> >>>> Thanks.
> >>>> --
> >>>> selinux mailing list
> >>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> >>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
> --
> Miroslav Grepl
> Senior Software Engineer, SELinux Solutions
> Red Hat, Inc.
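
The gpsd_run pattern quoted in the thread, carried over to the poster's module as an added example; it is not code from any message in this thread or from the Fedora policy. The types myapp_t and myapp_exec_t come from the thread, while myapp_roles, myapp_domtrans, myapp_run and the choice of application_domain are assumptions made for illustration.

```sepolicy
# ---- myapp.if (interfaces other domains call; names are hypothetical) ----

# Let domain $1 execute myapp_exec_t and transition into myapp_t.
interface(`myapp_domtrans',`
	gen_require(`
		type myapp_t, myapp_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, myapp_exec_t, myapp_t)
')

# Same shape as the gpsd interface quoted in the thread: transition for
# domain $1, and role $2 joins the roles that may be paired with myapp_t.
interface(`myapp_run',`
	gen_require(`
		attribute_role myapp_roles;
	')

	myapp_domtrans($1)
	roleattribute $2 myapp_roles;
')

# ---- myapp.te (the module itself) ----

policy_module(myapp, 1.0.0)

attribute_role myapp_roles;

type myapp_t;
type myapp_exec_t;
# Assumption: a program started by a user, so application_domain marks
# myapp_t as a domain with myapp_exec_t as its entry point.
application_domain(myapp_t, myapp_exec_t)
role myapp_roles types myapp_t;

# unconfined_t and unconfined_r are declared by another module, so they
# are required explicitly and the call is wrapped as optional.
optional_policy(`
	gen_require(`
		type unconfined_t;
		role unconfined_r;
	')

	myapp_run(unconfined_t, unconfined_r)
')
```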