On 10/15/2015 09:52 AM, Robin Lee Powell wrote:
> Only tangentially related: Miroslav: thank you for your tireless
> efforts. :)
>

Yes, I missed the point here :). Petr Lautrbach explained it.

> On Thu, Oct 15, 2015 at 09:40:04AM +0200, Miroslav Grepl wrote:
>> On 10/15/2015 01:57 AM, David Li wrote:
>>> My next question is why my file isn't labelled correctly.
>>>
>>> My .fc file has the label defined as:
>>>
>>> /usr/sbin/myapp -- gen_context(system_u:object_r:myapp_exec_t,s0)
>>>
>>> After installing the targeted RPM and relabeling with fixfiles relabel,
>>> the file "/usr/sbin/myapp" looks like this:
>>>
>>> $ ls -Z /usr/sbin/myapp
>>> -rwxr-xr-x. root root unconfined_u:object_r:myapp_exec_t:s0 /usr/sbin/myapp
>>>
>>> So the domain has been labeled correctly but the user now becomes
>>> "unconfined". Why?
>>
>> You need to be sure you have defined transition rules from unconfined_t
>> to myapp_t. If you want to confine your application which is started
>> directly from the command line for example, you need to define proper
>> rules for it.
>>
>> For example we have
>>
>> gpsd_run(unconfined_t, unconfined_r)
>>
>> where
>>
>> interface(`gpsd_run',`
>>     gen_require(`
>>         attribute_role gpsd_roles;
>>     ')
>>
>>     gpsd_domtrans($1)
>>     roleattribute $2 gpsd_roles;
>> ')
>>
>>
>> Feel free to send me or paste here your policy and we can check it together.
>>
>>>
>>> On Wed, Oct 14, 2015 at 4:46 PM, David Li <dlipubkey@xxxxxxxxx> wrote:
>>>> Robin,
>>>> yep, that worked!
>>>> My policy is actually built into the targeted RPM. So I don't need to
>>>> do semodule again.
>>>> Thanks!
>>>>
>>>> On Wed, Oct 14, 2015 at 3:55 PM, Robin Lee Powell
>>>> <rlpowell@xxxxxxxxxxxxxxxxxx> wrote:
>>>>> Assuming CentOS is the same as Fedora in this regard, you'll want
>>>>> selinux-policy-targeted (which is the normal SELinux user policy)
>>>>> and whatever package includes /usr/share/selinux/devel/Makefile
>>>>> (which is how you make modules; make a directory with only your .te
>>>>> and maybe .fc file, and run: /usr/bin/make -f
>>>>> /usr/share/selinux/devel/Makefile , and then semodule -i modname.pp )
>>>>>
>>>>> On Wed, Oct 14, 2015 at 03:41:18PM -0700, David Li wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I am using CentOS 7.1 and just built the following new Selinux policy
>>>>>> RPMs. I wonder which one I should use in install. Or do I need to
>>>>>> install all of them?
>>>>>>
>>>>>> My purpose is to test a simple policy that I wrote.
>>>>>>
>>>>>>
>>>>>> [admin@localhost noarch]$ ll
>>>>>> total 8996
>>>>>> -rw-rw-r--. 1 admin admin  361920 Oct 14 11:47 selinux-policy-3.13.1-23.el7.centos.noarch.rpm
>>>>>> -rw-rw-r--. 1 admin admin 3467872 Oct 14 11:47 selinux-policy-devel-3.13.1-23.el7.centos.noarch.rpm
>>>>>> -rw-rw-r--. 1 admin admin  917644 Oct 14 11:47 selinux-policy-doc-3.13.1-23.el7.centos.noarch.rpm
>>>>>> -rw-rw-r--. 1 admin admin  365812 Oct 14 11:47 selinux-policy-sandbox-3.13.1-23.el7.centos.noarch.rpm
>>>>>> -rw-rw-r--. 1 admin admin 4084412 Oct 14 11:47 selinux-policy-targeted-3.13.1-23.el7.centos.noarch.rpm
>>>>>>
>>>>>> Thanks.
>>>>>> --
>>>>>> selinux mailing list
>>>>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>
>>
>> --
>> Miroslav Grepl
>> Senior Software Engineer, SELinux Solutions
>> Red Hat, Inc.

--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
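
Added example, not part of the original thread or of any SELinux tool: a field-by-field comparison of the `.fc` entry and the `ls -Z` line quoted above, showing that the type matches the policy and only the user field differs. The function names are hypothetical, and only the two-argument `gen_context()` form is handled.

```python
import re

# Constructed from the thread: the .fc entry and the `ls -Z` line David Li posted.
FC_LINE = "/usr/sbin/myapp -- gen_context(system_u:object_r:myapp_exec_t,s0)"
LS_Z_LINE = "-rwxr-xr-x. root root unconfined_u:object_r:myapp_exec_t:s0 /usr/sbin/myapp"

FIELDS = ("user", "role", "type", "level")
# path regex, optional file-type flag (--, -d, -l, ...), then gen_context(context,level)
FC_RE = re.compile(
    r"^(\S+)\s+(?:(-[-dbcpls])\s+)?gen_context\(\s*([^,\s]+)\s*,\s*([^,)\s]+)\s*\)\s*$")

def parse_context(ctx):
    """Split user:role:type:level; the level may contain ':' (e.g. s0:c0.c1023)."""
    parts = ctx.split(":", 3)
    if len(parts) != 4:
        raise ValueError(f"expected user:role:type:level, got {ctx!r}")
    return dict(zip(FIELDS, parts))

def parse_fc_line(line):
    """Parse a two-argument gen_context() entry into (path_regex, file_type, context)."""
    m = FC_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported .fc entry: {line!r}")
    path_re, ftype, ctx, level = m.groups()
    return path_re, ftype, parse_context(f"{ctx}:{level}")

def parse_ls_z(line):
    """Return (path, context) from one `ls -Z` line; the context token has 3+ colons."""
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok.count(":") >= 3 and i + 1 < len(tokens):
            return " ".join(tokens[i + 1:]), parse_context(tok)
    raise ValueError(f"no SELinux context in: {line!r}")

def label_diff(fc_line, ls_line):
    """Map each differing field to (expected from .fc, actual on disk)."""
    path_re, _ftype, expected = parse_fc_line(fc_line)
    path, actual = parse_ls_z(ls_line)
    if not re.fullmatch(path_re, path):  # .fc paths are anchored regular expressions
        raise ValueError(f"{path!r} is not covered by {path_re!r}")
    return {f: (expected[f], actual[f]) for f in FIELDS if expected[f] != actual[f]}

if __name__ == "__main__":
    for field, (want, got) in label_diff(FC_LINE, LS_Z_LINE).items():
        print(f"{field}: file_contexts says {want}, file has {got}")
```

A difference confined to the user field is what a relabel without `-F` leaves behind: per the restorecon man page, only the type portion is reset by default, and `-F` also resets user, role and range.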