Re: [selinux] SElinux newbie question

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 10/15/2015 09:52 AM, Robin Lee Powell wrote:
> Only tangentially related: Miroslav: thank you for your tireless
> efforts.  :)
> 

Yes, I missed the point here :). Petr Lautrbach explained it.

> On Thu, Oct 15, 2015 at 09:40:04AM +0200, Miroslav Grepl wrote:
>> On 10/15/2015 01:57 AM, David Li wrote:
>>> My next question is why my file isn't labelled correctly.
>>>
>>> My .fc file has the label defined as:
>>>
>>> /usr/sbin/myapp -- gen_context(system_u:object_r:myapp_exec_t,s0)
>>>
>>> After install the targeted RPM and relabel by using fixfiles relabel,
>>> the file "/usr/sbin/myapp" looks like this:
>>>
>>> $ ls -Z /usr/sbin/myapp
>>> -rwxr-xr-x. root root unconfined_u:object_r:myapp_exec_t:s0 /usr/sbin/myapp
>>>
>>> So the domain has been labeled correctly but the user now becomes
>>> "unconfined". Why?
>>
>> You need to be sure you have defined transition rules from unconfined_t
>> to myapp_t. If you want to confine your application which is started
>> directly from the command line for example, you need to define proper
>> rules for it.
>>
>> Fox example we have
>>
>> gpsd_run(unconfined_t, unconfined_r)
>>
>> where
>>
>> interface(`gpsd_run',`
>>     gen_require(`
>>         attribute_role gpsd_roles;
>>     ')
>>
>>     gpsd_domtrans($1)
>>     roleattribute $2 gpsd_roles;
>> ')
>>
>>
>> Feel free to send me or paste here your policy and we can check it together.
>>
>>
>>
>>>
>>> On Wed, Oct 14, 2015 at 4:46 PM, David Li <dlipubkey@xxxxxxxxx> wrote:
>>>> Robin,
>>>> yep, that worked!
>>>> My policy is actually built into the targeted RPM. So I don't need to
>>>> do semodule again.
>>>> Thanks!
>>>>
>>>>
>>>>
>>>> On Wed, Oct 14, 2015 at 3:55 PM, Robin Lee Powell
>>>> <rlpowell@xxxxxxxxxxxxxxxxxx> wrote:
>>>>> Assuming CentOS is the same as Fedora in this regard, you'll want
>>>>> selinux-policy-targeted (which is the normal SELinux user policy)
>>>>> and whatever package includes /usr/share/selinux/devel/Makefile
>>>>> (which is how you make modules; make a directory with only your .te
>>>>> and maybe .fc file, and run: /usr/bin/make -f
>>>>> /usr/share/selinux/devel/Makefile , and then semodule -i modname.pp )
>>>>>
>>>>> On Wed, Oct 14, 2015 at 03:41:18PM -0700, David Li wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I am using CentOS 7.1 and just built the following new Selinux policy
>>>>>> RPMs. I wonder which one I should use in install.  Or do I need to
>>>>>> install all of them?
>>>>>>
>>>>>> My purpose is to test a simple policy that I wrote.
>>>>>>
>>>>>>
>>>>>> [admin@localhost noarch]$ ll
>>>>>> total 8996
>>>>>> -rw-rw-r--. 1 admin admin  361920 Oct 14 11:47
>>>>>> selinux-policy-3.13.1-23.el7.centos.noarch.rpm
>>>>>> -rw-rw-r--. 1 admin admin 3467872 Oct 14 11:47
>>>>>> selinux-policy-devel-3.13.1-23.el7.centos.noarch.rpm
>>>>>> -rw-rw-r--. 1 admin admin  917644 Oct 14 11:47
>>>>>> selinux-policy-doc-3.13.1-23.el7.centos.noarch.rpm
>>>>>> -rw-rw-r--. 1 admin admin  365812 Oct 14 11:47
>>>>>> selinux-policy-sandbox-3.13.1-23.el7.centos.noarch.rpm
>>>>>> -rw-rw-r--. 1 admin admin 4084412 Oct 14 11:47
>>>>>> selinux-policy-targeted-3.13.1-23.el7.centos.noarch.rpm
>>>>>>
>>>>>> Thanks.
>>>>>> --
>>>>>> selinux mailing list
>>>>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>> --
>>> selinux mailing list
>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>
>>
>>
>> -- 
>> Miroslav Grepl
>> Senior Software Engineer, SELinux Solutions
>> Red Hat, Inc.
>> --
>> selinux mailing list
>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>> https://admin.fedoraproject.org/mailman/listinfo/selinux


-- 
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux




[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux