On 10/15/2015 10:36 AM, Petr Lautrbach wrote:
> On 10/15/2015 01:57 AM, David Li wrote:
>> My next question is why my file isn't labelled correctly.
>>
>> My .fc file has the label defined as:
>>
>> /usr/sbin/myapp -- gen_context(system_u:object_r:myapp_exec_t,s0)
>>
>> After installing the targeted RPM and relabeling by using fixfiles relabel,
>> the file "/usr/sbin/myapp" looks like this:
>>
>> $ ls -Z /usr/sbin/myapp
>> -rwxr-xr-x. root root unconfined_u:object_r:myapp_exec_t:s0 /usr/sbin/myapp
>>
>> So the domain has been labeled correctly but the user now becomes
>> "unconfined". Why?
>
>
> fixfiles uses the restorecon command without the force flag by default. It
> means that only the type of a file is modified. If you want to enforce a
> replacement of the entire context, you should use the -F option:
>
> # fixfiles -F relabel
>

Yes, thanks. The point is that we want to prevent some unwanted labeling changes if restorecon is called, which could happen with "-F" defined as the default. For example, if you use the MCS part of the security context, then we don't want to change any labeling here by accident.

$ touch test_mcs
$ ls -Z test_mcs
unconfined_u:object_r:user_home_t:s0 test_mcs
$ chcon -l s0:c1 test_mcs
unconfined_u:object_r:user_home_t:s0:c1 test_mcs
$ restorecon -v test_mcs
$ ls -Z test_mcs
unconfined_u:object_r:user_home_t:s0:c1 test_mcs
$ restorecon -Fv test_mcs
restorecon reset /home/mgrepl/test_mcs context unconfined_u:object_r:user_home_t:s0:c1->unconfined_u:object_r:user_home_t:s0

So you need to use the "-F" option to reset all parts of the SELinux context to the default label.

>
>
>
> Petr
>
>
>> On Wed, Oct 14, 2015 at 4:46 PM, David Li <dlipubkey@xxxxxxxxx> wrote:
>>> Robin,
>>> yep, that worked!
>>> My policy is actually built into the targeted RPM. So I don't need to
>>> do semodule again.
>>> Thanks!
>>>
>>>
>>>
>>> On Wed, Oct 14, 2015 at 3:55 PM, Robin Lee Powell
>>> <rlpowell@xxxxxxxxxxxxxxxxxx> wrote:
>>>> Assuming CentOS is the same as Fedora in this regard, you'll want
>>>> selinux-policy-targeted (which is the normal SELinux user policy)
>>>> and whatever package includes /usr/share/selinux/devel/Makefile
>>>> (which is how you make modules; make a directory with only your .te
>>>> and maybe .fc file, and run: /usr/bin/make -f
>>>> /usr/share/selinux/devel/Makefile , and then semodule -i modname.pp )
>>>>
>>>> On Wed, Oct 14, 2015 at 03:41:18PM -0700, David Li wrote:
>>>>> Hi,
>>>>>
>>>>> I am using CentOS 7.1 and just built the following new SELinux policy
>>>>> RPMs. I wonder which one I should use in the install. Or do I need to
>>>>> install all of them?
>>>>>
>>>>> My purpose is to test a simple policy that I wrote.
>>>>>
>>>>>
>>>>> [admin@localhost noarch]$ ll
>>>>> total 8996
>>>>> -rw-rw-r--. 1 admin admin  361920 Oct 14 11:47
>>>>> selinux-policy-3.13.1-23.el7.centos.noarch.rpm
>>>>> -rw-rw-r--. 1 admin admin 3467872 Oct 14 11:47
>>>>> selinux-policy-devel-3.13.1-23.el7.centos.noarch.rpm
>>>>> -rw-rw-r--. 1 admin admin  917644 Oct 14 11:47
>>>>> selinux-policy-doc-3.13.1-23.el7.centos.noarch.rpm
>>>>> -rw-rw-r--. 1 admin admin  365812 Oct 14 11:47
>>>>> selinux-policy-sandbox-3.13.1-23.el7.centos.noarch.rpm
>>>>> -rw-rw-r--. 1 admin admin 4084412 Oct 14 11:47
>>>>> selinux-policy-targeted-3.13.1-23.el7.centos.noarch.rpm
>>>>>
>>>>> Thanks.
>>>>> --
>>>>> selinux mailing list
>>>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux

-- 
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
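The behaviour Miroslav demonstrates above, as an added example that is not from the thread: a small Python model of the four-field file context and of which fields restorecon resets with and without -F, checked against the contexts quoted in the mails. The Context class and the fc_default and restorecon helpers are this example's own, not libselinux's.

```python
"""Model of how restorecon treats the four fields of a file context.

Without -F only the type field is reset to the policy default; with -F
the whole context (user, role, type and MCS/MLS level) is reset.  This
lets the effect be checked without a running SELinux system.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    """SELinux context user:role:type:level; the level may itself contain ':'."""
    user: str
    role: str
    type: str
    level: str

    @classmethod
    def parse(cls, text: str) -> "Context":
        user, role, type_, level = text.split(":", 3)  # keep 's0:c1' intact
        return cls(user, role, type_, level)

    def __str__(self) -> str:
        return f"{self.user}:{self.role}:{self.type}:{self.level}"


def fc_default(spec: str) -> Context:
    """Default context from a file_contexts line using gen_context(ctx,level)."""
    inner = spec[spec.index("gen_context(") + len("gen_context("):spec.rindex(")")]
    ctx, level = inner.split(",", 1)
    return Context.parse(f"{ctx}:{level.strip()}")


def restorecon(current: Context, default: Context, force: bool = False) -> Context:
    """restorecon without -F corrects only the type; -F replaces everything."""
    if force:
        return default
    return Context(current.user, current.role, default.type, current.level)


def diff_fields(current: Context, default: Context) -> list:
    """Names of the fields in which the file differs from the policy default."""
    return [f for f in ("user", "role", "type", "level")
            if getattr(current, f) != getattr(default, f)]


if __name__ == "__main__":
    # Constructed from the thread: myapp labelled unconfined_u after a plain relabel.
    observed = Context.parse("unconfined_u:object_r:myapp_exec_t:s0")
    default = fc_default("/usr/sbin/myapp -- gen_context(system_u:object_r:myapp_exec_t,s0)")
    print("differs in:", diff_fields(observed, default))
    print("restorecon   :", restorecon(observed, default))
    print("restorecon -F:", restorecon(observed, default, True))
```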