On Fri, Jun 7, 2019 at 8:45 AM Marko Rauhamaa <marko@xxxxxxxxxx> wrote:

> When a file gets created, it gets a label based on some mysterious
> distro policy ("antivirus_db_t").

A newly-created file will inherit the file context of its parent directory unless there is a specific policy that sets a different context. See:

https://fedoraproject.org/wiki/Features/SELinuxFileNameTransition

Here's an example:

$ sesearch --type_trans --source unconfined_t --default httpd_user_content_t
type_transition unconfined_t user_home_dir_t:dir httpd_user_content_t "public_html";
type_transition unconfined_t user_home_dir_t:dir httpd_user_content_t "web";
type_transition unconfined_t user_home_dir_t:dir httpd_user_content_t "www";

In other words, if a process running in unconfined_t creates a directory named any of (public_html, web, www) that would otherwise have the user_home_dir_t context (typically, because it inherited that context from the containing directory), instead create the directory with the httpd_user_content_t context.

> I define a specific custom policy that should give the file a
> different label (say, "bin_t").

File context? Or transition context?

> What ends up happening is that no matter how I *create* the file, it
> always gets "antivirus_db_t" as its label. However, if I run
> restorecon on the file, the label changes to "bin_t".
>
> How can this symptom be explained?

You have probably specified a file context rule that conflicts with the context specified by a creation policy or file name transition. When a file is created, the creation/transition policy applies; when a file is relabeled, the file context policy applies. If they don't agree, you see exactly the behavior you're describing: a file is created with one context, but running "restorecon" changes it to a different context.
In your case, if you want to see all transitions to the antivirus_db_t context, run:

$ sesearch --type_trans --default antivirus_db_t

I'm betting you'll see there's an explicit transition context that applies to the specific file you're creating.

_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
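The two lookups the reply contrasts (the creation-time type_transition versus the file-context match restorecon applies), as an added example that is not part of the thread. It parses constructed sesearch output (the three rules quoted above plus two hypothetical ones, the last reproducing the antivirus_db_t/bin_t symptom) against a hypothetical file-context table and reports where the two labels disagree; the specificity ranking is an approximation of how file_contexts entries are ordered, not libselinux's exact algorithm.

```python
import re

# Constructed sample of `sesearch --type_trans` output: the three rules quoted in the
# reply plus two hypothetical rules, the last one reproducing the antivirus_db_t symptom.
SESEARCH_OUTPUT = """\
type_transition unconfined_t user_home_dir_t:dir httpd_user_content_t "public_html";
type_transition unconfined_t user_home_dir_t:dir httpd_user_content_t "web";
type_transition unconfined_t user_home_dir_t:dir httpd_user_content_t "www";
type_transition unconfined_t user_home_dir_t:file user_home_t;
type_transition unconfined_t user_home_dir_t:file antivirus_db_t "scanner";
"""

# Hypothetical file-context specs (regex, type), the kind `semanage fcontext -l` lists.
FILE_CONTEXTS = [
    (r"/home/[^/]+(/.*)?", "user_home_t"),
    (r"/home/[^/]+/public_html(/.*)?", "httpd_user_content_t"),
    (r"/home/[^/]+/scanner", "bin_t"),
]

RULE_RE = re.compile(r'type_transition (\S+) (\S+):(\S+) (\S+)(?: "([^"]*)")?;')

def parse_type_transitions(text):
    """Return (source, target, class, default, name_or_None) tuples from sesearch output."""
    return [m.groups() for m in RULE_RE.finditer(text)]

def creation_type(rules, source, parent_type, obj_class, name):
    """Creation label: named transition wins, then an unnamed one, else the parent's type."""
    matching = [r for r in rules if r[:3] == (source, parent_type, obj_class)]
    for want in (name, None):
        for r in matching:
            if r[4] == want:
                return r[3]
    return parent_type

def specificity(regex):
    """Approximation of fc_sort ranking: longer literal stem first, then longer pattern."""
    stem = re.split(r"[.^$*+?()\[\]{}|\\]", regex, maxsplit=1)[0]
    return (len(stem), len(regex))

def restorecon_type(path):
    """Type restorecon would set: the most specific matching file-context spec wins."""
    matches = [(specificity(rx), typ) for rx, typ in FILE_CONTEXTS if re.fullmatch(rx, path)]
    return max(matches)[1] if matches else None

def diagnose(path, source, parent_type, obj_class):
    """Compare the creation-time label with the restorecon label for a new object at path."""
    rules = parse_type_transitions(SESEARCH_OUTPUT)
    created = creation_type(rules, source, parent_type, obj_class, path.rsplit("/", 1)[-1])
    relabeled = restorecon_type(path)
    return created, relabeled, created != relabeled
```

For the hypothetical "scanner" file, diagnose() returns antivirus_db_t at creation and bin_t after restorecon, which is exactly the mismatch the original poster reports.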