James Ralston <ralston@xxxxxxxxx>:

> On Fri, Jun 7, 2019 at 8:45 AM Marko Rauhamaa <marko@xxxxxxxxxx> wrote:
>> When a file gets created, it gets a label based on some mysterious
>> distro policy ("antivirus_db_t").
>
> A newly-created file will inherit the file context of its parent
> directory unless there is a specific policy that sets a different
> context. See:
>
> https://fedoraproject.org/wiki/Features/SELinuxFileNameTransition

Thanks for answering.

>> I define a specific custom policy that should give the file a
>> different label (say, "bin_t").
>
> File context? Or transition context?

.fc

>> What ends up happening is that no matter how I *create* the file, it
>> always gets "antivirus_db_t" as its label. However, if I run
>> restorecon on the file, the label changes to "bin_t".
>>
>> How can this symptom be explained?
>
> You have probably specified a file context rule that conflicts with
> the context specified by a creation policy or file name transition.
>
> When a file is created, the creation/transition policy applies; when a
> file is relabeled, the file context policy applies. If they don't
> agree, you see exactly the behavior you're describing: a file is
> created with one context, but running "restorecon" changes it to a
> different context.
>
> In your case, if you want to see all transitions to the antivirus_db_t
> context, run:
>
> $ sesearch --type_trans --default antivirus_db_t
>
> I'm betting you'll see there's an explicit transition context that
> applies to the specific file you're creating.

No doubt. I'll have to check it when I get back to the office.

More interestingly, how do I override the distro transition rule so that
the file context rule takes precedence? Based on some extensive googling,
I gather I will need a file_type_auto_trans declaration. Even some more
digging makes me guess this directive needs to go in a .te file, although
it would be nice to find a direct answer in the documentation.
I don't suppose it's possible to write an all-encompassing transition rule
that forces the label of a file regardless of the context of the creator.
So I will need to experimentally chart all the legitimate ways in which the
file can come about and write transition rules for all valid transitions.

Marko
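As an added illustration (not code from either poster), this is the shape of a small policy module that puts the creation-time rule in a `.te` file next to the matching `.fc` entry, so that the label given at creation and the label `restorecon` applies agree. The module name `myav_bin`, the creating domain `antivirus_t`, the path `/var/lib/myav/scanner.bin` and the file name are all assumptions; only `antivirus_db_t`, `bin_t` and the `.te`/`.fc` split come from the thread.

```selinux
# ---- myav_bin.te (constructed example; type and file names are assumptions) ----
policy_module(myav_bin, 1.0)

require {
    type antivirus_t;      # assumed: the domain that creates the file
    type antivirus_db_t;   # the type the distro's creation rule hands out
    type bin_t;            # the type the .fc rule wants
}

# Creation-time rule. filetrans_pattern() is the reference-policy macro that
# expands to the allow rules plus the type_transition. With the fifth
# argument it becomes a *file name* transition: it only matches a file
# called "scanner.bin" created by antivirus_t in an antivirus_db_t directory,
# so it sits beside the distro's broader rule instead of contradicting it.
filetrans_pattern(antivirus_t, antivirus_db_t, bin_t, file, "scanner.bin")

# ---- myav_bin.fc (same label, so restorecon leaves the file alone) ----
/var/lib/myav/scanner\.bin    --    gen_context(system_u:object_r:bin_t,s0)
```

Build and load it with the usual reference-policy Makefile (`make -f /usr/share/selinux/devel/Makefile myav_bin.pp && semodule -i myav_bin.pp`), then check both paths behave the same: create the file from the domain, run `ls -Z` on it, run `restorecon -v` on it and confirm nothing changes. The file name argument matters: a plain `type_transition` for the same source, target and class that names a different default type than the distro's rule is a conflicting TE rule and the module will not load, whereas a name-specific transition is more specific and coexists with it. `sesearch --type_trans --default antivirus_db_t`, as suggested above, is the way to find out which creating domains and directories the distro rule covers, and therefore which ones need an entry like this.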