On 7/11/19 10:44 AM, Ed Greshko wrote:
> Hi,
>
> I'm not well versed in selinux and I rarely have run into issues with it.
>
> However, one point that I thought was true doesn't seem to be true. I was under the
> impression that when a file is created and the context for it is defined in the policy it
> would acquire it.
>
> For example,
>
> [egreshko@meimei ~]$ pwd
> /home/egreshko
>
> [egreshko@meimei ~]$ touch .fetchmailrc
> [egreshko@meimei ~]$ ls -Z .fetchmailrc
> unconfined_u:object_r:user_home_t:s0 .fetchmailrc
>
> [egreshko@meimei ~]$ restorecon .fetchmailrc
> [egreshko@meimei ~]$ ls -Z .fetchmailrc
> unconfined_u:object_r:fetchmail_home_t:s0 .fetchmailrc
>
> Shouldn't the context have been correct when the file was created? How is an average user
> to know they may need to add the additional step?
>

The file label with its full path should be defined in the policy:

semanage fcontext -l | grep fetchmailrc
/etc/fetchmailrc              regular file    system_u:object_r:fetchmail_etc_t:s0
/home/[^/]+/\.fetchmailrc     regular file    unconfined_u:object_r:fetchmail_home_t:s0
/home/lvrabec/\.fetchmailrc   regular file    staff_u:object_r:fetchmail_home_t:s0
/root/\.fetchmailrc           regular file    system_u:object_r:fetchmail_home_t:s0

So restorecon did its job and restored it correctly. But you created that file as unconfined_t (type "id -Z" in a terminal), and there is no FILE transition rule saying what the newly created file's label should be, so it inherits the label from the directory, which is user_home_t.

Thanks,
Lukas.

> Thanks

--
Lukas Vrabec
Senior Software Engineer, Security Technologies
Red Hat, Inc.
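The reply above explains two separate mechanisms: at creation time a file's type comes from a type_transition rule if one exists and is otherwise inherited from the parent directory, while restorecon applies the regex rules listed by semanage fcontext. The following Python model is an added example written for this page, not code from the thread or from the SELinux project. It uses the four fcontext rules quoted in the reply as constructed input, assumes an empty transition table (matching the reply's statement that no rule exists for this case), assumes a process context for an unconfined user, and simplifies real matchpathcon behaviour to "regex must match the full path; the last matching rule wins". It also includes a small drift audit in the spirit of restorecon -n -v, which reports files whose current type differs from what policy expects.

```python
import re

# Constructed rule set, copied from the semanage fcontext output in the reply:
# (path regex, file type, context)
FCONTEXT_RULES = [
    (r"/etc/fetchmailrc", "regular file", "system_u:object_r:fetchmail_etc_t:s0"),
    (r"/home/[^/]+/\.fetchmailrc", "regular file", "unconfined_u:object_r:fetchmail_home_t:s0"),
    (r"/home/lvrabec/\.fetchmailrc", "regular file", "staff_u:object_r:fetchmail_home_t:s0"),
    (r"/root/\.fetchmailrc", "regular file", "system_u:object_r:fetchmail_home_t:s0"),
]

# Hypothetical type_transition table: (process type, parent dir type, object
# class) -> type of the new object. Empty because, as the reply says, the policy
# has no such rule for unconfined_t creating a file in a user_home_t directory.
FILE_TRANSITIONS = {}


def parse_context(ctx):
    """Split 'user:role:type:level' (level may itself contain ':' for MLS ranges)."""
    user, role, type_, level = ctx.split(":", 3)
    return user, role, type_, level


def label_on_create(proc_ctx, parent_dir_ctx, obj_class="file", transitions=None):
    """Simplified model of object labelling at creation time.

    The SELinux user comes from the creating process, the role is object_r,
    the type comes from a type_transition rule when one matches and is
    otherwise inherited from the parent directory, and the level is the low
    end of the process's range.
    """
    transitions = FILE_TRANSITIONS if transitions is None else transitions
    p_user, _, p_type, p_level = parse_context(proc_ctx)
    _, _, dir_type, _ = parse_context(parent_dir_ctx)
    new_type = transitions.get((p_type, dir_type, obj_class), dir_type)
    low_level = p_level.split("-")[0]
    return f"{p_user}:object_r:{new_type}:{low_level}"


def expected_context(path, rules=FCONTEXT_RULES, ftype="regular file"):
    """Simplified matchpathcon: full regex match, last matching rule wins.
    Returns None when no rule covers the path."""
    match = None
    for pattern, rule_type, ctx in rules:
        if rule_type == ftype and re.fullmatch(pattern, path):
            match = ctx
    return match


def restorecon(path, current_ctx, rules=FCONTEXT_RULES):
    """Model of restorecon without -F: only the type is reset, the user, role
    and level of the existing label are kept. Unchanged if no rule matches."""
    expected = expected_context(path, rules)
    if expected is None:
        return current_ctx
    user, role, _, level = parse_context(current_ctx)
    return f"{user}:{role}:{parse_context(expected)[2]}:{level}"


def audit_labels(files, rules=FCONTEXT_RULES):
    """Report (path, current type, expected type) for files whose type drifted
    from policy, the way 'restorecon -n -v' would list them."""
    drift = []
    for path, current in files.items():
        expected = expected_context(path, rules)
        if expected is not None:
            cur_type = parse_context(current)[2]
            exp_type = parse_context(expected)[2]
            if cur_type != exp_type:
                drift.append((path, cur_type, exp_type))
    return drift


if __name__ == "__main__":
    # Constructed: what 'id -Z' shows for an unconfined user on Fedora.
    proc = "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"
    home = "unconfined_u:object_r:user_home_t:s0"
    path = "/home/egreshko/.fetchmailrc"
    created = label_on_create(proc, home)
    print("after touch:      ", created)
    print("after restorecon: ", restorecon(path, created))
    print("drift report:     ", audit_labels({path: created}))
```

The same model shows why a type_transition rule would have made the extra step unnecessary: passing a table such as {("unconfined_t", "user_home_t", "file"): "fetchmail_home_t"} to label_on_create yields fetchmail_home_t directly at creation, which is the behaviour the original poster expected.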
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx