On 7/12/19 11:26 PM, Lukas Vrabec wrote:
> On 7/11/19 10:44 AM, Ed Greshko wrote:
>> Hi,
>>
>> I'm not well versed in selinux and I rarely have run into issues with it.
>>
>> However, one point that I thought was true doesn't seem to be true. I was under the
>> impression that when a file is created and the context for it is defined in the policy it
>> would acquire it.
>>
>> For example,
>>
>> [egreshko@meimei ~]$ pwd
>> /home/egreshko
>>
>> [egreshko@meimei ~]$ touch .fetchmailrc
>> [egreshko@meimei ~]$ ls -Z .fetchmailrc
>> unconfined_u:object_r:user_home_t:s0 .fetchmailrc
>>
>> [egreshko@meimei ~]$ restorecon .fetchmailrc
>> [egreshko@meimei ~]$ ls -Z .fetchmailrc
>> unconfined_u:object_r:fetchmail_home_t:s0 .fetchmailrc
>>
>> Shouldn't the context have been correct when the file was created? How is an average user
>> to know they may need to add the additional step?
>>
> File label with full path should be defined in policy:
>
> semanage fcontext -l | grep fetchmailrc
> /etc/fetchmailrc               regular file    system_u:object_r:fetchmail_etc_t:s0
> /home/[^/]+/\.fetchmailrc      regular file    unconfined_u:object_r:fetchmail_home_t:s0
> /home/lvrabec/\.fetchmailrc    regular file    staff_u:object_r:fetchmail_home_t:s0
> /root/\.fetchmailrc            regular file    system_u:object_r:fetchmail_home_t:s0
>
> So restorecon did its job and restored it correctly.
>
> But you created that file as unconfined_t. (type "id -Z" in a terminal)
>
> And there is no FILE transition rule which should say what the newly created
> file label should be, so it inherits the label from the directory, which
> is user_home_t.

I see. So, kindly indulge me, I have a few follow-up questions. Aside from my needing to look for information on what a "FILE transition rule" is....
Looking at this sequence:

[maria@meimei .local]$ ls -Zd share
unconfined_u:object_r:data_home_t:s0 share
[maria@meimei .local]$ cd share
[maria@meimei share]$ ls -Z certificates
ls: cannot access 'certificates': No such file or directory
[maria@meimei share]$ mkdir certificates
[maria@meimei share]$ ls -Zd certificates/
unconfined_u:object_r:home_cert_t:s0 certificates/

1. Tells me a "FILE transition rule" exists, yes?
2. How to list existing "FILE transition rules"?
3. Wouldn't it be advisable that files such as "rc" files, which a user may create in their home directory and which are for well-known standard programs, have "FILE transition rules" already in existence?

-- 
Right: I dislike the default color scheme
Wrong: What idiot picked the default color scheme
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
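Added example (editor's code, not part of the thread above and not Fedora policy): the mechanism Lukas describes, modelled in Python. On a real system the answer to question 2 is `sesearch -T -s unconfined_t -t data_home_t -c dir` (from setools), with the creating domain taken from `id -Z`; the script below parses lines in that output format and reproduces the kernel's choice of type for a new object: a name-based type_transition rule whose quoted name matches the last path component wins, an unnamed rule for the same source/target/class is the fallback, and with no matching rule the object inherits the parent directory's type, which is what happened to ~/.fetchmailrc. The two rule lines in SAMPLE_SESEARCH_T are constructed for the example (the home_cert_t one mirrors what the mkdir in ~/.local/share shows, the .cache one is an assumption), and FETCHMAIL_RULE is a hypothetical rule the thread says the policy lacks, included only to show what would make `touch ~/.fetchmailrc` land on fetchmail_home_t without a restorecon.

```python
"""Model of how SELinux picks the type of a newly created file or directory.

Constructed example; the rule lines are shaped like `sesearch -T` output
(setools 4 style) but are not a dump of any real policy.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `sesearch -T -s unconfined_t` output. The first line
# matches what the thread observed for ~/.local/share/certificates; the
# second is an assumed rule added so the sample has more than one entry.
SAMPLE_SESEARCH_T = """
type_transition unconfined_t data_home_t:dir home_cert_t "certificates";
type_transition unconfined_t user_home_t:dir cache_home_t ".cache";
"""

# Hypothetical rule (not in the policy, per the thread) that would label
# a new ~/.fetchmailrc as fetchmail_home_t at creation time.
FETCHMAIL_RULE = ('type_transition unconfined_t user_home_t:file '
                  'fetchmail_home_t ".fetchmailrc";')

# type_transition SRC TGT:CLASS NEW ["NAME"];  (tolerates "TGT : CLASS" too)
RULE_RE = re.compile(
    r'^type_transition\s+(?P<src>\S+)\s+(?P<tgt>[^\s:]+)\s*:\s*(?P<cls>\S+)\s+'
    r'(?P<new>[^\s;"]+)(?:\s+"(?P<name>[^"]*)")?\s*;$'
)


@dataclass(frozen=True)
class TypeTransition:
    source: str           # domain of the creating process, e.g. unconfined_t
    target: str           # type of the parent directory
    tclass: str           # object class being created: file, dir, lnk_file, ...
    new_type: str         # type the new object receives
    name: Optional[str]   # last path component for name-based rules, else None


def parse_type_transitions(text: str) -> List[TypeTransition]:
    """Parse sesearch -T style lines into TypeTransition records."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised rule: {line!r}")
        rules.append(TypeTransition(m['src'], m['tgt'], m['cls'],
                                    m['new'], m['name']))
    return rules


def label_for_new_object(rules, source, parent_type, tclass, name):
    """Return the type a new object gets, in the kernel's order of preference:
    a name-based rule matching the final path component, then an unnamed
    rule for the same (source, target, class), and otherwise the parent
    directory's own type (plain inheritance)."""
    generic = None
    for r in rules:
        if (r.source, r.target, r.tclass) != (source, parent_type, tclass):
            continue
        if r.name == name:
            return r.new_type
        if r.name is None:
            generic = r.new_type
    return generic if generic is not None else parent_type


def thread_scenarios(rules):
    """Replay the two creations from the thread; returns {path: type}."""
    return {
        "~/.fetchmailrc": label_for_new_object(
            rules, "unconfined_t", "user_home_t", "file", ".fetchmailrc"),
        "~/.local/share/certificates": label_for_new_object(
            rules, "unconfined_t", "data_home_t", "dir", "certificates"),
    }


if __name__ == "__main__":
    policy = parse_type_transitions(SAMPLE_SESEARCH_T)
    for path, t in thread_scenarios(policy).items():
        print(f"{path}: {t}")
    with_fix = policy + parse_type_transitions(FETCHMAIL_RULE)
    print("with hypothetical rule:", thread_scenarios(with_fix)["~/.fetchmailrc"])
```

The two mechanisms in the thread are separate: `semanage fcontext -l` lists the file_contexts rules that restorecon applies after the fact, while type_transition rules (listed with `sesearch -T`) decide the label at creation time. A path can appear in the first list and still get the wrong label on `touch` if the second has nothing for it.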