On Fri, Jul 12, 2019 at 4:42 PM Ed Greshko <ed.greshko@xxxxxxxxxxx> wrote:
> So, kindly indulge me, I have a few follow-up questions. Aside
> from my needing to look for information on what a "FILE transition
> rule" is....
>
> Looking at this sequence:
>
> [maria@meimei .local]$ ls -Zd share
> unconfined_u:object_r:data_home_t:s0 share
> [maria@meimei .local]$ cd share
> [maria@meimei share]$ ls -Z certificates
> ls: cannot access 'certificates': No such file or directory
> [maria@meimei share]$ mkdir certificates
> [maria@meimei share]$ ls -Zd certificates/
> unconfined_u:object_r:home_cert_t:s0 certificates/
>
> 1. Tells me a "FILE transition rule" exists, yes?

Yes, because the file you created did not inherit the data_home_t label from the parent directory. (Some special applications that have specific SELinux knowledge can request that a file be created with a specific context, but "mkdir" does not do this.)

> 2. How to list existing "FILE transition rules"?

$ sesearch --type_trans --source unconfined_t --default home_cert_t
type_transition unconfined_t config_home_t:dir home_cert_t "certificates";
type_transition unconfined_t data_home_t:dir home_cert_t "certificates";
type_transition unconfined_t user_home_dir_t:dir home_cert_t ".cert";
type_transition unconfined_t user_home_dir_t:dir home_cert_t ".pki";
type_transition unconfined_t user_home_dir_t:dir home_cert_t "certificates";

> 3. Wouldn't it be advisable that files such as "rc" files, which a
> user may create in their home directory and are well-known
> standard programs, have "FILE transition rules" already in
> existence?

Contexts for many well-known dotfiles do have them. But fetchmail_home_t doesn't, at least in recent Fedora SELinux policy:

$ sesearch --type_trans --default fetchmail_home_t; echo END
END

Perhaps file an upstream enhancement request with your distro to add the missing file transition rules for fetchmail?
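To make the labelling logic in the thread concrete, here is an added example (not code from the thread or from Fedora's policy) that parses `sesearch --type_trans` output and predicts the type a new file or directory receives, applying the kernel's lookup order: a name-based transition for the exact filename wins, otherwise a plain type_transition applies, otherwise the object inherits the parent directory's type. The sample rules are constructed, modelled on the ones quoted above; the ".config" and `user_home_dir_t:file` lines are assumed extras, not taken from the thread.

```python
import re

# Constructed sample of `sesearch --type_trans` output, modelled on the rules
# quoted in the thread. The ".config" and the :file line are assumed extras.
SESEARCH_OUTPUT = """\
type_transition unconfined_t data_home_t:dir home_cert_t "certificates";
type_transition unconfined_t user_home_dir_t:dir home_cert_t ".cert";
type_transition unconfined_t user_home_dir_t:dir home_cert_t ".pki";
type_transition unconfined_t user_home_dir_t:dir config_home_t ".config";
type_transition unconfined_t user_home_dir_t:file user_home_t;
"""

# One sesearch rule line; the quoted name is present only for name-based rules.
RULE_RE = re.compile(
    r'^type_transition\s+(?P<src>\S+)\s+(?P<tgt>[^\s:]+):(?P<cls>\S+)\s+'
    r'(?P<default>[^\s";]+)(?:\s+"(?P<name>[^"]*)")?;\s*$'
)


def parse_rules(text):
    """Index rules as {(source, parent_type, class): {"named": {...}, "default": t}}."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # blank line or something that is not a type_transition rule
        entry = rules.setdefault((m["src"], m["tgt"], m["cls"]),
                                 {"named": {}, "default": None})
        if m["name"] is not None:
            entry["named"][m["name"]] = m["default"]
        else:
            entry["default"] = m["default"]
    return rules


def predict_type(rules, source, parent_type, obj_class, name):
    """Type of a new object: exact-name rule > plain rule > inherit parent type."""
    entry = rules.get((source, parent_type, obj_class))
    if entry is None:
        return parent_type
    if name in entry["named"]:
        return entry["named"][name]
    if entry["default"] is not None:
        return entry["default"]
    return parent_type


if __name__ == "__main__":
    rules = parse_rules(SESEARCH_OUTPUT)
    # The thread's mkdir: "certificates" under data_home_t becomes home_cert_t.
    print(predict_type(rules, "unconfined_t", "data_home_t", "dir", "certificates"))
    # No rule names .fetchmailrc, so it gets the generic file type, not fetchmail_home_t.
    print(predict_type(rules, "unconfined_t", "user_home_dir_t", "file", ".fetchmailrc"))
```

Run it against real output (`sesearch --type_trans --source unconfined_t`) to check, before creating a file, whether the name you plan to use will land on the type you expect or silently inherit the parent's.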
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx