On 7/13/19 7:16 AM, James Ralston wrote:
> On Fri, Jul 12, 2019 at 4:42 PM Ed Greshko <ed.greshko@xxxxxxxxxxx> wrote:
>
>> So, kindly indulge me, I have a few of follow up questions. Aside
>> from my needing to look for information on what a "FILE transition
>> rule" is....
>>
>> Looking at this sequence:
>>
>> [maria@meimei .local]$ ls -Zd share
>> unconfined_u:object_r:data_home_t:s0 share
>> [maria@meimei .local]$ cd share
>> [maria@meimei share]$ ls -Z certificates
>> ls: cannot access 'certificates': No such file or directory
>> [maria@meimei share]$ mkdir certificates
>> [maria@meimei share]$ ls -Zd certificates/
>> unconfined_u:object_r:home_cert_t:s0 certificates/
>>
>> 1. Tells me a "FILE transition rule" exists, yes?
> Yes, because the file you created did not inherit the data_home_t
> label from the parent directory.
>
> (Some special applications that have specific SELinux knowledge can
> request that a file be created with a specific context, but "mkdir"
> does not do this.)
>
>> 2. How to list existing "FILE transition rules"?
> $ sesearch --type_trans --source unconfined_t --default home_cert_t
> type_transition unconfined_t config_home_t:dir home_cert_t "certificates";
> type_transition unconfined_t data_home_t:dir home_cert_t "certificates";
> type_transition unconfined_t user_home_dir_t:dir home_cert_t ".cert";
> type_transition unconfined_t user_home_dir_t:dir home_cert_t ".pki";
> type_transition unconfined_t user_home_dir_t:dir home_cert_t "certificates";
>
>> 3. Wouldn't it be advisable the files such as "rc" files which a
>> user may create in their home directory and are well known
>> standard programs have "FILE transition rules" already in
>> existence?
> Contexts for many well-known dotfiles do have them. But
> fetchmail_home_t doesn't, at least in recent Fedora SELinux policy:
>
> $ sesearch --type_trans --default fetchmail_home_t; echo END
> END
>
> Perhaps file an upstream enhancement request with your distro to add
> the missing file transition rules for fetchmail?

Thanks Much! Exactly what I needed to know.

--
Right: I dislike the default color scheme
Wrong: What idiot picked the default color scheme
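The lookup discussed in this thread, as an added example that is not part of the original messages: a shell function that reads `sesearch --type_trans` output and predicts the type a newly created object receives. It prefers a named transition rule, then an unnamed one, and otherwise inherits the parent directory's type. The function name `predict_type` and the `RULES` variable are hypothetical, and `RULES` holds a constructed sample copied from the sesearch output quoted above.

```shell
#!/bin/sh
# Constructed sample input: the sesearch output quoted in the thread.
RULES='type_transition unconfined_t config_home_t:dir home_cert_t "certificates";
type_transition unconfined_t data_home_t:dir home_cert_t "certificates";
type_transition unconfined_t user_home_dir_t:dir home_cert_t ".cert";
type_transition unconfined_t user_home_dir_t:dir home_cert_t ".pki";
type_transition unconfined_t user_home_dir_t:dir home_cert_t "certificates";'

# predict_type SOURCE_DOMAIN PARENT_TYPE CLASS NAME   (hypothetical helper)
# Prints the type a new object of CLASS called NAME gets when a process in
# SOURCE_DOMAIN creates it inside a directory labelled PARENT_TYPE.
# Assumes object names contain no whitespace.
predict_type() {
    printf '%s\n' "$RULES" | awk -v src="$1" -v parent="$2" -v cls="$3" -v name="$4" '
        $1 == "type_transition" && $2 == src && $3 == (parent ":" cls) {
            if (NF == 4) {              # unnamed rule: "... default_type;"
                unnamed = $4
                sub(/;$/, "", unnamed)
                next
            }
            rule_name = $5              # named rule: strip quotes and ";"
            gsub(/^"|";?$/, "", rule_name)
            if (rule_name == name) named = $4
        }
        END {
            if (named != "")        print named     # named transition wins
            else if (unnamed != "") print unnamed   # then an unnamed one
            else                    print parent    # else inherit the parent
        }
    '
}

# The mkdir from the thread, and a name that has no transition rule.
echo "certificates in data_home_t -> $(predict_type unconfined_t data_home_t dir certificates)"
echo "fetchmail in data_home_t    -> $(predict_type unconfined_t data_home_t dir fetchmail)"
```

On a live system, set `RULES` to the output of `sesearch --type_trans --source unconfined_t` to check a path before creating it.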