On Sat, Mar 13, 2021 at 7:24 PM SZIGETVÁRI János <jszigetvari@xxxxxxxxx> wrote:
Dear Members,

I am maintaining a SELinux policy module for an application (A) and one of its submodules (B). By now I have reached a point where all the rules seem to be in place, and both A and B processes transition to their respective process labels, and have their associated file types, the related permissions and file paths set up.

My problem is that even though a process of B is running with the B process label, it is supposed to create some files and directories of its own under a directory that has a label related to A. The B process has the necessary rights to create those directories and files underneath the directory with the label belonging to A. The problem is that the files created by the process B will not be created with the file label belonging to B, but seem to inherit the label from the parent directory, that has a label belonging to A. This happens in spite of having the file contexts and paths set up correctly in the module's fc rules.

So if I run restorecon on the files that were just created (by B, but have a label belonging to A), it will (re)set them to the file labels I intended them to have originally.

How can I overcome this problem? This behavior causes an ugly logical flaw in the logical design of my SELinux modules.
Hi,
If I understand correctly, you need to have files with different context coexist in one directory.
New filesystem objects inherit the context from their directory by default, but a different context can be set in the policy, too, using file transitions. You have 2 options, change the context depending on the creating process, or based on the filename.
Refer e. g. to
for more information or to existing examples in the policy and let me know if you have any further questions.
Thanks in advance for any help!
Best Regards,
János Szigetvári
--
Web: janos.szigetvari.com
__@__˚V˚
Make the switch to open (source) applications, protocols, formats now:
- windows -> Linux, iexplore -> Firefox, msoffice -> LibreOffice
- msn -> jabber protocol (Pidgin, Google Talk)
- mp3 -> ogg, wmv -> ogg, jpg -> png, doc/xls/ppt -> odt/ods/odp
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
--
Zdenek Pytela
Security SELinux team
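The two options Zdenek describes, written out as an added policy module (this is illustrative code, not from the thread or from either poster). The type names are assumptions: appA_t and appB_t stand for the A and B process domains, appA_var_lib_t for the A-labelled parent directory, and appB_var_lib_t for the type B's objects should receive.

```selinux
# Added example module; all type names below are assumed placeholders.
policy_module(appb_filetrans, 1.0)

require {
    type appA_t, appB_t;
    type appA_var_lib_t, appB_var_lib_t;
}

# B must be able to add entries to A's directory and to create
# objects of its own type (the file contexts in the .fc file only
# matter to restorecon/relabeling, not to the kernel at create time).
allow appB_t appA_var_lib_t:dir { search write add_name remove_name };
allow appB_t appB_var_lib_t:dir { create read write add_name remove_name search getattr setattr rmdir };
allow appB_t appB_var_lib_t:file { create read write append getattr setattr unlink rename };

# Option 1: transition based on the creating process.
# Every dir or file that appB_t creates directly inside an
# appA_var_lib_t directory is labelled appB_var_lib_t instead of
# inheriting appA_var_lib_t from the parent.
type_transition appB_t appA_var_lib_t:{ dir file } appB_var_lib_t;

# Option 2: transition based on the filename (name-based type
# transition; needs a kernel and policy version that support it).
# Only an object whose final path component is exactly "b-cache"
# gets the new type; everything else still inherits from the parent.
# The refpolicy macro filetrans_pattern() expands to the same kind
# of rule, e.g. filetrans_pattern(appB_t, appA_var_lib_t, appB_var_lib_t, dir, "b-cache")
type_transition appB_t appA_var_lib_t:dir appB_var_lib_t "b-cache";
```

Note that the transition only fires for objects created directly in an appA_var_lib_t directory; once B has created an appB_var_lib_t subdirectory, anything created inside it inherits appB_var_lib_t without further rules. After loading the module, confirm the result with `ls -Z` on a file freshly created by the B process rather than with restorecon, which would mask the problem.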