new file contexts

new file contexts

[Timothy Wood]

When you make a new file in the policy/file_contexts/program directory
do you have to specify the new file somewhere so that it gets compiled
into the policy or should it just pickup the new file automatically? 

Timothy,



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: new file contexts

[Stephen Smalley]

On 23 Aug 2002, Timothy Wood wrote:

> When you make a new file in the policy/file_contexts/program directory
> do you have to specify the new file somewhere so that it gets compiled
> into the policy or should it just pickup the new file automatically?

The policy/Makefile automatically includes up a program .fc file into the
file contexts configuration for each program .te file that exists under
domains/program.  This approach is designed to permit users to remove
program .te files for programs that they do not run and have the
corresponding .fc files automatically ignored.  However, you may encounter
problems in selectively removing program .te files, since there may be
other .te files that have dependencies on them.  We are trying to wrap all
such inter-domain dependencies with m4 ifdefs, but that is not yet
complete.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com




--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: new file contexts

[Russell Coker]

On Fri, 23 Aug 2002 15:46, Timothy Wood wrote:
> When you make a new file in the policy/file_contexts/program directory
> do you have to specify the new file somewhere so that it gets compiled
> into the policy or should it just pickup the new file automatically?

Following from Stephen's response, the main problems at the moment regarding 
dependencies are xdm.te depending on xserver.te, sendmail.te conflicting with 
other mail servers (in my policy at least - Steve may have fixed that for the 
NSA policy), and httpadm.te depending on apache.te.  If you encounter any 
other instances of dependencies between .te files then please consider it a 
bug and report it here.

Also the file contexts data is not compiled into the policy, the 
file_contexts/file_contexts file is created out of all appropriate *.fc files 
and is then used by the setfiles program.  I'm not sure whether you 
misunderstood this or whether your email was just unclear, so I want to make 
sure there's no misunderstanding (and also to make it clear for the lurkers).

-- 
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
>From field.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: new file contexts

[Timothy Wood]

В Птн, 23.08.2002, в 10:14, Stephen Smalley написал:
> 
> On 23 Aug 2002, Timothy Wood wrote:
> 
> > So then I am required to have a corresponding .te for my new .fc file
> > correct?
> 
> Yes, and this is typically what you want - there should be no reason to
> have a program .fc file if there is no corresponding program .te file
> (Where else would the program's domain and types be defined in the
> policy?).  If for some reason you do not have any corresponding program
> .te file (this would be odd, and I'd be interested in the explanation),
> you could directly edit file_contexts/type.fc to add your entries or you
> could add your new .fc file to the FCFILES= definition in the
> policy/Makefile.
> 
> --
> Stephen D. Smalley, NAI Labs
> ssmalley@nai.com

I have a Window Manager that installs itself in /usr/apps (ROX
http://rox.sourceforge.net ).  I need to label all of the AppRun files
in the subdirectories, as well as a few other files, in the
system_u:object_r:bin_t context.  I don't really need to change anything
else for it to work because I relabeled them and everything runs ok.
What I did was when remaking the policy didn't seem to pickup the new
.fc I appended it to an existing .fc to see if it would read the changes
from there.  The relabeling worked after that, obviously, but I couldn't
figure out why it didn't pickup my new .fc file.  Though now I know it
needs a .te file to look for a .fc file.  At any rate, the changes I
made just relabel the ROX executable files as if they were installed in
the /usr/bin directory, so they really don't need their own domain
(gnome doesn't so I don't see why ROX would).  So should I just append
these changes to the types.fc since that is where the generic /usr/bin
type is located or would it be better to leave them in the already
seperate rox.fc and change the Makefile?

here are my changes:

# ROX
/usr/apps/ROX-Filer/Linux-ix86/ROX-Filer		system_u:object_r:bin_t
/usr/apps/ROX-Session/Linux-ix86/ROX-Session		system_u:object_r:bin_t
/usr/apps/(.*)/AppRun		system_u:object_r:bin_t

Timothy,



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: new file contexts

[Stephen Smalley]

On 23 Aug 2002, Timothy Wood wrote:

> (gnome doesn't so I don't see why ROX would).  So should I just append
> these changes to the types.fc since that is where the generic /usr/bin
> type is located or would it be better to leave them in the already
> seperate rox.fc and change the Makefile?
>
> here are my changes:
>
> # ROX
> /usr/apps/ROX-Filer/Linux-ix86/ROX-Filer		system_u:object_r:bin_t
> /usr/apps/ROX-Session/Linux-ix86/ROX-Session		system_u:object_r:bin_t
> /usr/apps/(.*)/AppRun		system_u:object_r:bin_t

To date, we've only created a program .fc file when there is a
corresponding program domain and have used types.fc to assign general
types (like bin_t) to other files.  Hence, I think I would just append
these entries to types.fc.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com




--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: new file contexts

[Russell Coker]

On Fri, 23 Aug 2002 16:52, Stephen Smalley wrote:
> On 23 Aug 2002, Timothy Wood wrote:
> > (gnome doesn't so I don't see why ROX would).  So should I just append
> > these changes to the types.fc since that is where the generic /usr/bin
> > type is located or would it be better to leave them in the already
> > seperate rox.fc and change the Makefile?
> >
> > here are my changes:
> >
> > # ROX
> > /usr/apps/ROX-Filer/Linux-ix86/ROX-Filer		system_u:object_r:bin_t
> > /usr/apps/ROX-Session/Linux-ix86/ROX-Session		system_u:object_r:bin_t
> > /usr/apps/(.*)/AppRun		system_u:object_r:bin_t
>
> To date, we've only created a program .fc file when there is a
> corresponding program domain and have used types.fc to assign general
> types (like bin_t) to other files.  Hence, I think I would just append
> these entries to types.fc.

OTOH the Rox people could just make their package conform to the FHS...

-- 
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
>From field.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: new file contexts

[Timothy Wood]

> 
> OTOH the Rox people could just make their package conform to the FHS...
> 

True, but until it does...

Timothy,




--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.