* Re: new file contexts
From: Timothy Wood @ 2002-08-23 14:47 UTC
To: Stephen Smalley; +Cc: SELinux

On Fri, 23.08.2002, at 10:14, Stephen Smalley wrote:
>
> On 23 Aug 2002, Timothy Wood wrote:
>
> > So then I am required to have a corresponding .te for my new .fc file
> > correct?
>
> Yes, and this is typically what you want - there should be no reason to
> have a program .fc file if there is no corresponding program .te file
> (Where else would the program's domain and types be defined in the
> policy?). If for some reason you do not have any corresponding program
> .te file (this would be odd, and I'd be interested in the explanation),
> you could directly edit file_contexts/type.fc to add your entries or you
> could add your new .fc file to the FCFILES= definition in the
> policy/Makefile.
>
> --
> Stephen D. Smalley, NAI Labs
> ssmalley@nai.com

I have a Window Manager that installs itself in /usr/apps (ROX
http://rox.sourceforge.net ). I need to label all of the AppRun files in
the subdirectories, as well as a few other files, in the
system_u:object_r:bin_t context. I don't really need to change anything
else for it to work because I relabeled them and everything runs ok.

What I did was when remaking the policy didn't seem to pick up the new .fc
I appended it to an existing .fc to see if it would read the changes from
there. The relabeling worked after that, obviously, but I couldn't figure
out why it didn't pick up my new .fc file. Though now I know it needs a
.te file to look for a .fc file.

At any rate, the changes I made just relabel the ROX executable files as
if they were installed in the /usr/bin directory, so they really don't
need their own domain (gnome doesn't so I don't see why ROX would). So
should I just append these changes to the types.fc since that is where the
generic /usr/bin type is located or would it be better to leave them in
the already separate rox.fc and change the Makefile?

here are my changes:

# ROX
/usr/apps/ROX-Filer/Linux-ix86/ROX-Filer system_u:object_r:bin_t
/usr/apps/ROX-Session/Linux-ix86/ROX-Session system_u:object_r:bin_t
/usr/apps/(.*)/AppRun system_u:object_r:bin_t

Timothy,

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

* Re: new file contexts
From: Stephen Smalley @ 2002-08-23 14:52 UTC
To: Timothy Wood; +Cc: SELinux

On 23 Aug 2002, Timothy Wood wrote:

> (gnome doesn't so I don't see why ROX would). So should I just append
> these changes to the types.fc since that is where the generic /usr/bin
> type is located or would it be better to leave them in the already
> separate rox.fc and change the Makefile?
>
> here are my changes:
>
> # ROX
> /usr/apps/ROX-Filer/Linux-ix86/ROX-Filer system_u:object_r:bin_t
> /usr/apps/ROX-Session/Linux-ix86/ROX-Session system_u:object_r:bin_t
> /usr/apps/(.*)/AppRun system_u:object_r:bin_t

To date, we've only created a program .fc file when there is a
corresponding program domain and have used types.fc to assign general
types (like bin_t) to other files. Hence, I think I would just append
these entries to types.fc.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com

* Re: new file contexts
From: Russell Coker @ 2002-08-23 16:10 UTC
To: Timothy Wood; +Cc: SELinux

On Fri, 23 Aug 2002 16:52, Stephen Smalley wrote:
> On 23 Aug 2002, Timothy Wood wrote:
> > (gnome doesn't so I don't see why ROX would). So should I just append
> > these changes to the types.fc since that is where the generic /usr/bin
> > type is located or would it be better to leave them in the already
> > separate rox.fc and change the Makefile?
> >
> > here are my changes:
> >
> > # ROX
> > /usr/apps/ROX-Filer/Linux-ix86/ROX-Filer system_u:object_r:bin_t
> > /usr/apps/ROX-Session/Linux-ix86/ROX-Session system_u:object_r:bin_t
> > /usr/apps/(.*)/AppRun system_u:object_r:bin_t
>
> To date, we've only created a program .fc file when there is a
> corresponding program domain and have used types.fc to assign general
> types (like bin_t) to other files. Hence, I think I would just append
> these entries to types.fc.

OTOH the Rox people could just make their package conform to the FHS...

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.

* Re: new file contexts
From: Timothy Wood @ 2002-08-23 17:03 UTC
To: Russell Coker; +Cc: SELinux

>
> OTOH the Rox people could just make their package conform to the FHS...
>

True, but until it does...

Timothy,

* new file contexts
From: Timothy Wood @ 2002-08-23 13:46 UTC
To: SELinux

When you make a new file in the policy/file_contexts/program directory
do you have to specify the new file somewhere so that it gets compiled
into the policy or should it just pick up the new file automatically?

Timothy,

* Re: new file contexts
From: Stephen Smalley @ 2002-08-23 13:50 UTC
To: Timothy Wood; +Cc: SELinux

On 23 Aug 2002, Timothy Wood wrote:

> When you make a new file in the policy/file_contexts/program directory
> do you have to specify the new file somewhere so that it gets compiled
> into the policy or should it just pick up the new file automatically?

The policy/Makefile automatically includes a program .fc file into the
file contexts configuration for each program .te file that exists under
domains/program. This approach is designed to permit users to remove
program .te files for programs that they do not run and have the
corresponding .fc files automatically ignored. However, you may encounter
problems in selectively removing program .te files, since there may be
other .te files that have dependencies on them. We are trying to wrap all
such inter-domain dependencies with m4 ifdefs, but that is not yet
complete.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com

* Re: new file contexts
From: Russell Coker @ 2002-08-23 14:17 UTC
To: Timothy Wood, SELinux

On Fri, 23 Aug 2002 15:46, Timothy Wood wrote:
> When you make a new file in the policy/file_contexts/program directory
> do you have to specify the new file somewhere so that it gets compiled
> into the policy or should it just pick up the new file automatically?

Following from Stephen's response, the main problems at the moment
regarding dependencies are xdm.te depending on xserver.te, sendmail.te
conflicting with other mail servers (in my policy at least - Steve may
have fixed that for the NSA policy), and httpadm.te depending on
apache.te. If you encounter any other instances of dependencies between
.te files then please consider it a bug and report it here.

Also the file contexts data is not compiled into the policy, the
file_contexts/file_contexts file is created out of all appropriate *.fc
files and is then used by the setfiles program. I'm not sure whether you
misunderstood this or whether your email was just unclear, so I want to
make sure there's no misunderstanding (and also to make it clear for the
lurkers).

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.

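The selection rule described in the replies above (a program .fc file is used only when a matching program .te exists under domains/program, and the result is assembled into file_contexts/file_contexts for setfiles) can be checked with a short script. This is an added example, not part of the thread and not the policy Makefile; the function names, the concatenation order and the sample tree (including the apache entries) are assumptions constructed for illustration.

```shell
# Added example, not the policy/Makefile itself. Directory names follow the
# thread; function names and the sample tree are constructed for illustration.

# Program .fc files that have a matching .te under domains/program.
included_fc() {
    for te in "$1"/domains/program/*.te; do
        [ -e "$te" ] || continue
        fc="$1/file_contexts/program/$(basename "$te" .te).fc"
        if [ -f "$fc" ]; then echo "$fc"; fi
    done
    return 0
}

# Program .fc files with no matching .te: these are silently left out.
orphan_fc() {
    for fc in "$1"/file_contexts/program/*.fc; do
        [ -e "$fc" ] || continue
        te="$1/domains/program/$(basename "$fc" .fc).te"
        if [ ! -f "$te" ]; then echo "$fc"; fi
    done
    return 0
}

# Assemble the specification file that setfiles reads: types.fc plus the
# included program .fc files (the ordering here is an assumption).
build_file_contexts() {
    {
        cat "$1/file_contexts/types.fc"
        included_fc "$1" | while IFS= read -r fc; do cat "$fc"; done
    } > "$1/file_contexts/file_contexts"
}

# Constructed sample tree: apache has a .te and a .fc, rox has only a .fc.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/domains/program" "$d/file_contexts/program"
    echo '/usr/bin(/.*)? system_u:object_r:bin_t' > "$d/file_contexts/types.fc"
    : > "$d/domains/program/apache.te"
    echo '/usr/sbin/httpd system_u:object_r:httpd_exec_t' > "$d/file_contexts/program/apache.fc"
    echo '/usr/apps/(.*)/AppRun system_u:object_r:bin_t' > "$d/file_contexts/program/rox.fc"
    echo "$d"
}

tree=$(make_sample_tree)
build_file_contexts "$tree"
echo "ignored: $(orphan_fc "$tree")"
rm -rf "$tree"
```

Running `orphan_fc` against a real policy directory before relabeling lists every program .fc whose entries will not reach setfiles.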