setfiles and /home labeling

setfiles and /home labeling

[Michael Reilly]

I know I am missing something.  These are all of the lines from
file_contexts which reference the /home directories.  Notice the two lines
which reference /home/michaelr.  After running make relabel /home/michaelr
is labeled system_u:object_r:user_home_dir_t instead of
system_u:object_r:staff_home_dir_t and all of the files in /home/michaelr
and below (except the files special cased like .ssh, etc.) are labeled
system_u:object_r:user_home_t.

Why are the two lines for /home/michaelr being ignored?  What am I doing
wrong?

Thanks,

michael
# Ordinary user home directories.
/home				system_u:object_r:home_root_t
/home/[^/]+	-d		system_u:object_r:user_home_dir_t
/home/[^/]+/.+			system_u:object_r:user_home_t
# Other staff home directories, replace "jadmin" with appropriate name
/home/michaelr/(/.*)?		system_u:object_r:staff_home_t
/home/michaelr			system_u:object_r:staff_home_dir_t
/home/\.\.\.security(/.*)?	system_u:object_r:file_labels_t
/home/lost\+found(/.*)?		system_u:object_r:lost_found_t
/home/[^/]+/\.gnupg(/.+)?	system_u:object_r:user_gpg_secret_t
/home/[^/]+/\.netscape(/.*)?	system_u:object_r:user_netscape_rw_t
/home/[^/]+/\.mozilla(/.*)?	system_u:object_r:user_netscape_rw_t
/root/\.ssh(/.*)?		system_u:object_r:staff_home_ssh_t
/home/[^/]+/\.ssh(/.*)?		system_u:object_r:user_home_ssh_t
/home/michaelr/\.ssh(/.*)?	system_u:object_r:staff_home_ssh_t
/home/[^/]+/\.vmware(/.*)?	system_u:object_r:vmware_user_file_t
/home/[^/]+/\vmware(/.*)?       system_u:object_r:vmware_user_file_t
/home/[^/]+/\vmware[^/]*/.*\.cfg    system_u:object_r:vmware_user_conf_t
/home/[^/]+/\.Xauthority.*	system_u:object_r:user_home_xauth_t


-- 
---- ---- ----
Michael Reilly    michaelr@cisco.com
    Cisco Systems, Santa Cruz, CA

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: setfiles and /home labeling

[Russell Coker]

On Thu, 16 Oct 2003 09:01, Michael Reilly wrote:
> /home/michaelr/(/.*)?           system_u:object_r:staff_home_t
> /home/michaelr                  system_u:object_r:staff_home_dir_t

Change the above two lines to the below:

/home/michaelr/.+                 michaelr:object_r:staff_home_t
/home/michaelr           -d       michaelr:object_r:staff_home_dir_t

It should work then.  Let me know what happens.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: setfiles and /home labeling

[Michael Reilly]

Thank you - I'll try that now.

BTW - this documented anywhere?  It appears to be a form of REGEXP but is
slightly different than I am used to.

michael
On Thu, 16 Oct 2003 11:30:21 +1000
Russell Coker <russell@coker.com.au> wrote:

> On Thu, 16 Oct 2003 09:01, Michael Reilly wrote:
> > /home/michaelr/(/.*)?           system_u:object_r:staff_home_t
> > /home/michaelr                  system_u:object_r:staff_home_dir_t
> 
> Change the above two lines to the below:
> 
> /home/michaelr/.+                 michaelr:object_r:staff_home_t
> /home/michaelr           -d       michaelr:object_r:staff_home_dir_t
> 
> It should work then.  Let me know what happens.
> 
> -- 
> http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
> http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
> http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
> http://www.coker.com.au/~russell/  My home page


-- 
---- ---- ----
Michael Reilly    michaelr@cisco.com
    Cisco Systems, Santa Cruz, CA


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: setfiles and /home labeling

[Diyab]

Michael Reilly wrote:
> I know I am missing something.  These are all of the lines from
> file_contexts which reference the /home directories.  Notice the two lines
> which reference /home/michaelr.  After running make relabel /home/michaelr
> is labeled system_u:object_r:user_home_dir_t instead of
> system_u:object_r:staff_home_dir_t and all of the files in /home/michaelr
> and below (except the files special cased like .ssh, etc.) are labeled
> system_u:object_r:user_home_t.
> 
> Why are the two lines for /home/michaelr being ignored?  What am I doing
> wrong?
> 
> Thanks,
> 
> michael
> # Ordinary user home directories.
> /home				system_u:object_r:home_root_t
> /home/[^/]+	-d		system_u:object_r:user_home_dir_t
> /home/[^/]+/.+			system_u:object_r:user_home_t
> # Other staff home directories, replace "jadmin" with appropriate name
> /home/michaelr/(/.*)?		system_u:object_r:staff_home_t
> /home/michaelr			system_u:object_r:staff_home_dir_t

You have an extra / in the staff_home_t declaration.  Change it to read 
like this:

/home/michaelr(/.*)?		system_u:object_r:staff_home_t

Timothy,

-- 
I put instant coffee in a microwave and almost went back in time.
		-- Steven Wright


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: setfiles and /home labeling

[Michael Reilly]

Thank you.  I do not have the original 1.2 policy file here so I do not know if I added the extra / or if it was already there when I changed the name from jadmin to michaelr.

michael
On Wed, 15 Oct 2003 22:12:51 -0400
Diyab <diyab@diyab.net> wrote:

> Michael Reilly wrote:
> > I know I am missing something.  These are all of the lines from
> > file_contexts which reference the /home directories.  Notice the two lines
> > which reference /home/michaelr.  After running make relabel /home/michaelr
> > is labeled system_u:object_r:user_home_dir_t instead of
> > system_u:object_r:staff_home_dir_t and all of the files in /home/michaelr
> > and below (except the files special cased like .ssh, etc.) are labeled
> > system_u:object_r:user_home_t.
> > 
> > Why are the two lines for /home/michaelr being ignored?  What am I doing
> > wrong?
> > 
> > Thanks,
> > 
> > michael
> > # Ordinary user home directories.
> > /home				system_u:object_r:home_root_t
> > /home/[^/]+	-d		system_u:object_r:user_home_dir_t
> > /home/[^/]+/.+			system_u:object_r:user_home_t
> > # Other staff home directories, replace "jadmin" with appropriate name
> > /home/michaelr/(/.*)?		system_u:object_r:staff_home_t
> > /home/michaelr			system_u:object_r:staff_home_dir_t
> 
> You have an extra / in the staff_home_t declaration.  Change it to read 
> like this:
> 
> /home/michaelr(/.*)?		system_u:object_r:staff_home_t
> 
> Timothy,
> 
> -- 
> I put instant coffee in a microwave and almost went back in time.
> 		-- Steven Wright


-- 
---- ---- ----
Michael Reilly    michaelr@cisco.com
    Cisco Systems, Santa Cruz, CA

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: setfiles and /home labeling

[Stephen Smalley]

On Wed, 2003-10-15 at 19:01, Michael Reilly wrote:
> # Other staff home directories, replace "jadmin" with appropriate name
> /home/michaelr/(/.*)?		system_u:object_r:staff_home_t

This is a bug in the upstream policy entry for jadmin; extra / in the
above path prevents proper matching.  

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.