problem setting the security context of directories vs files

All of lore.kernel.org
 help / color / mirror / Atom feed

* problem setting the security context of directories vs files
@ 2007-06-19 16:34 Clarkson, Mike R (US SSA)
  2007-06-19 17:06 ` James Carter
  0 siblings, 1 reply; 5+ messages in thread
From: Clarkson, Mike R (US SSA) @ 2007-06-19 16:34 UTC (permalink / raw)
  To: selinux

I'm having trouble setting the security context of directories using
file contexts. It seems to be working fine for files, but not
directories.

I have a module named import. Here is a copy of my import.fc file:

/m2ds/import	--	gen_context(system_u:object_r:import_dir_t,s0)
/m2ds/import/datasources	--
gen_context(system_u:object_r:import_dir_t,s0)
/m2ds/import/stage	--
gen_context(system_u:object_r:import_stage_t,s0)
/m2ds/import/junk	--
gen_context(system_u:object_r:import_dir_t,s0)
/home/m2/SimulatedImport/bin/SimulatedImport	--
gen_context(system_u:object_r:import_exec_t,s0)
/home/m2/SimulatedImport/bin/SimulatedImport_Server	--
gen_context(system_u:object_r:import_exec_t,s0)

"/m2ds/import" is a directory.
"/m2ds/import/datasources" is a directory.
"/m2ds/import/junk" is a file.

In the /m2ds directory, I do the following sequence of commands: 

> restorecon -R import
> ls -dZ import
drwxr-xr-x  root root system_u:object_r:default_t:SystemLow import
> cd import
> ls -Z
drwxr-xr-x  root root system_u:object_r:default_t:SystemLow datasources
-rw-r--r--  root root system_u:object_r:import_dir_t:SystemLow junk
drwxr-x---  root root system_u:object_r:default_t:SystemLow stage

As can be seen from the output above, the "/m2ds/import/junk" file has a
type of import_dir_t as specified in the file context file. But the
"/m2ds/import", "/m2ds/import/datasources", and "/m2ds/import/stage"
directories all have the default_t type, instead of the types specified
in the file context file.

Am I doing something wrong?

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: problem setting the security context of directories vs files
  2007-06-19 16:34 problem setting the security context of directories vs files Clarkson, Mike R (US SSA)
@ 2007-06-19 17:06 ` James Carter
  2007-06-19 17:21   ` Daniel J Walsh
  0 siblings, 1 reply; 5+ messages in thread
From: James Carter @ 2007-06-19 17:06 UTC (permalink / raw)
  To: Clarkson, Mike R (US SSA); +Cc: selinux

On Tue, 2007-06-19 at 09:34 -0700, Clarkson, Mike R (US SSA) wrote:
> I'm having trouble setting the security context of directories using
> file contexts. It seems to be working fine for files, but not
> directories.
> 
> I have a module named import. Here is a copy of my import.fc file:
> 
> /m2ds/import	--	gen_context(system_u:object_r:import_dir_t,s0)
> /m2ds/import/datasources	--
> gen_context(system_u:object_r:import_dir_t,s0)
> /m2ds/import/stage	--
> gen_context(system_u:object_r:import_stage_t,s0)
> /m2ds/import/junk	--
> gen_context(system_u:object_r:import_dir_t,s0)
> /home/m2/SimulatedImport/bin/SimulatedImport	--
> gen_context(system_u:object_r:import_exec_t,s0)
> /home/m2/SimulatedImport/bin/SimulatedImport_Server	--
> gen_context(system_u:object_r:import_exec_t,s0)
> 
> 
Use "-d" for directories, instead of "--".

The obscure options available to use are:
-b	block
-c	character
-d 	directory
-p	pipe
-l	link
-s	socket
--	regular


-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: problem setting the security context of directories vs files
  2007-06-19 17:06 ` James Carter
@ 2007-06-19 17:21   ` Daniel J Walsh
  2007-06-19 19:17     ` Clarkson, Mike R (US SSA)
  0 siblings, 1 reply; 5+ messages in thread
From: Daniel J Walsh @ 2007-06-19 17:21 UTC (permalink / raw)
  To: jwcart2; +Cc: Clarkson, Mike R (US SSA), selinux

James Carter wrote:
> On Tue, 2007-06-19 at 09:34 -0700, Clarkson, Mike R (US SSA) wrote:
>   
>> I'm having trouble setting the security context of directories using
>> file contexts. It seems to be working fine for files, but not
>> directories.
>>
>> I have a module named import. Here is a copy of my import.fc file:
>>
>> /m2ds/import	--	gen_context(system_u:object_r:import_dir_t,s0)
>> /m2ds/import/datasources	--
>> gen_context(system_u:object_r:import_dir_t,s0)
>> /m2ds/import/stage	--
>> gen_context(system_u:object_r:import_stage_t,s0)
>> /m2ds/import/junk	--
>> gen_context(system_u:object_r:import_dir_t,s0)
>> /home/m2/SimulatedImport/bin/SimulatedImport	--
>> gen_context(system_u:object_r:import_exec_t,s0)
>> /home/m2/SimulatedImport/bin/SimulatedImport_Server	--
>> gen_context(system_u:object_r:import_exec_t,s0)
>>
>>
>>     
> Use "-d" for directories, instead of "--".
>
> The obscure options available to use are:
> -b	block
> -c	character
> -d 	directory
> -p	pipe
> -l	link
> -s	socket
> --	regular
>
>
>   
"  " matches all.
"-" followed by the first character output by 'ls -l'.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* RE: problem setting the security context of directories vs files
  2007-06-19 17:21   ` Daniel J Walsh
@ 2007-06-19 19:17     ` Clarkson, Mike R (US SSA)
  2007-06-19 19:43       ` Daniel J Walsh
  0 siblings, 1 reply; 5+ messages in thread
From: Clarkson, Mike R (US SSA) @ 2007-06-19 19:17 UTC (permalink / raw)
  To: Daniel J Walsh, jwcart2; +Cc: selinux

Is there a way to apply a context recursively to all subdirectories
below a directory?

For instance, I'd like to label all subdirectories below
"/m2ds/import/stage" as system_u:object_r:import_dir_t:s0, without
explicitly having to list each one (because I'm lazy)

> -----Original Message-----
> From: Daniel J Walsh [mailto:dwalsh@redhat.com]
> Sent: Tuesday, June 19, 2007 10:22 AM
> To: jwcart2@epoch.ncsc.mil
> Cc: Clarkson, Mike R (US SSA); selinux@tycho.nsa.gov
> Subject: Re: problem setting the security context of directories vs
files
> 
> James Carter wrote:
> > On Tue, 2007-06-19 at 09:34 -0700, Clarkson, Mike R (US SSA) wrote:
> >
> >> I'm having trouble setting the security context of directories
using
> >> file contexts. It seems to be working fine for files, but not
> >> directories.
> >>
> >> I have a module named import. Here is a copy of my import.fc file:
> >>
> >> /m2ds/import	--
gen_context(system_u:object_r:import_dir_t,s0)
> >> /m2ds/import/datasources	--
> >> gen_context(system_u:object_r:import_dir_t,s0)
> >> /m2ds/import/stage	--
> >> gen_context(system_u:object_r:import_stage_t,s0)
> >> /m2ds/import/junk	--
> >> gen_context(system_u:object_r:import_dir_t,s0)
> >> /home/m2/SimulatedImport/bin/SimulatedImport	--
> >> gen_context(system_u:object_r:import_exec_t,s0)
> >> /home/m2/SimulatedImport/bin/SimulatedImport_Server	--
> >> gen_context(system_u:object_r:import_exec_t,s0)
> >>
> >>
> >>
> > Use "-d" for directories, instead of "--".
> >
> > The obscure options available to use are:
> > -b	block
> > -c	character
> > -d 	directory
> > -p	pipe
> > -l	link
> > -s	socket
> > --	regular
> >
> >
> >
> "  " matches all.
> "-" followed by the first character output by 'ls -l'.



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: problem setting the security context of directories vs files
  2007-06-19 19:17     ` Clarkson, Mike R (US SSA)
@ 2007-06-19 19:43       ` Daniel J Walsh
  0 siblings, 0 replies; 5+ messages in thread
From: Daniel J Walsh @ 2007-06-19 19:43 UTC (permalink / raw)
  To: Clarkson, Mike R (US SSA); +Cc: jwcart2, selinux

Clarkson, Mike R (US SSA) wrote:
> Is there a way to apply a context recursively to all subdirectories
> below a directory?
>
> For instance, I'd like to label all subdirectories below
> "/m2ds/import/stage" as system_u:object_r:import_dir_t:s0, without
> explicitly having to list each one (because I'm lazy)
>
>   
/m2ds/import/stage(/.*)?   gen_context(system_u:object_r:import_dir_t:s0)

Will get everything

/m2ds/import/stage(/.*)?  -d  gen_context(system_u:object_r:import_dir_t:s0)

Will get only directories.



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2007-06-19 19:43 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2007-06-19 16:34 problem setting the security context of directories vs files Clarkson, Mike R (US SSA)
2007-06-19 17:06 ` James Carter
2007-06-19 17:21   ` Daniel J Walsh
2007-06-19 19:17     ` Clarkson, Mike R (US SSA)
2007-06-19 19:43       ` Daniel J Walsh

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.