From: Daniel J Walsh <dwalsh@redhat.com>
To: Laurent Jacquot <jk@lutty.net>
Cc: fedora-selinux-list <fedora-selinux-list@redhat.com>,
	SE Linux <selinux@tycho.nsa.gov>
Subject: Re: files contexts override via policy module
Date: Tue, 20 Nov 2007 09:56:28 -0500
Message-ID: <4742F59C.1050405@redhat.com>
In-Reply-To: <1195568139.10117.4.camel@jack.lutty.net>

Laurent Jacquot wrote:
> On Tuesday, 20 November 2007 at 08:39 -0500, Daniel J Walsh wrote:
>>
>> Laurent Jacquot wrote:
>>> Hello,
>>> I am sure this is a FAQ or a feature, but I want to know how to work
>>> around:
>>>
>>> I have cxoffice installed in my F8 home dir and I want some lib labeled
>>> as textrel_shlib_t, but I cannot override the default user_home_t home
>>> label via a policy module. 
>>>
>>> NOTE1 it works if the directory is not under /home
>>> NOTE2 there is nothing in the logs if it fails
>>> NOTE3 It has been so since the introduction of modular policy in selinux
>>>
>>> Here is what I have tried so far in F8.
>>> [root@jack sel]#cat local.fc
>>> #cxoffice
>>> #/home/alex/.cxoffice/dotwine/drive_c(/.*)?/.*\.exe -- system_u:object_r:textrel_shlib_t:s0
>>>
>>> /home/alex/cxoffice/lib/wine/kernel32.dll.so -- system_u:object_r:textrel_shlib_t:s0
>>>
>>> [root@jack sel]#semodule_package -o local.pp -m local.mod -f local.fc
>>> [root@jack sel]#semodule -i local.pp
>>> [root@jack sel]#ls -Z /home/alex/cxoffice/lib/wine/kernel32.dll.so
>>> -rwxr-xr-x  alex alex system_u:object_r:user_home_t:s0 /home/alex/cxoffice/lib/wine/kernel32.dll.so
>>> [root@jack sel]#restorecon /home/alex/cxoffice/lib/wine/kernel32.dll.so
>>> [root@jack sel]#ls -Z /home/alex/cxoffice/lib/wine/kernel32.dll.so
>>> -rwxr-xr-x  alex alex system_u:object_r:user_home_t:s0 /home/alex/cxoffice/lib/wine/kernel32.dll.so
>>>
>>>
>>> (If I use the system-config-selinux UI, I can see the new entry in the
>>> context tab among all the regexps)
>>>
>>> Using semanage, it works:
>>> [root@jack sel]#semodule -r local
>>> [root@jack sel]#semanage fcontext -a -t textrel_shlib_t /home/alex/cxoffice/lib/wine/kernel32.dll.so
>>> [root@jack sel]#ls -Z /home/alex/cxoffice/lib/wine/kernel32.dll.so
>>> -rwxr-xr-x  alex alex system_u:object_r:user_home_t:s0 /home/alex/cxoffice/lib/wine/kernel32.dll.so
>>> [root@jack sel]#restorecon /home/alex/cxoffice/lib/wine/kernel32.dll.so
>>> [root@jack sel]#ls -Z /home/alex/cxoffice/lib/wine/kernel32.dll.so
>>> -rwxr-xr-x  alex alex system_u:object_r:textrel_shlib_t:s0 /home/alex/cxoffice/lib/wine/kernel32.dll.so
>>>
>>> and the custom rule appears in system-config-selinux UI at the end of
>>> the policy.
>>>
>>> So how do I have my module install my contexts the same way as semanage?
>>> Should I bugzilla it?
>>>
>>> BTW, how does system-config-selinux browse the file context policy? Is it
>>> possible to also see the rules and type definitions?
>>>
>>> TIA
>>>         jk
>>>
>>> --
>>> fedora-selinux-list mailing list
>>> fedora-selinux-list@redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>> This looks like a bug in libsemanage or in the file context labeling
>> algorithm.
>>
>> I believe matchpathcon is reading in file_contexts,
>> file_contexts.homedirs, file_contexts.local and taking the last entry.
>>
>>
>> So using semodule to add a pp file updates the file_contexts file, in
>> which case the homedirs is overriding.  semanage fcontext updates the
>> file_contexts.local.
>>
>>
>> If you tried
>>
>> HOME_DIR/\.cxoffice/dotwine/drive_c(/.*)?/.*\.exe --
>> system_u:object_r:textrel_shlib_t:s0
>>
>> It should update the file_contexts.homedirs file.
>>
>>
> I confirm this works. Thanks!
> Should I bugzilla it or is it the way it should be?
> 
> jk
> 
> 
You can bugzilla it, but it probably should be brought up for discussion
on the <selinux@tycho.nsa.gov> list.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
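As an added illustration (not code from this thread or from libselinux), a small Python model of the precedence Daniel describes: the three files are read as file_contexts, file_contexts.homedirs, file_contexts.local, and the last matching entry wins. It assumes a simplified genhomedircon expansion of HOME_DIR to /home/<user>, ignores the file-type flag and libselinux's own spec ordering, and uses constructed sample entries built from the paths in the thread.

```python
import re

# Constructed stand-ins for the three files matchpathcon reads, in the order
# Daniel describes: file_contexts, file_contexts.homedirs, file_contexts.local.
# Model (assumption, simplified from the thread): entries are concatenated in
# that order and the LAST matching entry supplies the label.
PATH = "/home/alex/cxoffice/lib/wine/kernel32.dll.so"
TEXTREL = "system_u:object_r:textrel_shlib_t:s0"
USER_HOME = "system_u:object_r:user_home_t:s0"

# Base policy keeps HOME_DIR rules in a template that genhomedircon expands per user.
HOMEDIR_TEMPLATE = "HOME_DIR/.+\t" + USER_HOME + "\n"


def expand_home_dir(template, users):
    """Expand HOME_DIR to /home/<user> for each user (simplified genhomedircon; assumption)."""
    return "".join(template.replace("HOME_DIR", "/home/" + u) for u in users)


def parse_fc(text):
    """Parse 'regex [filetype] context' lines; the file-type flag (e.g. --) is ignored here."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            fields = line.split()
            specs.append((re.compile(fields[0] + "$"), fields[-1]))  # specs are anchored
    return specs


def matchpathcon(path, file_contexts, homedirs, local):
    """Return the context of the last matching spec across the three files, or None."""
    result = None
    for regex, ctx in parse_fc(file_contexts) + parse_fc(homedirs) + parse_fc(local):
        if regex.match(path):
            result = ctx
    return result


def module_fc_plain_path():
    """local.fc with a literal /home/alex path lands in file_contexts and is overridden."""
    fc = "/home/alex/cxoffice/lib/wine/kernel32\\.dll\\.so -- " + TEXTREL + "\n"
    return matchpathcon(PATH, fc, expand_home_dir(HOMEDIR_TEMPLATE, ["alex"]), "")


def semanage_fcontext():
    """semanage fcontext -a writes to file_contexts.local, the last file read."""
    local = "/home/alex/cxoffice/lib/wine/kernel32.dll.so " + TEXTREL + "\n"
    return matchpathcon(PATH, "", expand_home_dir(HOMEDIR_TEMPLATE, ["alex"]), local)


def module_fc_home_dir():
    """A HOME_DIR/ rule in the module is expanded after the base template entries."""
    tmpl = HOMEDIR_TEMPLATE + "HOME_DIR/cxoffice/lib/wine/kernel32\\.dll\\.so -- " + TEXTREL + "\n"
    return matchpathcon(PATH, "", expand_home_dir(tmpl, ["alex"]), "")
```

Run the three functions to see the outcomes the thread reports: the plain-path module entry yields user_home_t, while both the semanage rule and the HOME_DIR/ module rule yield textrel_shlib_t.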
