* How does matchpathcon/setfiles work?
@ 2014-06-01 15:19 dE
2014-06-02 6:42 ` Sven Vermeulen
0 siblings, 1 reply; 5+ messages in thread
From: dE @ 2014-06-01 15:19 UTC (permalink / raw)
To: selinux
As we know, policies don't contain paths. So the working of
matchpathcon/setfiles must be based on common sense.
It looks like it knows certain special folders and its appropriate
security context, for e.g. home folder contents should have files with
user_home_t and suggests the correct SELinux user for the
files/directories based on which user's home folder it is.
Other directories/files should have the same security context as the
parent directory, like with /opt.
Is this correct?
* Re: How does matchpathcon/setfiles work?
2014-06-01 15:19 How does matchpathcon/setfiles work? dE
@ 2014-06-02 6:42 ` Sven Vermeulen
2014-06-02 9:57 ` dE
0 siblings, 1 reply; 5+ messages in thread
From: Sven Vermeulen @ 2014-06-02 6:42 UTC (permalink / raw)
To: dE; +Cc: SELinux
Policies do contain paths. They contain path expressions to be more precise.
During policy load, the path expressions together with the target contexts
are extracted and placed in /etc/selinux/mcs/contexts/files/file_contexts,
which is where tools like matchpathcon get their information from.
Wkr,
Sven Vermeulen
On Jun 1, 2014 5:48 PM, "dE" <de.techno@gmail.com> wrote:
> As we know, policies don't contain paths. So the working of
> matchpathcon/setfiles must be based on common sense.
>
> It looks like it knows certain special folders and its appropriate
> security context, for e.g. home folder contents should have files with
> user_home_t and suggests the correct SELinux user for the files/directories
> based on which user's home folder it is.
>
> Other directories/files should have the same security context as the
> parent directory, like with /opt.
>
> Is this correct?
* Re: How does matchpathcon/setfiles work?
2014-06-02 6:42 ` Sven Vermeulen
@ 2014-06-02 9:57 ` dE
2014-06-02 13:20 ` Stephen Smalley
0 siblings, 1 reply; 5+ messages in thread
From: dE @ 2014-06-02 9:57 UTC (permalink / raw)
To: selinux
On 06/02/14 12:12, Sven Vermeulen wrote:
>
> Policies do contain paths. They contain path expressions to be more
> precise.
>
> During policy load, the path expressions together with the target
> contexts are extracted and placed in
> /etc/selinux/mcs/contexts/files/file_contexts, which is where tools
> like matchpathcon get their information from.
>
> Wkr,
> Sven Vermeulen
>
> On Jun 1, 2014 5:48 PM, "dE" <de.techno@gmail.com
> <mailto:de.techno@gmail.com>> wrote:
>
> As we know, policies don't contain paths. So the working of
> matchpathcon/setfiles must be based on common sense.
>
> It looks like it knows certain special folders and its
> appropriate security context, for e.g. home folder contents should
> have files with user_home_t and suggests the correct SELinux user
> for the files/directories based on which user's home folder it is.
>
> Other directories/files should have the same security context as
> the parent directory, like with /opt.
>
> Is this correct?
>
Do the paths have any other purpose other than defining the default
security context?
* Re: How does matchpathcon/setfiles work?
2014-06-02 9:57 ` dE
@ 2014-06-02 13:20 ` Stephen Smalley
2014-06-02 18:25 ` dE
0 siblings, 1 reply; 5+ messages in thread
From: Stephen Smalley @ 2014-06-02 13:20 UTC (permalink / raw)
To: dE, selinux
On 06/02/2014 05:57 AM, dE wrote:
> On 06/02/14 12:12, Sven Vermeulen wrote:
>>
>> Policies do contain paths. They contain path expressions to be more
>> precise.
>>
>> During policy load, the path expressions together with the target
>> contexts are extracted and placed in
>> /etc/selinux/mcs/contexts/files/file_contexts, which is where tools
>> like matchpathcon get their information from.
>>
>> Wkr,
>> Sven Vermeulen
>>
>> On Jun 1, 2014 5:48 PM, "dE" <de.techno@gmail.com
>> <mailto:de.techno@gmail.com>> wrote:
>>
>> As we know, policies don't contain paths. So the working of
>> matchpathcon/setfiles must be based on common sense.
>>
>> It looks like it knows certain special folders and its
>> appropriate security context, for e.g. home folder contents should
>> have files with user_home_t and suggests the correct SELinux user
>> for the files/directories based on which user's home folder it is.
>>
>> Other directories/files should have the same security context as
>> the parent directory, like with /opt.
>>
>> Is this correct?
>>
>
> Do the paths have any other purpose other than defining the default
> security context?
No, and they are not part of the kernel policy, only used by userspace
programs like setfiles, udev, package managers like rpm/dpkg, etc.
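
An added illustration of the two replies above (not code from the thread or from libselinux): a simplified Python model of how a userspace tool such as matchpathcon resolves a path against file_contexts entries. The sample entries are constructed, and the precedence rule used here (last matching entry wins, literal paths outrank regexes) is a simplifying assumption about libselinux behaviour.

```python
import re

# Constructed sample in file_contexts format (not taken from a real policy):
#   <path regex>  [file type flag]  <context or <<none>>>
SAMPLE = r"""
/.*                     system_u:object_r:default_t
/etc/shadow       --    system_u:object_r:shadow_t
/etc(/.*)?              system_u:object_r:etc_t
/opt(/.*)?              system_u:object_r:usr_t
/opt/(.*/)?bin(/.*)?    system_u:object_r:bin_t
/home/[^/]+/.+          system_u:object_r:user_home_t
/proc(/.*)?             <<none>>
"""

FILE_TYPES = {"--": "file", "-d": "dir", "-l": "symlink", "-c": "chr",
              "-b": "blk", "-s": "sock", "-p": "fifo"}
META = set(".^$?*+|[({")  # characters that make an entry a regex, not a literal

def parse(text):
    """Parse file_contexts text into (regex, ftype, context, is_literal) specs."""
    specs = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) not in (2, 3) or fields[0].startswith("#"):
            continue  # blank line, comment or malformed entry
        pattern, context = fields[0], fields[-1]
        ftype = FILE_TYPES[fields[1]] if len(fields) == 3 else None
        literal = not (META & set(pattern))
        specs.append((re.compile(pattern), ftype, context, literal))
    # Assumption: literal paths are moved to the end so they are tried first;
    # the stable sort keeps file order among the regex entries.
    return sorted(specs, key=lambda s: s[3])

def lookup(specs, path, ftype="file"):
    """Return the default context for path, or None for <<none>> / no match."""
    for regex, want, context, _ in reversed(specs):  # last matching spec wins
        # Entries are anchored at both ends, hence fullmatch.
        if regex.fullmatch(path) and want in (None, ftype):
            return None if context == "<<none>>" else context
    return None

SPECS = parse(SAMPLE)

if __name__ == "__main__":
    for p in ("/etc/shadow", "/opt/app/data", "/opt/app/bin/tool", "/proc/1/status"):
        print(p, "->", lookup(SPECS, p))
```

Nothing here touches the kernel policy: the lookup is a pure text match, which is why the result is only a default label that a tool like setfiles then applies.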
* Re: How does matchpathcon/setfiles work?
2014-06-02 13:20 ` Stephen Smalley
@ 2014-06-02 18:25 ` dE
0 siblings, 0 replies; 5+ messages in thread
From: dE @ 2014-06-02 18:25 UTC (permalink / raw)
To: selinux
On 06/02/14 18:50, Stephen Smalley wrote:
> On 06/02/2014 05:57 AM, dE wrote:
>> On 06/02/14 12:12, Sven Vermeulen wrote:
>>> Policies do contain paths. They contain path expressions to be more
>>> precise.
>>>
>>> During policy load, the path expressions together with the target
>>> contexts are extracted and placed in
>>> /etc/selinux/mcs/contexts/files/file_contexts, which is where tools
>>> like matchpathcon get their information from.
>>>
>>> Wkr,
>>> Sven Vermeulen
>>>
>>> On Jun 1, 2014 5:48 PM, "dE" <de.techno@gmail.com
>>> <mailto:de.techno@gmail.com>> wrote:
>>>
>>> As we know, policies don't contain paths. So the working of
>>> matchpathcon/setfiles must be based on common sense.
>>>
>>> It looks like it knows certain special folders and its
>>> appropriate security context, for e.g. home folder contents should
>>> have files with user_home_t and suggests the correct SELinux user
>>> for the files/directories based on which user's home folder it is.
>>>
>>> Other directories/files should have the same security context as
>>> the parent directory, like with /opt.
>>>
>>> Is this correct?
>>>
>> Do the paths have any other purpose other than defining the default
>> security context?
> No, and they are not part of the kernel policy, only used by userspace
> programs like setfiles, udev, package managers like rpm/dpkg, etc.
>
Yes, the file belongs to selinux-policy-targeted