* How does matchpathcon/setfiles work?
From: dE @ 2014-06-01 15:19 UTC
To: selinux

As we know, policies don't contain paths. So the working of matchpathcon/setfiles must be based on common sense.

It looks like it knows certain special folders and its appropriate security context, for e.g. home folder contents should have files with user_home_t and suggests the correct SELinux user for the files/directories based on which user's home folder it is.

Other directories/files should have the same security context as the parent directory, like with /opt.

Is this correct?

* Re: How does matchpathcon/setfiles work?
From: Sven Vermeulen @ 2014-06-02 6:42 UTC
To: dE; +Cc: SELinux

Policies do contain paths. They contain path expressions to be more precise.

During policy load, the path expressions together with the target contexts are extracted and placed in /etc/selinux/mcs/contexts/files/file_contexts, which is where tools like matchpathcon get their information from.

Wkr,
Sven Vermeulen

On Jun 1, 2014 5:48 PM, "dE" <de.techno@gmail.com> wrote:

> As we know, policies don't contain paths. So the working of
> matchpathcon/setfiles must be based on common sense.
>
> It looks like it knows certain special folders and its appropriate
> security context, for e.g. home folder contents should have files with
> user_home_t and suggests the correct SELinux user for the files/directories
> based on which user's home folder it is.
>
> Other directories/files should have the same security context as the
> parent directory, like with /opt.
>
> Is this correct?

* Re: How does matchpathcon/setfiles work?
From: dE @ 2014-06-02 9:57 UTC
To: selinux

On 06/02/14 12:12, Sven Vermeulen wrote:
>
> Policies do contain paths. They contain path expressions to be more
> precise.
>
> During policy load, the path expressions together with the target
> contexts are extracted and placed in
> /etc/selinux/mcs/contexts/files/file_contexts, which is where tools
> like matchpathcon get their information from.
>
> Wkr,
> Sven Vermeulen
>
> On Jun 1, 2014 5:48 PM, "dE" <de.techno@gmail.com> wrote:
>
>     As we know, policies don't contain paths. So the working of
>     matchpathcon/setfiles must be based on common sense.
>
>     It looks like it knows certain special folders and its
>     appropriate security context, for e.g. home folder contents should
>     have files with user_home_t and suggests the correct SELinux user
>     for the files/directories based on which user's home folder it is.
>
>     Other directories/files should have the same security context as
>     the parent directory, like with /opt.
>
>     Is this correct?
>

Do the paths have any other purpose other than defining the default security context?

* Re: How does matchpathcon/setfiles work?
From: Stephen Smalley @ 2014-06-02 13:20 UTC
To: dE, selinux

On 06/02/2014 05:57 AM, dE wrote:
> On 06/02/14 12:12, Sven Vermeulen wrote:
>>
>> Policies do contain paths. They contain path expressions to be more
>> precise.
>>
>> During policy load, the path expressions together with the target
>> contexts are extracted and placed in
>> /etc/selinux/mcs/contexts/files/file_contexts, which is where tools
>> like matchpathcon get their information from.
>>
>> Wkr,
>> Sven Vermeulen
>>
>> On Jun 1, 2014 5:48 PM, "dE" <de.techno@gmail.com> wrote:
>>
>>     As we know, policies don't contain paths. So the working of
>>     matchpathcon/setfiles must be based on common sense.
>>
>>     It looks like it knows certain special folders and its
>>     appropriate security context, for e.g. home folder contents should
>>     have files with user_home_t and suggests the correct SELinux user
>>     for the files/directories based on which user's home folder it is.
>>
>>     Other directories/files should have the same security context as
>>     the parent directory, like with /opt.
>>
>>     Is this correct?
>>
>
> Do the paths have any other purpose other than defining the default
> security context?

No, and they are not part of the kernel policy, only used by userspace programs like setfiles, udev, package managers like rpm/dpkg, etc.

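
An added illustration, not part of the original thread and not libselinux code: a simplified Python model of how a userspace tool resolves a path against file_contexts entries like those Sven and Stephen describe. The entries are constructed samples, and the precedence rule (literal paths first, then the last matching entry in the file) is an assumption simplified from libselinux's behaviour.

```python
import re

# Constructed sample in file_contexts syntax: <path regex> [<file type>] <context>
SAMPLE = r"""
/.*                   system_u:object_r:default_t
/opt(/.*)?            system_u:object_r:usr_t
/opt/.*/bin(/.*)?     system_u:object_r:bin_t
/home/[^/]+/.+        system_u:object_r:user_home_t
/home/[^/]+    -d     system_u:object_r:user_home_dir_t
/etc/shadow    --     system_u:object_r:shadow_t
/proc/.*              <<none>>
"""

FILE_TYPES = {"--": "file", "-d": "dir", "-l": "symlink", "-c": "char",
              "-b": "block", "-s": "socket", "-p": "pipe"}

def parse(text):
    """Parse file_contexts text into (compiled regex, has_meta, type, context)."""
    specs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) == 3:
            regex, ftype, context = fields[0], FILE_TYPES[fields[1]], fields[2]
        elif len(fields) == 2:
            regex, ftype, context = fields[0], None, fields[1]  # any file type
        else:
            raise ValueError(f"malformed entry: {line!r}")
        # Ignore escaped characters, then look for regex metacharacters.
        has_meta = bool(re.search(r"[.^$?*+|\[({]", re.sub(r"\\.", "", regex)))
        specs.append((re.compile(regex), has_meta, ftype, context))
    return specs

def lookup(specs, path, file_type="file"):
    """Return the default context for path, or None for <<none>> / no match."""
    # Assumed precedence (simplified from libselinux): literal paths beat
    # regex entries; among the rest, the entry latest in the file wins.
    ordered = sorted(specs, key=lambda s: not s[1])  # stable: literals last
    for pattern, _meta, ftype, context in reversed(ordered):
        if pattern.fullmatch(path) and ftype in (None, file_type):
            return None if context == "<<none>>" else context
    return None

SPECS = parse(SAMPLE)
if __name__ == "__main__":
    for p, t in [("/opt/vendor/tool.conf", "file"), ("/home/alice", "dir"),
                 ("/etc/shadow", "file"), ("/proc/1/maps", "file")]:
        print(p, t, "->", lookup(SPECS, p, t))
```

In this model a file under /opt gets its context because a path expression matches it, not because it inherits from the parent directory, and nothing here consults the kernel policy.
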
* Re: How does matchpathcon/setfiles work?
From: dE @ 2014-06-02 18:25 UTC
To: selinux

On 06/02/14 18:50, Stephen Smalley wrote:
> On 06/02/2014 05:57 AM, dE wrote:
>> On 06/02/14 12:12, Sven Vermeulen wrote:
>>> Policies do contain paths. They contain path expressions to be more
>>> precise.
>>>
>>> During policy load, the path expressions together with the target
>>> contexts are extracted and placed in
>>> /etc/selinux/mcs/contexts/files/file_contexts, which is where tools
>>> like matchpathcon get their information from.
>>>
>>> Wkr,
>>> Sven Vermeulen
>>>
>>> On Jun 1, 2014 5:48 PM, "dE" <de.techno@gmail.com> wrote:
>>>
>>>     As we know, policies don't contain paths. So the working of
>>>     matchpathcon/setfiles must be based on common sense.
>>>
>>>     It looks like it knows certain special folders and its
>>>     appropriate security context, for e.g. home folder contents should
>>>     have files with user_home_t and suggests the correct SELinux user
>>>     for the files/directories based on which user's home folder it is.
>>>
>>>     Other directories/files should have the same security context as
>>>     the parent directory, like with /opt.
>>>
>>>     Is this correct?
>>>
>> Do the paths have any other purpose other than defining the default
>> security context?
> No, and they are not part of the kernel policy, only used by userspace
> programs like setfiles, udev, package managers like rpm/dpkg, etc.
>

Yes, the file belongs to selinux-policy-targeted