Where's the class defined in file_contexts*

Where's the class defined in file_contexts*

[dE]

The default security context of a object also depends on it's class.

I was looking at 
etc/selinux/<SELINUXTYPE>/contexts/files/file_contexts*, but I couldn't 
see any definition of a class.

Also semanage fcontext doesn't have an option define a class. Entries 
are based only on files and directories.

If you get red text in this email please notify.

Re: Where's the class defined in file_contexts*

[Sven Vermeulen]

[-- Attachment #1: Type: text/plain, Size: 837 bytes --]

It is defined through the "middle" column. For instance, -- is a regular
file, -l a symlink, etc.

These can de defined with "semanage fcontext" as well.

Wkr,
  Sven
On Jul 1, 2014 10:57 AM, "dE" <de.techno@gmail.com> wrote:

> The default security context of a object also depends on it's class.
>
> I was looking at etc/selinux/<SELINUXTYPE>/contexts/files/file_contexts*,
> but I couldn't see any definition of a class.
>
> Also semanage fcontext doesn't have an option define a class. Entries are
> based only on files and directories.
>
> If you get red text in this email please notify.
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to
> Selinux-request@tycho.nsa.gov.
>

[-- Attachment #2: Type: text/html, Size: 1407 bytes --]

Re: Where's the class defined in file_contexts*

[Daniel J Walsh]

On 07/01/2014 04:47 AM, dE wrote:
> The default security context of a object also depends on it's class.
>
> I was looking at
> etc/selinux/<SELINUXTYPE>/contexts/files/file_contexts*, but I
> couldn't see any definition of a class.
>
> Also semanage fcontext doesn't have an option define a class. Entries
> are based only on files and directories.
>
> If you get red text in this email please notify.
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to
> Selinux-request@tycho.nsa.gov.
I believe the answer to your question is:

man semanage-fcontext
...
       -f [{a,f,d,c,b,s,l,p}], --ftype [{a,f,d,c,b,s,l,p}]
              File Type. This is used with fcontext. Requires a file
type as shown in the mode field by ls, e.g. use 'd' to match only
directories
              or  'f'  to  match  only  regular  files. The following
file type options can be passed: f (regular file),d (directory),c (character
              device), b (block device),s (socket),l (symbolic link),p
(named pipe).  If you do not specify  a  file  type,  the  file  type  will
              default to "all files".

Re: Where's the class defined in file_contexts*

[Dominick Grift]

On Tue, 2014-07-01 at 14:17 +0530, dE wrote:
> The default security context of a object also depends on it's class.
> 
> I was looking at 
> etc/selinux/<SELINUXTYPE>/contexts/files/file_contexts*, but I couldn't 
> see any definition of a class.
> 
> Also semanage fcontext doesn't have an option define a class. Entries 
> are based only on files and directories.

semanage support -f

only file object classes apply to file object context specifications
obviously.

file: --
dir: -d
symbolic link: -l
named pipe: -p
sock file: -s

semanage fcontext -a ... -f -d "/test/mydir"
semanage fcontext -a ...-f -s "/test/mysocket"
semanage fcontext -a ... -f -- "/test/myfile"
... etc ...

if the file object context spec applies to any file object then you need
not specify the class:

semanage fcontext -a ... "/test/anyfileobjects(/.*)?"

So in file_contexts look for -- -d -s -l -p, if none of those are
specified then the spec applies to any file object class

> 
> If you get red text in this email please notify.
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.

Re: Where's the class defined in file_contexts*

[dE]

On 07/01/14 16:12, Daniel J Walsh wrote:
> On 07/01/2014 04:47 AM, dE wrote:
>> The default security context of a object also depends on it's class.
>>
>> I was looking at
>> etc/selinux/<SELINUXTYPE>/contexts/files/file_contexts*, but I
>> couldn't see any definition of a class.
>>
>> Also semanage fcontext doesn't have an option define a class. Entries
>> are based only on files and directories.
>>
>> If you get red text in this email please notify.
>> _______________________________________________
>> Selinux mailing list
>> Selinux@tycho.nsa.gov
>> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
>> To get help, send an email containing "help" to
>> Selinux-request@tycho.nsa.gov.
> I believe the answer to your question is:
>
> man semanage-fcontext
> ...
>         -f [{a,f,d,c,b,s,l,p}], --ftype [{a,f,d,c,b,s,l,p}]
>                File Type. This is used with fcontext. Requires a file
> type as shown in the mode field by ls, e.g. use 'd' to match only
> directories
>                or  'f'  to  match  only  regular  files. The following
> file type options can be passed: f (regular file),d (directory),c (character
>                device), b (block device),s (socket),l (symbolic link),p
> (named pipe).  If you do not specify  a  file  type,  the  file  type  will
>                default to "all files".

Thanks everyone for clarifying this.

I didnt know there existed man pages for semanage-*. It's not there in 
Fedora 19.