priority between file context rules

Vidalie Hervé herve.vidalie at worldline.com
Thu Dec 12 10:19:20 UTC 2013


Thank you all for your answers

-----Original message-----
From: Dominick Grift [mailto:dominick.grift at gmail.com]
Sent: Thursday, 5 December 2013 17:26
To: Vidalie Hervé
Cc: Daniel J Walsh; Bruno Wolff III; selinux at lists.fedoraproject.org
Subject: Re: priority between file context rules


On Thu, 2013-12-05 at 17:12 +0100, Vidalie Hervé wrote:
> Hello,
>
> Thank you for your answers.
>
> I have two remaining questions:
> -I would like to create a policy package file to define these file context mappings. How do I add mapping rules and rules for automatically labeling created files?
> -Where can I find the source of the policy I use? (selinux-policy-targeted-3.7.19-195.el6_4.18.noarch)
>

I will give you an example

For example, let's say I want to create a policy package that associates
system_u:object_r:httpd_sys_content_t:s0 with /mywww and everything
below it.

cat > mywww.te <<EOF
policy_module(mywww, 1.0.0)
gen_require(\` type httpd_sys_content_t; ')
EOF

The above creates a file with name mywww.te
The first line declares a new policy module of name mywww with version
1.0.0
The second line imports the httpd_sys_content_t type identifier.
Type identifiers that are declared outside of this module need to be
imported into this module before we can use them.

The system_u, object_r, and s0 identifiers do not need to be imported
because they are core identifiers that are automatically imported when
you declare a policy module (the first line)

cat > mywww.fc <<EOF
/mywww(/.*)? system_u:object_r:httpd_sys_content_t:s0
EOF

The above creates a file with name mywww.fc
The line in this file specifies the file context.
It associates the security context
system_u:object_r:httpd_sys_content_t:s0 with /mywww and everything
below it.
The (/.*)? is a POSIX regular expression.

make -f /usr/share/selinux/devel/Makefile mywww.pp

The above command creates a mywww.pp file
This is a policy package that we can use to load the policy into the
system

sudo semodule -i mywww.pp

The above command loads the policy package into the system. This will be
persistent

To remove it:

sudo semodule -r mywww

See man semodule for more details on how to manage policy packages



