[selinux] SElinux newbie question

Petr Lautrbach plautrba at redhat.com
Fri Oct 16 05:08:21 UTC 2015


On 10/15/2015 06:37 PM, David Li wrote:
> Petr,
> 
> Thanks for the suggestion; it worked this time by adding the -F flag.
> 
> $ ls -Z /usr/sbin/myapp
> -rwxr-xr-x. root root system_u:object_r:myapp_exec_t:s0 /usr/sbin/myapp
> 
> I am also wondering if the following is equivalent to fixfiles -F:
> 
> touch /.autorelabel
> reboot

You need to use the -F flag in this case as well:

echo '-F' > /.autorelabel
reboot


Petr

> 
> Thanks.
> 
> On Thu, Oct 15, 2015 at 1:36 AM, Petr Lautrbach <plautrba at redhat.com> wrote:
>> On 10/15/2015 01:57 AM, David Li wrote:
>>> My next question is why my file isn't labelled correctly.
>>>
>>> My .fc file has the label defined as:
>>>
>>> /usr/sbin/myapp -- gen_context(system_u:object_r:myapp_exec_t,s0)
>>>
>>> After installing the targeted RPM and relabeling with fixfiles relabel,
>>> the file "/usr/sbin/myapp" looks like this:
>>>
>>> $ ls -Z /usr/sbin/myapp
>>> -rwxr-xr-x. root root unconfined_u:object_r:myapp_exec_t:s0 /usr/sbin/myapp
>>>
>>> So the domain has been labeled correctly but the user now becomes
>>> "unconfined". Why?
>>
>>
>> fixfiles uses the restorecon command without the force flag by default.
>> This means that only the type of a file is modified. If you want to
>> enforce replacement of the entire context, you should use the -F option:
>>
>> # fixfiles -F relabel
>>
>>
>>
>>
>> Petr
>>
>>
>>> On Wed, Oct 14, 2015 at 4:46 PM, David Li <dlipubkey at gmail.com> wrote:
>>>> Robin,
>>>> yep, that worked!
>>>> My policy is actually built into the targeted RPM. So I don't need to
>>>> do semodule again.
>>>> Thanks!
>>>>
>>>>
>>>>
>>>> On Wed, Oct 14, 2015 at 3:55 PM, Robin Lee Powell
>>>> <rlpowell at digitalkingdom.org> wrote:
>>>>> Assuming CentOS is the same as Fedora in this regard, you'll want
>>>>> selinux-policy-targeted (which is the normal SELinux user policy)
>>>>> and whatever package includes /usr/share/selinux/devel/Makefile
>>>>> (which is how you make modules; make a directory with only your .te
>>>>> and maybe .fc file, and run: /usr/bin/make -f
>>>>> /usr/share/selinux/devel/Makefile , and then semodule -i modname.pp )
>>>>>
>>>>> On Wed, Oct 14, 2015 at 03:41:18PM -0700, David Li wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I am using CentOS 7.1 and just built the following new SELinux policy
>>>>>> RPMs. I wonder which one I should install. Or do I need to
>>>>>> install all of them?
>>>>>>
>>>>>> My purpose is to test a simple policy that I wrote.
>>>>>>
>>>>>>
>>>>>> [admin at localhost noarch]$ ll
>>>>>> total 8996
>>>>>> -rw-rw-r--. 1 admin admin  361920 Oct 14 11:47 selinux-policy-3.13.1-23.el7.centos.noarch.rpm
>>>>>> -rw-rw-r--. 1 admin admin 3467872 Oct 14 11:47 selinux-policy-devel-3.13.1-23.el7.centos.noarch.rpm
>>>>>> -rw-rw-r--. 1 admin admin  917644 Oct 14 11:47 selinux-policy-doc-3.13.1-23.el7.centos.noarch.rpm
>>>>>> -rw-rw-r--. 1 admin admin  365812 Oct 14 11:47 selinux-policy-sandbox-3.13.1-23.el7.centos.noarch.rpm
>>>>>> -rw-rw-r--. 1 admin admin 4084412 Oct 14 11:47 selinux-policy-targeted-3.13.1-23.el7.centos.noarch.rpm
>>>>>>
>>>>>> Thanks.
>>>>>> --
>>>>>> selinux mailing list
>>>>>> selinux at lists.fedoraproject.org
>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>
>>
>>
>>
>>
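
The behaviour described in this thread (a relabel without -F replaces only the type, while -F replaces the whole context), modelled as an added shell example that is not part of the original messages. The function names are hypothetical, the sample contexts are the ones quoted in the thread, contexts are assumed to carry an MLS range, and `audit_file` assumes GNU `stat` and `matchpathcon` are installed on the host.

```shell
#!/bin/sh
# Added example: models restorecon's default vs. -F behaviour as described
# in restorecon(8). Contexts are user:role:type:range; the range may itself
# contain ':' (e.g. s0:c0.c1023), so it is taken as "field 4 to the end".

ctx_field() {  # ctx_field CONTEXT N  -> Nth field (4 = whole range)
    case $2 in
        4) printf '%s\n' "$1" | cut -d: -f4- ;;
        *) printf '%s\n' "$1" | cut -d: -f"$2" ;;
    esac
}

# Context a file ends up with after a relabel WITHOUT -F:
# only the type is taken from the expected (file_contexts) label.
plain_relabel() {  # plain_relabel CURRENT EXPECTED
    printf '%s:%s:%s:%s\n' "$(ctx_field "$1" 1)" "$(ctx_field "$1" 2)" \
        "$(ctx_field "$2" 3)" "$(ctx_field "$1" 4)"
}

# Context after a relabel WITH -F: the whole expected label is applied.
forced_relabel() { printf '%s\n' "$2"; }

# What is needed to reach EXPECTED: ok | plain | force
relabel_advice() {  # relabel_advice CURRENT EXPECTED
    if [ "$1" = "$2" ]; then
        echo ok
    elif [ "$(plain_relabel "$1" "$2")" = "$2" ]; then
        echo plain
    else
        echo force
    fi
}

# Live check on an SELinux host (assumes GNU stat and matchpathcon from
# libselinux-utils are installed); not exercised by the sample run below.
audit_file() {  # audit_file PATH
    printf '%s: %s\n' "$1" \
        "$(relabel_advice "$(stat -c %C "$1")" "$(matchpathcon -n "$1")")"
}

# Sample run with the label seen in the thread and the .fc definition.
on_disk='unconfined_u:object_r:myapp_exec_t:s0'
expected='system_u:object_r:myapp_exec_t:s0'
echo "plain:  $(plain_relabel "$on_disk" "$expected")"
echo "forced: $(forced_relabel "$on_disk" "$expected")"
echo "advice: $(relabel_advice "$on_disk" "$expected")"
```

On a live system, `restorecon -n -v -F /usr/sbin/myapp` gives the same answer as a dry run without changing any label.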



