selinux-policy package versioning change
by Zdenek Pytela
Hi,
We plan to change the versioning scheme of the selinux-policy packages.
Based on a request to use tags in the selinux-policy GitHub repo, we
discussed further actions and possible automation and decided to couple the
tags with the package version, together with making a change for better
comprehensibility.
So far, the package version changed with branching a new Fedora release off
rawhide (e.g. 3.14.6 to 3.14.7), and the release part of the NVR scheme
was used for updates (3.14.7-1). After the change, the version would
contain the Fedora branch number and the sequential number of the package
in the branch (34.1), and the release part would be used only for changes
in packaging (34.1-1). It would apply to Fedora 34 and newer.
In the GitHub repo, tags matching the Fedora package version would be used
(v34.1), pairing the latest commit in GitHub with the latest commit in the
package (34.1-1).
We do not expect any impact on end users or on developers unless the
exact version was used somewhere. If there are no objections, we will make
the change in a week's time.
Cheers,
--
Zdenek Pytela
SELinux team
2 years, 11 months
Failed to resolve filecon statement
by Daniel Skip
I've gotten this message in the past with SELinux and was able to figure it out, but since I've taken a few years' break from SELinux and am now just getting back into it, I am stumped on how to fix the issue. Basically, I made a simple script and am trying to confine that simple script but have run into this error. Here is the full error:
Failed to resolve filecon statement at /var/lib/selinux/targeted/tmp/modules/400/testscript/cil:39
/usr/sbin/semodule: Failed!
I'll link you my files from GitHub. Everything is the same except I just changed the name from "myscript" to "testscript." Any help is greatly appreciated, thank you.
https://github.com/dtdevore64/myscript
2 years, 12 months
Why won't it let me transition from a staff_r role to a sysadm_r role?
by Daniel Skip
Every time I run the command "sudo id -Z" it still says I am in the staff_r role when I should be in the sysadm_r role because that's how I set it up in my /etc/sudoers file which looks like this:
daniel ALL=(ALL) ROLE=sysadm_r TYPE=sysadm_t ALL
Furthermore, can anyone tell me what the best way to utilize RBAC on the targeted policy would be? I was looking at using the secadm_r for only installing policy instead of letting any other role do that, but it looks like that would only work if I transitioned my system to an MLS system. Any ideas or help would be greatly appreciated.
2 years, 12 months
how to influence the label of files generated by an application
by SZIGETVÁRI János
Dear Members,
I am maintaining a SELinux policy module for an application (A) and one of
its submodules (B).
By now I have reached a point where all the rules seem to be in place, and
both A and B processes transition to their respective process labels, and
have their associated file types, the related permissions and file paths
set up.
My problem is that even though a process of B is running with the B process
label, it is supposed to create some files and directories of its own under
a directory that has a label related to A. The B process has the necessary
rights to create those directories and files underneath the directory with
the label belonging to A. The problem is that the files created by the
process B will not be created with the file label belonging to B, but seem
to inherit the label from the parent directory, that has a label belonging
to A. This happens in spite of having the file contexts and paths set up
correctly in the module's fc rules.
So if I run restorecon on the files that were just created (by B, but have
a label belonging to A), it will (re)set them to the file labels I intended
them to have originally.
How can I overcome this problem? This behavior causes an ugly logical flaw
in the logical design of my SELinux modules.
Thanks in advance for any help!
Best Regards,
János Szigetvári
--
Janos SZIGETVARI
RHCE, License no. 150-053-692
<https://www.redhat.com/rhtapps/verify/?certId=150-053-692>
LinkedIn: linkedin.com/in/janosszigetvari
E-mail: janos(a)szigetvari.com, jszigetvari(a)gmail.com
Web: janos.szigetvari.com
__@__˚V˚
Make the switch to open (source) applications, protocols, formats now:
- windows -> Linux, iexplore -> Firefox, msoffice -> LibreOffice
- msn -> jabber protocol (Pidgin, Google Talk)
- mp3 -> ogg, wmv -> ogg, jpg -> png, doc/xls/ppt -> odt/ods/odp
3 years