On 12/04/2010 09:24 PM, Jorge Fábregas wrote:
On Saturday 04 December 2010 16:03:30 Jorge Fábregas wrote:
> cd /etc
> rm hosts
> touch hosts
>
> ls -lZ /etc/hosts
> (it shows etc_t as its type)
>
> If I do a restorecon of the hosts file I'll get the correct net_conf_t for
> the file.
Ok, I kept searching... Is it because, in order for the touch command (bin_t)
to create a file in /etc/ labeled as net_conf_t, a file-transition rule allowing
this should have existed? If there's no rule, the default is to use the label
of the parent directory?
Exactly.
So let's assume your domain type shows unconfined_t if you run id -Z. You run
touch, which is a helper app with type bin_t. That is a type for
executable files that are (usually) not an entry point to any domain. So
you run touch in the unconfined_u domain.
So you could define a file type transition:
if unconfined_t creates a file in directories with type etc_t, then
transition from type etc_t to some specified type (net_conf_t in your
example)
filetrans_pattern(unconfined_t, etc_t, net_conf_t, file)
Of course, then all files that you create in etc_t directories get created
with that net_conf_t type. Not what you want.
That is one reason to do a domain transition.
For example, we label touch with a newly defined type. We make this type a
core command executable type of, let's say, touch_exec_t. Now we could
define a domain transition:
if unconfined_t runs a file with type touch_exec_t, then transition from
the type unconfined_t to some specified type (for example touch_t).
Now you can specify a type transition for touch_t creating a file in
etc_t directories:
filetrans_pattern(touch_t, etc_t, net_conf_t, file)
Now when unconfined_t creates a file in etc_t directories, the file will
inherit the type of the parent directory (etc_t).
But if touch_t creates a file in etc_t directories, the type of the file
will transition from etc_t to net_conf_t.
Type transition is one of the most important concepts in type
enforcement. The two main types of transitions are as shown above:
- domain type transition
- file type transition
A domain type is a type of a process (subject).
A file type is a type of a file (object).
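The two transitions described in this reply, wired together in a reference-policy module as an added illustration (not policy shipped by Fedora or posted in the thread): a domain transition from unconfined_t into a touch_t domain via touch_exec_t, and a file transition so that touch_t creating a file in an etc_t directory yields net_conf_t instead of the parent's etc_t. The names touch_t and touch_exec_t are the hypothetical ones used above, the /bin/touch path is assumed, and only the transition wiring is shown; a real confined touch_t would need further allow rules (libraries, tty, etc.) to actually run.

```selinux
# mytouch.te  (illustrative; touch_t / touch_exec_t are hypothetical names)
policy_module(mytouch, 1.0)

# Types introduced by this module
type touch_t;            # domain the touch process will run in
type touch_exec_t;       # entry point (executable) type for the touch binary
application_domain(touch_t, touch_exec_t)

# Types that already exist in the base policy
gen_require(`
    type unconfined_t;
    type etc_t;
    type net_conf_t;
')

# Domain transition: unconfined_t executing a touch_exec_t file ends up
# in touch_t. The macro emits the type_transition on the process class
# plus the execute / transition / entrypoint allow rules it requires.
domtrans_pattern(unconfined_t, touch_exec_t, touch_t)

# File transition: a file that touch_t creates in an etc_t directory is
# labeled net_conf_t rather than inheriting etc_t from the directory.
# Core rule generated:  type_transition touch_t etc_t:file net_conf_t;
filetrans_pattern(touch_t, etc_t, net_conf_t, file)

# The transition alone grants nothing; touch_t must still be allowed
# to add the entry to the directory and create the resulting file.
allow touch_t etc_t:dir { search write add_name };
allow touch_t net_conf_t:file { create open write getattr setattr };

# mytouch.fc  (file context so restorecon labels the binary; path assumed)
# /bin/touch    --    gen_context(system_u:object_r:touch_exec_t,s0)
```

Build with make -f /usr/share/selinux/devel/Makefile, load with semodule -i mytouch.pp, and run restorecon on the binary so it actually carries touch_exec_t; without the domain transition, touch stays in unconfined_t and the file keeps the parent directory's etc_t, exactly as observed at the top of the thread.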