-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 12/28/2010 11:29 PM, Vadym Chepkov wrote:
>>>>>
>>>>> P.S. On related note, how do $HOME files get their labeling?
>>
>> It depends. When all is right, files in home get created with the
>> proper contexts by means of "type transition" rules, basically.
>>
>> example:
>>
>> if a process with type pyzor_t creates a file in a directory with type
>> user_home_dir_t, then there is a "type transition" from user_home_dir_t to
>> pyzor_home_t.
>>
>> But in gnome-session there is also restorecond -u watching contexts in home.
>>
>> Basically it compares contexts in home with what's defined in semanage
>> fcontext (or homedir.template) and resets contexts accordingly. (This is
>> some hack to ensure that user home dir content is labelled properly.)
>
> That was my question, how do you define it in semanage fcontext?
> I see explicit references to /root/ home, but what about users home?
> Some sort of keyword/macro?
> I can see this in pyzor.fc:
> HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
> HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
> But you won't find anything like this in semanage fcontext -l output. A bug?
No, home directory contexts are handled a bit differently. There's a file
in /etc/selinux/*/contexts.* called homedir.contexts (or similar) with
home directory contexts instead, which gets recreated each time you build
the policy. I think it's a relic of the past when we used the user role
prefix to prefix our user home types. Nowadays it's useful for user-based
access control, I guess.
>>
>>>>> # semanage fcontext -l|grep pyzor
>>>>> has reference only to
>>>>> /root/\.pyzor(/.*)? all files system_u:object_r:pyzor_home_t:s0
>>>>>
>>>>> but, directory gets proper labeling:
>>>>>
>>>>> # ls -dZ /home/vchepkov/.pyzor
>>>>> drwx------. vchepkov users unconfined_u:object_r:spamc_home_t:s0 /home/vchepkov/.pyzor
>>>>>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAk0bItsACgkQMlxVo39jgT+lqQCfUAqcVLBaHYhwjTf1KtPcd7p6
TEIAoL6IAzWx6/BhVEjIWbb6hnKh2qNZ
=rpyZ
-----END PGP SIGNATURE-----
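An added example, not from this thread or from the reference policy, modelling in Python the point discussed above: the HOME_DIR entries in a .fc file (the two pyzor.fc lines quoted) never appear in `semanage fcontext -l` because they are templates; they are expanded into per-home-root regexes in the generated homedir contexts file, and only the expanded form ever matches a real path such as /home/vchepkov/.pyzor. Assumptions: the sample .fc text is constructed from the lines quoted in the thread; the single `/home/[^/]+` substitution for HOME_DIR is a simplification of what genhomedircon emits (the real home roots come from semanage login/user settings); path lookup uses the classic last-matching-entry-wins rule of file_contexts and does not model the specificity ordering modern libselinux applies on top of it.

```python
import re

# Constructed sample .fc content: the two pyzor.fc HOME_DIR lines quoted in
# the thread plus the explicit /root entry that semanage fcontext -l reports.
PYZOR_FC = r"""
HOME_DIR/\.pyzor(/.*)?    gen_context(system_u:object_r:pyzor_home_t,s0)
HOME_DIR/\.spamd(/.*)?    gen_context(system_u:object_r:pyzor_home_t,s0)
/root/\.pyzor(/.*)?       gen_context(system_u:object_r:pyzor_home_t,s0)
"""

# Assumption: the regex genhomedircon substitutes for HOME_DIR.  On a real
# system the home roots come from semanage login/user settings, so there
# may be several patterns here (one per home root in use).
HOME_DIR_PATTERNS = [r"/home/[^/]+"]

GEN_CONTEXT_RE = re.compile(r"gen_context\(([^,]+),([^)]+)\)")


def parse_fc(text):
    """Parse .fc lines into (regex, file_type, context) tuples.

    A line is: <regex> [-<type>] <context>, where the optional type field
    is e.g. "-d" for directories and "--" for regular files, and the
    context is gen_context(user:role:type,level) or <<none>>.  gen_context()
    is flattened to the user:role:type:level form that ls -Z prints.
    """
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 3:
            regex, ftype, ctx = parts
            ftype = "-" if ftype == "--" else ftype.lstrip("-")
        elif len(parts) == 2:
            regex, ctx = parts
            ftype = None
        else:
            raise ValueError("malformed .fc line: %r" % line)
        m = GEN_CONTEXT_RE.fullmatch(ctx)
        if m:
            ctx = "%s:%s" % (m.group(1), m.group(2))
        specs.append((regex, ftype, ctx))
    return specs


def semanage_visible(specs):
    """Entries semanage fcontext -l would list.  HOME_DIR templates are not
    in file_contexts (only their expansions live in the generated homedirs
    file), so they are absent from this view."""
    return [s for s in specs if not s[0].startswith("HOME_DIR")]


def expand_homedirs(specs, home_patterns=HOME_DIR_PATTERNS):
    """Model of genhomedircon: each HOME_DIR spec becomes one concrete regex
    per home root pattern; every other spec passes through unchanged."""
    expanded = []
    for regex, ftype, ctx in specs:
        if regex.startswith("HOME_DIR"):
            for hp in home_patterns:
                expanded.append((hp + regex[len("HOME_DIR"):], ftype, ctx))
        else:
            expanded.append((regex, ftype, ctx))
    return expanded


def match_context(path, specs, ftype=None):
    """Context for path: the last spec whose regex matches the whole path
    (classic file_contexts rule; libselinux's specificity sort is not
    modelled).  A spec with a file type only applies to that type.
    Returns None when nothing matches."""
    result = None
    for regex, spec_ftype, ctx in specs:
        if spec_ftype is not None and ftype is not None and spec_ftype != ftype:
            continue
        if re.fullmatch(regex, path):
            result = ctx
    return result


if __name__ == "__main__":
    specs = parse_fc(PYZOR_FC)
    print("semanage fcontext -l would show:",
          [s[0] for s in semanage_visible(specs)])
    expanded = expand_homedirs(specs)
    for p in ("/home/vchepkov/.pyzor", "/home/vchepkov/.pyzor/servers",
              "/root/.pyzor", "/home/vchepkov/.ssh"):
        print(p, "->", match_context(p, expanded))
```

Running it shows the asymmetry the thread is about: the unexpanded spec list never matches /home/vchepkov/.pyzor, while the expanded list labels it pyzor_home_t, and the only pyzor entry visible through the semanage view is the /root one.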