On 03/26/2015 04:17 PM, Jayson Hurst wrote:
RHEL 6.5
I have tried this using a filetrans pattern but it doesn't seem to work.
> Date: Wed, 25 Mar 2015 09:32:32 +0100
> From: mgrepl(a)redhat.com
> To: swazup(a)hotmail.com; selinux(a)lists.fedoraproject.org
> Subject: Re: How do I create a directory in C that will follow selinux file context rules?
>
> On 03/24/2015 10:45 PM, Jayson Hurst wrote:
> > I need to create a directory in a C binary.
> >
> > I am currently doing something similar to this:
> >
> >
> >
> > status = mkdir("/home/cnd/mod1", S_IRWXU | S_IRWXG | S_IROTH | S_IXOTH);
> >
> >
> >
> > But when the directory is created it ends up with the wrong SELinux context. It inherits its parent's context and not the one defined in file context.
>
> What is your OS?
>
> >
> >
> >
> > Is there a C call that can be used that understands how to correctly create and label SELinux directories?
> >
> >
> >
> >
>
>
> --
> Miroslav Grepl
> Software Engineering, SELinux Solutions
> Red Hat, Inc.
Ok, basically you can add a transition rule for "/home/cnd/mod1"
userdom_user_home_dir_filetrans(unconfined_t, ABC_t, dir)
It will create a dir in /home/cnd with ABC_t labeling for unconfined_t
or for a domain defined by you.
Where you are not able to use a file transition, you can use restorecond
on RHEL6. It uses inotify to watch files listed in
/etc/selinux/restorecond.conf
/etc/selinux/restorecond_user.conf
when they are created and it sets a context defined in the policy.
--
Miroslav Grepl
Software Engineering, SELinux Solutions
Red Hat, Inc.