Paul Howarth wrote:
> Stephen Smalley wrote:
>> On Thu, 2006-04-13 at 08:08 -0400, Stephen Smalley wrote:
>>>> So, my idea was to define everything under my chroot as a new type,
>>>> mock_root_t, and then have a module like this:
>>>>
>>>> module mock 0.2;
>>>>
>>>> require {
>>>> class file execmod;
>>>>
>>>> type unconfined_t;
>>>> type mock_root_t;
>>>> };
>>> Move the mock_root_t type decl outside of the requires block.
>>
>> Oh, and you should really do it like this (similar to my prior
>> discussion about creating a policy module for the samba issue):
>> $ mkdir mock
>> $ cd mock
>> $ vi mock.te
>> i(nsert)
>> policy_module(mock, 0.2)
>>
>> require {
>> type unconfined_t;
>> };
>>
>> type mock_root_t;
>> files_type(mock_root_t) # allow this type to be used for files
>> allow unconfined_t mock_root_t:file execmod;
>> :wq
>> $ touch mock.if mock.fc
>> $ make -f /usr/share/selinux/devel/Makefile
>> $ su
>> # semodule -i mock.pp
> Excellent - thanks.
> Now why isn't this doing what I expect:
> # semanage fcontext -a -t mock_root_t \
> /usr/share/fsdata/mock/'[^/]*/root(/.*)?'
> # mkdir /usr/share/fsdata/mock/redhat-8.0-i386-core/root
> # ls -lZ /usr/share/fsdata/mock/redhat-8.0-i386-core
> drwxrwsr-x paul mock user_u:object_r:usr_t result
> drwxr-sr-x root mock root:object_r:usr_t root
> drwxrwsr-x paul mock user_u:object_r:usr_t state
> # restorecon -v /usr/share/fsdata/mock/redhat-8.0-i386-core/root
> restorecon reset /usr/share/fsdata/mock/redhat-8.0-i386-core/root
> context root:object_r:usr_t->system_u:object_r:mock_root_t
> # ls -lZ /usr/share/fsdata/mock/redhat-8.0-i386-core
> drwxrwsr-x paul mock user_u:object_r:usr_t result
> drwxr-sr-x root mock system_u:object_r:mock_root_t root
> drwxrwsr-x paul mock user_u:object_r:usr_t state
> Why doesn't the directory
> /usr/share/fsdata/mock/redhat-8.0-i386-core/root get created as type
> mock_root_t in the first place rather than having to do the restorecon
> on it?

You need to tell mkdir which context to create it with or write a
transition rule in policy that says when context ABC_t creates files in
directories labeled DEF_T, create them GEH_T.
You can also look at mkdir -Z.

> I suspect this is why Aurelien's %pre script in the awstats package
> failed too.
> Paul.
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
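The two fixes the reply points at, written out as an added example that is not part of the thread: a type_transition rule in the mock module so that directories unconfined_t creates under usr_t get mock_root_t at creation time, and a mkdir wrapper that passes the context the fcontext database expects (so the semanage rule from the thread is honoured without a restorecon). Type names, the module name and the devel Makefile path come from the thread; the function names, the use of matchpathcon -n and GNU stat -c %C for the check, and the module version are assumptions made here. The caveat a practitioner wants: the transition rule below fires for every directory unconfined_t creates inside any usr_t directory, not only ".../root"; policy version 25 and later accept a filename in the rule, which narrows it.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Names mock, mock_root_t,
# unconfined_t and usr_t follow the thread; the helpers are constructed here.

# Fix 1: policy. Emit a mock.te with a type_transition rule so the kernel
# labels a directory mock_root_t when unconfined_t creates it inside a
# usr_t-labeled directory. usr_t must be pulled in via require{}.
mock_te_policy() {
    cat <<'EOF'
policy_module(mock, 0.3)

require {
    type unconfined_t;
    type usr_t;
};

type mock_root_t;
files_type(mock_root_t)

allow unconfined_t mock_root_t:file execmod;

# default label for directories unconfined_t creates under usr_t
type_transition unconfined_t usr_t:dir mock_root_t;
EOF
}

# Build and load the module the way the thread does (devel Makefile +
# semodule). Only call this on a host with the SELinux toolchain.
build_and_install_mock() {
    dir=$(mktemp -d) || return 1
    mock_te_policy > "$dir/mock.te"
    : > "$dir/mock.if"
    : > "$dir/mock.fc"
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile mock.pp ) \
        && semodule -i "$dir/mock.pp"
}

# Extract the type field (third colon-separated field) from a context such
# as user_u:object_r:usr_t or system_u:object_r:mock_root_t:s0. Comparing
# types rather than whole contexts ignores the user/role difference the
# thread's ls -lZ output shows (root vs system_u).
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Fix 2: per command. Ask the fcontext database (the semanage rule) what
# label the path should carry and create the directory with it directly,
# instead of creating it as usr_t and relabeling. Assumes matchpathcon -n
# and mkdir --context= (the long form of the -Z the reply mentions).
mkdir_as_labeled() {
    ctx=$(matchpathcon -n "$1") || return 1
    mkdir --context="$ctx" "$1"
}

# Check: does a path's actual type match the fcontext database? Non-zero
# means a restorecon would change it. Assumes GNU stat's %C format.
label_matches_policy() {
    actual=$(stat -c %C "$1") || return 1
    expected=$(matchpathcon -n "$1") || return 1
    [ "$(context_type "$actual")" = "$(context_type "$expected")" ]
}
```

Usage on an SELinux host: `build_and_install_mock`, then `mkdir_as_labeled /usr/share/fsdata/mock/redhat-8.0-i386-core/root` and `label_matches_policy` on the same path; with the transition rule loaded, a plain mkdir from an unconfined shell should also pass the check.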