On 7/13/19 7:16 AM, James Ralston wrote:
On Fri, Jul 12, 2019 at 4:42 PM Ed Greshko
> So, kindly indulge me, I have a few follow-up questions. Aside
> from my needing to look for information on what a "FILE transition
> rule" is....
> Looking at this sequence:
> [maria@meimei .local]$ ls -Zd share
> unconfined_u:object_r:data_home_t:s0 share
> [maria@meimei .local]$ cd share
> [maria@meimei share]$ ls -Z certificates
> ls: cannot access 'certificates': No such file or directory
> [maria@meimei share]$ mkdir certificates
> [maria@meimei share]$ ls -Zd certificates/
> unconfined_u:object_r:home_cert_t:s0 certificates/
> 1. Tells me a "FILE transition rule" exists, yes?
Yes, because the file you created did not inherit the data_home_t
label from the parent directory.
(Some special applications that have specific SELinux knowledge can
request that a file be created with a specific context, but "mkdir"
does not do this.)
> 2. How to list existing "FILE transition rules"?
$ sesearch --type_trans --source unconfined_t --default home_cert_t
type_transition unconfined_t config_home_t:dir home_cert_t "certificates";
type_transition unconfined_t data_home_t:dir home_cert_t "certificates";
type_transition unconfined_t user_home_dir_t:dir home_cert_t ".cert";
type_transition unconfined_t user_home_dir_t:dir home_cert_t ".pki";
type_transition unconfined_t user_home_dir_t:dir home_cert_t "certificates";
> 3. Wouldn't it be advisable that files such as "rc" files, which a
> user may create in their home directory and which belong to well-known
> standard programs, have "FILE transition rules" already in
Contexts for many well-known dotfiles do have them. But
fetchmail_home_t doesn't, at least in recent Fedora SELinux policy:
$ sesearch --type_trans --default fetchmail_home_t; echo END
Perhaps file an upstream enhancement request with your distro to add
the missing file transition rules for fetchmail?
Thanks Much! Exactly what I needed to know.
Right: I dislike the default color scheme Wrong: What idiot picked the default color
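The lookup the kernel performs for the mkdir above (a name-based type_transition first, then an unnamed one for the same source/target/class, else the new object inherits the parent directory's type), as an added example that is not part of this thread: a small Python parser over the sesearch lines quoted earlier. The function names are mine, and the rule set is only what the thread shows; on a real system the rules come from sesearch, not a pasted string.

```python
import re
from typing import NamedTuple, Optional

# The five sesearch lines quoted in the thread; the fetchmail_home_t query printed nothing.
SESEARCH_OUTPUT = """\
type_transition unconfined_t config_home_t:dir home_cert_t "certificates";
type_transition unconfined_t data_home_t:dir home_cert_t "certificates";
type_transition unconfined_t user_home_dir_t:dir home_cert_t ".cert";
type_transition unconfined_t user_home_dir_t:dir home_cert_t ".pki";
type_transition unconfined_t user_home_dir_t:dir home_cert_t "certificates";
"""

# type_transition SOURCE TARGET:CLASS DEFAULT ["NAME"];   (the quoted name is optional)
RULE_RE = re.compile(r'^type_transition\s+(\S+)\s+(\S+):(\S+)\s+(\S+?)(?:\s+"([^"]*)")?;\s*$')


class Rule(NamedTuple):
    source: str          # domain of the creating process, e.g. unconfined_t
    target: str          # type of the parent directory
    tclass: str          # object class being created (dir, file, ...)
    default: str         # type the new object receives
    name: Optional[str]  # None for a class-wide rule, else the exact file name


def parse_rules(text: str) -> list:
    """Parse sesearch --type_trans output into Rule tuples, skipping anything that is not a rule."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append(Rule(*m.groups()))
    return rules


def label_for_new_object(rules: list, source: str, parent_type: str, tclass: str, name: str) -> str:
    """Return the type a new object gets: named rule beats unnamed rule beats inheriting the parent."""
    matching = [r for r in rules if (r.source, r.target, r.tclass) == (source, parent_type, tclass)]
    named = [r for r in matching if r.name == name]
    if named:
        return named[0].default
    unnamed = [r for r in matching if r.name is None]
    if unnamed:
        return unnamed[0].default
    return parent_type  # no rule applies: label is inherited from the parent directory


if __name__ == "__main__":
    rules = parse_rules(SESEARCH_OUTPUT)
    # mkdir certificates inside a data_home_t directory, as in the thread
    print(label_for_new_object(rules, "unconfined_t", "data_home_t", "dir", "certificates"))
    # a differently named directory has no rule here and keeps data_home_t
    print(label_for_new_object(rules, "unconfined_t", "data_home_t", "dir", "notes"))
```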