On Sat, Mar 13, 2021 at 7:24 PM SZIGETVÁRI János <jszigetvari(a)gmail.com> wrote:
Dear Members,
I am maintaining a SELinux policy module for an application (A) and one of
its submodules (B).
By now I have reached a point where all the rules seem to be in place, and
both A and B processes transition to their respective process labels, and
have their associated file types, the related permissions and file paths
set up.
My problem is that even though a process of B is running with the B
process label, it is supposed to create some files and directories of its
own under a directory that has a label related to A. The B process has the
necessary rights to create those directories and files underneath the
directory with the label belonging to A. The problem is that the files
created by the process B will not be created with the file label belonging
to B, but seem to inherit the label from the parent directory, that has a
label belonging to A. This happens in spite of having the file contexts and
paths set up correctly in the module's fc rules.
So if I run restorecon on the files that were just created (by B, but have
a label belonging to A), it will (re)set them to the file labels I intended
them to have originally.
How can I overcome this problem? This behavior causes an ugly logical flaw
in the logical design of my SELinux modules.
Hi,
If I understand correctly, you need to have files with different contexts
coexist in one directory.
New filesystem objects inherit the context from their directory by default,
but a different context can be set in the policy, too, using file
transitions. You have two options: change the context depending on the
creating process, or based on the filename.
Refer e.g. to
https://danwalsh.livejournal.com/43170.html
for more information, or to existing examples in the policy, and let me know
if you have any further questions.
Thanks in advance for any help!
Best Regards,
János Szigetvári
--
Janos SZIGETVARI
RHCE, License no. 150-053-692 <https://www.redhat.com/rhtapps/verify/?certId=150-053-692>
LinkedIn: linkedin.com/in/janosszigetvari
E-mail: janos(a)szigetvari.com, jszigetvari(a)gmail.com
Web: janos.szigetvari.com
_______________________________________________
selinux mailing list -- selinux(a)lists.fedoraproject.org
--
Zdenek Pytela
Security SELinux team
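The two mechanisms described in the reply above, written out as an added example (this is not part of the thread and not the poster's actual module): a small refpolicy-style module that uses the `filetrans_pattern()` macro so that objects created by B's domain inside A's directory get B's type instead of inheriting A's. The type names `appa_var_lib_t`, `appb_t` and `appb_var_lib_t`, the path `/var/lib/appa/b-work` and the module name `appb_transitions` are assumptions standing in for A and B.

```shell
#!/usr/bin/env bash
# Added example (not the poster's module): file transitions that give objects
# created by B's domain their own type inside A's directory.
# Assumed (hypothetical) names: appa_var_lib_t = A's directory type,
# appb_t = B's process domain, appb_var_lib_t = B's file type,
# /var/lib/appa/b-work = the directory B creates under A's directory.
set -eu

MODULE=appb_transitions

# Policy source. Both options from the reply are shown; in a real module pick
# the one that matches how B names the objects it creates.
gen_te() {
cat <<'EOF'
policy_module(appb_transitions, 1.0.0)

require {
    type appa_var_lib_t;
    type appb_t;
    type appb_var_lib_t;
}

# Option 1: transition keyed on the creating domain. Every file or directory
# that appb_t creates directly inside an appa_var_lib_t directory gets
# appb_var_lib_t instead of inheriting appa_var_lib_t. filetrans_pattern()
# also grants appb_t rw_dir_perms on the parent directory.
filetrans_pattern(appb_t, appa_var_lib_t, appb_var_lib_t, { dir file })

# Option 2: named file transition, keyed on the creating domain AND the exact
# entry name. Only an entry literally called "b-work" is affected; anything
# else appb_t creates there still inherits appa_var_lib_t. Files B then
# creates inside b-work inherit appb_var_lib_t from it with no further rule.
# Needs named-transition support (Linux >= 2.6.39, policy version >= 25).
filetrans_pattern(appb_t, appa_var_lib_t, appb_var_lib_t, dir, "b-work")
EOF
}

# The fc entry must still exist: type_transition only acts at creation time,
# while restorecon and a full relabel consult the fc database. Without it a
# relabel would flip B's files back to appa_var_lib_t.
gen_fc() {
cat <<'EOF'
/var/lib/appa/b-work(/.*)?    gen_context(system_u:object_r:appb_var_lib_t,s0)
EOF
}

# Build with the refpolicy development Makefile (selinux-policy-devel) and load.
build_and_install() {
    gen_te > "$MODULE.te"
    gen_fc > "$MODULE.fc"
    make -f /usr/share/selinux/devel/Makefile "$MODULE.pp"
    semodule -i "$MODULE.pp"
}

# Checks to run after loading the module.
verify() {
    # Show the loaded type_transition rules for appb_t on appa_var_lib_t (setools).
    sesearch -T -s appb_t -t appa_var_lib_t
    # The fc database should name the same type the transition produces.
    matchpathcon /var/lib/appa/b-work
    # Objects created before the module was loaded keep their old label; relabel once.
    restorecon -Rv /var/lib/appa
}

if [ "${1:-}" = "install" ]; then
    build_and_install
    verify
fi
```

Run with `install` as the argument on the target host. Option 1 is the direct answer to the question as asked (files and directories, whatever their names); option 2 is the narrower rule and is preferable when B always creates a known entry name, because a domain-only rule also relabels anything else B happens to create in any `appa_var_lib_t` directory. Either way the `.fc` entry stays: the transition rule and the file contexts must agree, or `restorecon` and the transition will keep disagreeing about the label.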