One thing I realized using sepolgen is that it rejects filenames that have "." in them.
In the example below, I was trying to label "runSeed.sh", so maybe the fact that it has a "." in it broke the labeling?

In any case, I reran sepolgen again and renamed the script to be CZwd (instead of runSeed.sh).
With that, the files get labeled properly now:

[proxyuser@lime target]$ ls -lZ CZwd
-rwxrwxr-x. proxyuser proxyuser system_u:object_r:CZwd_exec_t:s0 CZwd


Michael


On 7/26/2011 12:17 PM, Michael Atighetchi wrote:
Hi Dominick,
responses inline below.

On 7/26/2011 11:25 AM, Dominick Grift wrote:

On Tue, 2011-07-26 at 09:33 +0200, Michael Atighetchi wrote:
system_u:object_r:CZtp_exec_t:s0
/home/proxyuser/trunk/aps-base/crumple-zone/target/runSeed.sh regular file       system_u:object_r:CZwd_exec_t:s0
Maybe you have not declared the CZwd_exec_t type properly. Would need to
see your policy to be able to determine that.
Here is the policy:

policy_module(CZwd,1.0.0)

########################################
#
# Declarations
#

type CZwd_t;
type CZwd_exec_t;
application_domain(CZwd_t, CZwd_exec_t)
role system_r types CZwd_t;

permissive CZwd_t;

########################################
#
# CZwd local policy
#

allow CZwd_t self:fifo_file manage_fifo_file_perms;
allow CZwd_t self:unix_stream_socket create_stream_socket_perms;

domain_use_interactive_fds(CZwd_t)

files_read_etc_files(CZwd_t)

miscfiles_read_localization(CZwd_t)

gen_require(` type unconfined_t; role unconfined_r; ')
CZwd_role(unconfined_r, unconfined_t)



Types have properties. For example, some types are domain types, others
file types, executable file types, port types, etc.

Type attributes are used to tell SELinux what type it is dealing with.
It is kind of like grouping/classifying/tagging types. Rules are in
place that are specific to various groups of types.

For you to be able to for example relabel a type of a file object, the
type will need to be classified as a file type, because there is a rule
that states that files can only be labelled with file types.
I see - the policy above doesn't seem to specify a property on the type.
So if you have not classified your CZwd_exec_t to be a file type then it
may or may not be the cause of this issue.

How do I add the type to the policy? Any idea what other mistakes can cause this behavior?

For what it is worth, I generated the CZwd.* files by copying the files from a previous invocation of sepolgen and
replacing all references from the previous file to the new file. It is only for this process that I have the labeling problems.
For other processes, I explicitly called sepolgen from scratch.

I've attached the current set of files for CZwd.

Michael






-- 
Michael Atighetchi
Senior Scientist
Raytheon BBN Technologies
617-873-1679
matighet@bbn.com