Hi people,
I have the following policy versions installed:
  selinux-policy-3.3.1-107.fc9.noarch
  selinux-policy-devel-3.3.1-107.fc9.noarch
  selinux-policy-targeted-3.3.1-107.fc9.noarch
I created an SELinux policy and generated the following file contexts:
  [root@MALTA konsu]# semanage fcontext -l | grep yule
  /etc/init.d/yule          regular file   system_u:object_r:yule_script_exec_t:s0
  /var/run/yule.pid         regular file   system_u:object_r:yule_var_run_t:s0
  /var/log/yule(/.*)?       regular file   system_u:object_r:yule_log_t:s0
  /var/lib/yule(/.*)?       regular file   system_u:object_r:yule_var_lib_t:s0
  /etc/yulerc               regular file   system_u:object_r:yule_config_t:s0
  /usr/local/sbin/yule      regular file   system_u:object_r:yule_exec_t:s0
All the files seem to become labelled normally as expected, except /etc/init.d/yule:
  [root@MALTA konsu]# restorecon -R -v /etc/init.d/yule
  [root@MALTA konsu]# ls -lrtZ /etc/init.d/yule
  -rwx------ root root system_u:object_r:initrc_exec_t:s0 /etc/init.d/yule
I cannot get rid of initrc_exec_t. Although my script is still confined correctly, I would like to label this file normally. Is there a reason why restorecon fails?
Many thanks,
Konrad
fedora-selinux-list
On Mon, Dec 01, 2008 at 23:47:04 +0100, Konrad Azzopardi konrad.azzopardi@gmail.com wrote:
> I cannot get rid of initrc_exec_t. Although my script is still confined correctly, I would like to label this file normally. Is there a reason why restorecon fails?
My guess would be that the last matching rule for /etc/init.d/yule is not the one you have shown. As far as I can tell the management of rules for restorecon is not complete, as there isn't any easy way to order the rules. For add-on rules you can delete existing ones and re-add them to put them at the end of the list. That is a pain.
I don't think a list of re's matching complete paths that is order dependent is the best way to solve this problem. I think it would be better to have something that matched the tree structure of the file system.
Believe it or not, a reboot fixed it, and this is not Windows :)
On Tue, Dec 2, 2008 at 12:03 AM, Bruno Wolff III bruno@wolff.to wrote:
> On Mon, Dec 01, 2008 at 23:47:04 +0100, Konrad Azzopardi konrad.azzopardi@gmail.com wrote:
> > I cannot get rid of initrc_exec_t. Although my script is still confined correctly, I would like to label this file normally. Is there a reason why restorecon fails?
> My guess would be that the last matching rule for /etc/init.d/yule is not the one you have shown. As far as I can tell the management of rules for restorecon is not complete, as there isn't any easy way to order the rules. For add-on rules you can delete existing ones and re-add them to put them at the end of the list. That is a pain.
> I don't think a list of re's matching complete paths that is order dependent is the best way to solve this problem. I think it would be better to have something that matched the tree structure of the file system.
Konrad Azzopardi wrote:
> Hi people,
> I have the following policy versions installed:
>   selinux-policy-3.3.1-107.fc9.noarch
>   selinux-policy-devel-3.3.1-107.fc9.noarch
>   selinux-policy-targeted-3.3.1-107.fc9.noarch
> I created an SELinux policy and generated the following file contexts:
>   [root@MALTA konsu]# semanage fcontext -l | grep yule
>   /etc/init.d/yule          regular file   system_u:object_r:yule_script_exec_t:s0
>   /var/run/yule.pid         regular file   system_u:object_r:yule_var_run_t:s0
>   /var/log/yule(/.*)?       regular file   system_u:object_r:yule_log_t:s0
>   /var/lib/yule(/.*)?       regular file   system_u:object_r:yule_var_lib_t:s0
>   /etc/yulerc               regular file   system_u:object_r:yule_config_t:s0
>   /usr/local/sbin/yule      regular file   system_u:object_r:yule_exec_t:s0
> All the files seem to become labelled normally as expected, except /etc/init.d/yule:
>   [root@MALTA konsu]# restorecon -R -v /etc/init.d/yule
>   [root@MALTA konsu]# ls -lrtZ /etc/init.d/yule
>   -rwx------ root root system_u:object_r:initrc_exec_t:s0 /etc/init.d/yule
> I cannot get rid of initrc_exec_t. Although my script is still confined correctly, I would like to label this file normally. Is there a reason why restorecon fails?
> Many thanks,
> Konrad
Make sure you escape the "."s. The regular expression matching does not always work as expected.
> /etc/init.d/yule          regular file   system_u:object_r:yule_script_exec_t:s0
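Bruno's ordering point and Dan's escaping point together, as an added example that is not part of the thread: a small Python emulation of how file context specs are evaluated (the last matching entry wins and each regex is matched against the whole path, as libselinux does), run over a constructed rule set rather than the real Fedora 9 policy. The base entries, the probe paths and the helper names are assumptions made for the example.

```python
import re

# Constructed stand-ins for file_contexts entries, in file order. libselinux
# gives later entries precedence: the LAST matching entry decides the label.
BASE_SPECS = [
    (r"/etc/rc\.d/init\.d/.*", "system_u:object_r:initrc_exec_t:s0"),
    (r"/etc/init\.d/.*",       "system_u:object_r:initrc_exec_t:s0"),
]
# The rule from the thread as semanage printed it: the "." is unescaped.
YULE_SPEC = ("/etc/init.d/yule", "system_u:object_r:yule_script_exec_t:s0")


def label_for(path, specs):
    """Context assigned to path by the last matching spec, or None.
    Each regex is matched against the whole path, as libselinux does."""
    for regex, context in reversed(specs):
        if re.fullmatch(regex, path):
            return context
    return None


def escape_dots(regex):
    """Escape each '.' meant as a literal dot. Heuristic: a dot that is
    already escaped or is followed by a quantifier (e.g. '.*') is left alone."""
    return re.sub(r"(?<!\\)\.(?![*+?])", r"\\.", regex)


def also_matched(regex, candidates):
    """Paths from candidates that the regex matches, to expose over-broad rules."""
    return [p for p in candidates if re.fullmatch(regex, p)]


if __name__ == "__main__":
    path = "/etc/init.d/yule"
    # Bruno's point: the same rule set labels the file differently depending
    # on which matching entry comes last.
    print("rule last :", label_for(path, BASE_SPECS + [YULE_SPEC]))
    print("rule first:", label_for(path, [YULE_SPEC] + BASE_SPECS))
    # Dan's point: an unescaped "." matches any character, not only a dot.
    probe = ["/etc/init.d/yule", "/etc/initXd/yule"]
    print("unescaped :", also_matched(YULE_SPEC[0], probe))
    print("escaped   :", also_matched(escape_dots(YULE_SPEC[0]), probe))
```

On a real system, matchpathcon /etc/init.d/yule reports which context the installed specs actually select for that path, which is the quickest way to tell whether your rule is the one that wins.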