On 7/11/19 10:44 AM, Ed Greshko wrote: > Hi, > > I'm not well versed in selinux and I rarely have run into issues with it.  > > However, one point that I thought was true doesn't seem to be true.  I was under the > impression that when a file is created and the context for it is defined in the policy it > would acquire it. > > For example, > > [egreshko@meimei ~]$ pwd > /home/egreshko > > [egreshko@meimei ~]$ touch .fetchmailrc > [egreshko@meimei ~]$ ls -Z .fetchmailrc > unconfined_u:object_r:user_home_t:s0 .fetchmailrc > > [egreshko@meimei ~]$ restorecon .fetchmailrc > [egreshko@meimei ~]$ ls -Z .fetchmailrc > unconfined_u:object_r:fetchmail_home_t:s0 .fetchmailrc > > Shouldn't the context have been correct when the file was created?  How is an average user > to know they may need to add the additional step. > File label with full path should be defined in policy: emanage fcontext -l | grep fetchmailrc /etc/fetchmailrc regular file system_u:object_r:fetchmail_etc_t:s0 /home/[^/]+/\.fetchmailrc regular file unconfined_u:object_r:fetchmail_home_t:s0 /home/lvrabec/\.fetchmailrc regular file staff_u:object_r:fetchmail_home_t:s0 /root/\.fetchmailrc regular file system_u:object_r:fetchmail_home_t:s0 So restorecon did its job and restore it correctly. But you created that file as unconfined_t. (type: "id -Z" in terminal) And there is no FILE transition rule which should say what should be the newly created file label, so it's inherits label from directory, which is user_home_t.

On Fri, Jul 12, 2019 at 4:42 PM Ed Greshko <ed.greshko(a)greshko.com&gt; wrote: > So, kindly indulge me, I have a few of follow up questions. Aside > from my needing to look for information on what a "FILE transition > rule" is.... > > Looking at this sequence: > > [maria@meimei .local]$ ls -Zd share > unconfined_u:object_r:data_home_t:s0 share > [maria@meimei .local]$ cd share > [maria@meimei share]$ ls -Z certificates > ls: cannot access 'certificates': No such file or directory > [maria@meimei share]$ mkdir certificates > [maria@meimei share]$ ls -Zd certificates/ > unconfined_u:object_r:home_cert_t:s0 certificates/ > > 1. Tells me a "FILE transition rule" exists, yes? Yes, because the file you created did not inherit the data_home_t label from the parent directory. (Some special applications that have specific SELinux knowledge can request that a file be created with a specific context, but "mkdir" does not do this.) > 2. How to list existing "FILE transition rules"? $ sesearch --type_trans --source unconfined_t --default home_cert_t type_transition unconfined_t config_home_t:dir home_cert_t "certificates"; type_transition unconfined_t data_home_t:dir home_cert_t "certificates"; type_transition unconfined_t user_home_dir_t:dir home_cert_t ".cert"; type_transition unconfined_t user_home_dir_t:dir home_cert_t ".pki"; type_transition unconfined_t user_home_dir_t:dir home_cert_t "certificates"; > 3. Wouldn't it be advisable the files such as "rc" files which a > user may create in their home directory and are well known > standard programs have "FILE transition rules" already in > existence? Contexts for many well-known dotfiles do have them. But fetchmail_home_t doesn't, at least in recent Fedora SELinux policy: $ sesearch --type_trans --default fetchmail_home_t; echo END END Perhaps file an upstream enhancement request with your distro to add the missing file transition rules for fetchmail?