Hi,
I'm having issues with getting files labeled correctly.
First, some background:
[proxyuser@lime selinux]$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 24
Policy from config file:        targeted
[proxyuser@lime selinux]$ cat /etc/redhat-release
Fedora release 14 (Laughlin)
Here is the problem: I have set up the following file contexts:
[proxyuser@lime selinux]$ sudo semanage fcontext -l | grep aps-base
/home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp          regular file    system_u:object_r:CZtp_exec_t:s0
/home/proxyuser/trunk/aps-base/crumple-zone/target/runSeed.sh    regular file    system_u:object_r:CZwd_exec_t:s0
Relabeling for one of the files succeeds:
sudo restorecon -F -R -v /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp
[proxyuser@lime selinux]$ ls -lZ /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp
-rwxr-xr-x. proxyuser proxyuser system_u:object_r:CZtp_exec_t:s0 /home/proxyuser/trunk/aps-base/crumple-zone/target/CZtp
However, relabeling of the other file silently fails:
[proxyuser@lime selinux]$ sudo restorecon -F -R -v /home/proxyuser/trunk/aps-base/crumple-zone/target/runSeed.sh
[proxyuser@lime selinux]$ ls -lZ /home/proxyuser/trunk/aps-base/crumple-zone/target/runSeed.sh
-rwxrwxr-x. proxyuser proxyuser unconfined_u:object_r:user_home_t:s0 /home/proxyuser/trunk/aps-base/crumple-zone/target/runSeed.sh
What am I missing?
On Tue, 2011-07-26 at 09:33 +0200, Michael Atighetchi wrote:
system_u:object_r:CZtp_exec_t:s0
/home/proxyuser/trunk/aps-base/crumple-zone/target/runSeed.sh    regular file    system_u:object_r:CZwd_exec_t:s0
Maybe you have not declared the CZwd_exec_t type properly. Would need to see your policy to be able to determine that.
Types have properties. For example, some types are domain types, others are file types, executable file types, port types, etc.
Type attributes are used to tell SELinux what type it is dealing with. It is kind of like grouping/classifying/tagging types. Rules are in place that are specific to various groups of types.
For you to be able to, for example, relabel a file object with a type, the type will need to be classified as a file type, because there is a rule that states that files can only be labelled with file types.
So if you have not classified your CZwd_exec_t to be a file type, then it may or may not be the cause of this issue.
Hi Dominick, responses inline below.
On 7/26/2011 11:25 AM, Dominick Grift wrote:
On Tue, 2011-07-26 at 09:33 +0200, Michael Atighetchi wrote:
system_u:object_r:CZtp_exec_t:s0
/home/proxyuser/trunk/aps-base/crumple-zone/target/runSeed.sh    regular file    system_u:object_r:CZwd_exec_t:s0
Maybe you have not declared the CZwd_exec_t type properly. Would need to see your policy to be able to determine that.
Here is the policy:
policy_module(CZwd,1.0.0)

########################################
#
# Declarations
#

type CZwd_t;
type CZwd_exec_t;
application_domain(CZwd_t, CZwd_exec_t)
role system_r types CZwd_t;

permissive CZwd_t;

########################################
#
# CZwd local policy
#

allow CZwd_t self:fifo_file manage_fifo_file_perms;
allow CZwd_t self:unix_stream_socket create_stream_socket_perms;

domain_use_interactive_fds(CZwd_t)
files_read_etc_files(CZwd_t)
miscfiles_read_localization(CZwd_t)

gen_require(`
	type unconfined_t;
	role unconfined_r;
')

CZwd_role(unconfined_r, unconfined_t)
Types have properties. For example, some types are domain types, others are file types, executable file types, port types, etc.
Type attributes are used to tell SELinux what type it is dealing with. It is kind of like grouping/classifying/tagging types. Rules are in place that are specific to various groups of types.
For you to be able to, for example, relabel a file object with a type, the type will need to be classified as a file type, because there is a rule that states that files can only be labelled with file types.
I see - the policy above doesn't seem to specify a property on the type.
So if you have not classified your CZwd_exec_t to be a file type, then it may or may not be the cause of this issue.
How do I add the type to the policy? Any idea what other mistakes can cause this behavior?
For what it is worth, I generated the CZwd.* files by copying the files from a previous invocation of sepolgen and replacing all references from the previous file to the new file. It is only for this process that I have the labeling problems. For other processes, I explicitly called sepolgen from scratch.
I've attached the current set of files for CZwd.
Michael
On Tue, 2011-07-26 at 12:17 +0200, Michael Atighetchi wrote:
type CZwd_t;
type CZwd_exec_t;
application_domain(CZwd_t, CZwd_exec_t)
role system_r types CZwd_t;
I see - the policy above doesn't seem to specify a property on the type.
It does. The application_domain() assigns the proper attributes to the second parameter (CZwd_exec_t). So this type is a usable executable file type.
I've attached the current set of files for CZwd.
So the type for the "/home/proxyuser/trunk/aps-base/crumple-zone/target/runSeed.sh" file is declared and is a usable application executable type.
We can confirm this:
seinfo -x -tCZwd_exec_t
This should output at least "application_exec_type".
Maybe the file context specification is not proper, so we should verify this as well:
matchpathcon /home/proxyuser/trunk/aps-base/crumple-zone/target/runSeed.sh
This should return the expected security context (type CZwd_exec_t). If it does not return the expected file context specification, then there is something wrong with your file context specification.
One thing I realized using sepolgen is that it rejects filenames that have "." in them. In the example below, I was trying to label "runSeed.sh", so maybe the fact that it has a "." in it broke the labeling?
In any case, I reran sepolgen and renamed the script to CZwd (instead of runSeed.sh). With that, the file gets labeled properly now:
[proxyuser@lime target]$ ls -lZ CZwd
-rwxrwxr-x. proxyuser proxyuser system_u:object_r:CZwd_exec_t:s0 CZwd
Michael
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
On Tue, 2011-07-26 at 12:28 +0200, Michael Atighetchi wrote:
One thing I realized using sepolgen is that it reject filenames that have "." in them. In the example below, I was trying to label "runSeed.sh", so maybe the fact that it has a "." in it broke the labeling ?
Yes, sometimes you need to escape dots.
The matchpathcon should expose that.
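As an added example (not code from the thread), the following shell script wraps the three checks Dominick lists above (seinfo -x -t, matchpathcon, ls -Z) and his point about unescaped dots in a file-context spec, so the results can be compared rather than eyeballed. The parsing functions, the check_path driver and the sample inputs are my own; the matchpathcon and ls -Z formats are taken from the thread, and the seinfo format (an indented attribute list) is assumed from setools 3.

```shell
#!/bin/sh
# Added example, not code from the thread.  Wraps the checks Dominick
# suggests (seinfo -x -t, matchpathcon, ls -Z) so the results can be
# compared instead of eyeballed.  Output formats are assumed from the
# thread (matchpathcon, ls -Z) and from setools 3 (seinfo prints the
# type's attributes as an indented list).

# Third colon-separated field of "user:role:type:level".
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# matchpathcon prints "<path><tab><context>": return the type it resolves to.
expected_type() {
    context_type "$(printf '%s\n' "$1" | awk '{ print $NF }')"
}

# ls -Z / ls -lZ: the context is the field containing ":object_r:".
current_type() {
    context_type "$(printf '%s\n' "$1" |
        awk '{ for (i = 1; i <= NF; i++) if ($i ~ /:object_r:/) print $i }')"
}

# seinfo -x -tTYPE output: is attribute $2 among the listed attributes?
has_attribute() {
    printf '%s\n' "$1" | grep -q "^[[:space:]]*$2\$"
}

# A file_contexts spec is a regular expression: an unescaped "." matches
# any single character, so "runSeed.sh" also covers "runSeed_sh".
# spec_covers SPEC PATH
spec_covers() {
    printf '%s\n' "$2" | grep -Eq "^$1\$"
}

# Run the real tools on one path and report anything that disagrees with
# the wanted type.  Usage: check_path /path/to/file CZwd_exec_t
check_path() {
    path=$1 want=$2 rc=0
    spec=$(expected_type "$(matchpathcon "$path")")
    cur=$(current_type "$(ls -Z "$path")")
    [ "$spec" = "$want" ] ||
        { echo "spec resolves to $spec, not $want: check semanage fcontext -l"; rc=1; }
    [ "$cur" = "$spec" ] ||
        { echo "on-disk label is $cur, spec says $spec: restorecon did not apply"; rc=1; }
    has_attribute "$(seinfo -x -t"$want")" file_type ||
        { echo "$want lacks the file_type attribute: check the type declaration"; rc=1; }
    return "$rc"
}

if [ $# -eq 2 ]; then
    check_path "$1" "$2"
fi
```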
On 7/26/2011 12:29 PM, Dominick Grift wrote:
On Tue, 2011-07-26 at 12:28 +0200, Michael Atighetchi wrote:
One thing I realized using sepolgen is that it rejects filenames that have "." in them. In the example below, I was trying to label "runSeed.sh", so maybe the fact that it has a "." in it broke the labeling?
Yes, sometimes you need to escape dots.
The matchpathcon should expose that.
Thanks a bunch - I got things working by removing the "." in the filename and rerunning sepolgen on the new file.
Support on this mailing list rocks!
Michael
On 07/26/2011 06:38 AM, Michael Atighetchi wrote:
Could you attach the policy that was generated with the . in the file name? Also what version of sepolgen were you using?
Hi Daniel,
I'm using sepolgen from policycoreutils-gui-2.0.85-28.fc14.x86_64.
The policy file that I hand modified (and caused the labeling problems) was attached to the previous email.
Note that sepolgen refuses to generate policies for files that have a "." in them, which seems like a pretty significant restriction.
Here is the trace:
[proxyuser@lime selinux]$ sepolgen -t 3 /home/proxyuser/trunk/aps-base/crumple-zone/target/runSeed.sh
Name must be alpha numberic with no spaces.
sepolgen [ -m ] [ -t type ] [ executable | Name ]
valid Types:
    0    Standard Init Daemon
    1    DBUS System Daemon
    2    Internet Services Daemon
    3    User Application
    4    Web Application/Script (CGI)
    5    Minimal X Windows User Role
    6    Minimal Terminal User Role
    7    User Role
    8    Admin User Role
    10   Root Admin User Role
    11   Sandbox
[proxyuser@lime selinux]$
So long,
Michael
On 07/26/2011 09:53 AM, Michael Atighetchi wrote:
Try
sepolgen -n runseed -t 3 /home/proxyuser/trunk/aps-base/crumple-zone/target/runSeed.sh
The usage message should mention this field.
I will add a patch to output the following:
# sepolgen -t 3 /home/proxyuser/trunk/aps-base/crumple-zone/target/runSeed.sh
Name must be alpha numberic with no spaces. Consider using option "-n MODULENAME"
sepolgen [ -n moduleName ] [ -m ] [ -t type ] [ executable | Name ]
valid Types:
    0    Standard Init Daemon
    1    DBUS System Daemon
    2    Internet Services Daemon
    3    User Application
    4    Web Application/Script (CGI)
    5    Minimal X Windows User Role
    6    Minimal Terminal User Role
    7    User Role
    8    Admin User Role
    10   Root Admin User Role
    11   Sandbox
Got it - thanks.
Michael