Finally I found the problem: the .fc file was really still using the Ubuntu directory
structure (/usr/bin/virtualbox); unfortunately I didn't notice that this was different
from the locations /usr/bin/ and /usr/lib/virtualbox where I found the binaries in
question. --> blind me! :-(
Thanks a lot for the help!
-----Original Message-----
From: selinux-bounces(a)lists.fedoraproject.org
[mailto:selinux-bounces@lists.fedoraproject.org] On behalf of
selinux->request(a)lists.fedoraproject.org
Sent: Tuesday, 22 February 2011 13:00
To: selinux(a)lists.fedoraproject.org
Subject: selinux Digest, Vol 84, Issue 10
4. Re: need to superseed default file context for virtualbox
files but no method works (Dominick Grift)
Message: 4
Date: Mon, 21 Feb 2011 16:22:42 +0100
From: Dominick Grift <domg472(a)gmail.com>
Subject: Re: need to superseed default file context for virtualbox
files but no method works
To: selinux(a)lists.fedoraproject.org
Message-ID: <4D628342.8070102(a)gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> On 02/21/2011 04:15 PM, Andreas Bolatzki wrote:
> Hello All
>
> I am working on Fedora 13 and VirtualBox 3.2
>
> Currently I try to apply a selinux module that has been created with
> ubuntu to Fedora 13. Because I believe I understand what it should do I
> just tried to make it run under F-13.
> I have three files: vbox.te, vbox.if, vbox.fc to create a policy module.
>
> After making the vbox.pp I can load it with "semodule -I vbox.pp" and
> the module shows up in semodule -l correctly.
> The motivation to change these file-contexts is to prepare for correct
> type-transition rules so they match the defined rules.
>
> Unfortunately the file-context is never set as needed and as described
> in the vbox.fc.
>
> When I check .../file_contexts the correct statements are included but
> they happen to appear later than something that was there before... (or
> is there if the module is removed):
> # matchpathcon /usr/lib/virtualbox/
> /usr/lib/virtualbox system_u:object_r:lib_t:s0
> # matchpathcon -f f13vbox.fc /usr/lib/virtualbox/
> /usr/lib/virtualbox <<none>>
>
> Next I tried to do it with semanage fcontext -t
> [~]$ sudo semanage fcontext -a -t vbox_manage_exec_t
> /usr/lib/virtualbox/VboxManage
> [~]$ ls -lZ /usr/lib/virtualbox/VBoxManage
> -rwxr-xr-x. root root system_u:object_r:lib_t:s0
> /usr/lib/virtualbox/VBoxManage
That semanage command above only adds a new file context specification.
You have to restore the context after that to actually apply the
specified file context.
ANDREAS: OK, the problem is that something supersedes my module!
ANDREAS: The restorecon does nothing first...
ANDREAS: [~]# restorecon -v /usr/lib/virtualbox/VBoxSDL
ANDREAS: [~]# chcon -t vbox_vbox_exec_t /usr/lib/virtualbox/VBoxSDL
ANDREAS: [~]# restorecon -v /usr/lib/virtualbox/VBoxSDL
ANDREAS: restorecon reset /usr/lib/virtualbox/VBoxSDL context system_u:object_r:vbox_vbox_exec_t:s0->system_u:object_r:lib_t:s0
ANDREAS: [~]#
ANDREAS: --->> Finally I found the problem: the .fc file was really still using the
Ubuntu directory structure (/usr/bin/virtualbox); unfortunately I didn't notice that
this was different from /usr/bin/ and /usr/lib/virtualbox, where I found the binaries in
question. --> blind me! :-(
Thanks a lot for the help!
> I 'd expect that the lib_t is replaced by vbox_manage_exec_t.
> What is the problem? My understanding of what should happen might be
> wrong...
>
> Thanks for your answers.
>
> Andreas
>
> ---
> Contents of vbox.fc
> /dev/vboxdrv gen_context(system_u:object_r:vbox_run_t,s0)
> /dev/vboxnetctl gen_context(system_u:object_r:vbox_run_t,s0)
> /usr/lib/virtualbox gen_context(system_u:object_r:vbox_run_t,s0)
> /usr/lib/virtualbox/(.*) gen_context(system_u:object_r:vbox_run_t,s0)
> /usr/lib/virtualbox/VBoxManage -- gen_context(system_u:object_r:vbox_manage_exec_t,s0)
> /usr/lib/virtualbox/VBoxXPCOMIPCD -- gen_context(system_u:object_r:vbox_ipc_exec_t,s0)
> /usr/lib/virtualbox/VirtualBox -- gen_context(system_u:object_r:vbox_vbox_exec_t,s0)
> /usr/lib/virtualbox/VBoxSDL -- gen_context(system_u:object_r:vbox_vbox_exec_t,s0)
> /usr/lib/virtualbox/VBoxSVC -- gen_context(system_u:object_r:vbox_svc_exec_t,s0)
> HOME_DIR/.VirtualBox(/.*)? gen_context(system_u:object_r:vbox_run_t,s0)
These are specified file contexts. After loading these, you may need to
apply them by running restorecon on each of the paths.
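The thread's root cause (an .fc written against /usr/bin/virtualbox while the Fedora binaries live in /usr/lib/virtualbox) and the matchpathcon output quoted above can both be reproduced offline. The example below is an added illustration, not code from the thread or from any SELinux tool: it models how libselinux resolves a path against file_contexts entries (every entry is anchored as ^regex$, the last matching entry wins, and an entry with a file-type qualifier such as `--` only applies to that type), and adds the check that was missing, namely whether the literal part of each entry exists on the target system at all. The `BASE_FC` lib_t entry, the `/home/[^/]+` stand-in for what genhomedircon substitutes for HOME_DIR, and the temporary directory tree built by `make_fedora_root()` are all constructed for the example.

```python
import os
import re
import tempfile

# Constructed stand-in for the base-policy entry that labelled /usr/lib/virtualbox
# as lib_t before the vbox module was loaded (not the real Fedora 13 entry).
BASE_FC = """
/usr/lib(/.*)?                  gen_context(system_u:object_r:lib_t,s0)
"""

# A subset of the vbox.fc entries quoted in the thread, in the Fedora layout.
VBOX_FC_FEDORA = """
/dev/vboxdrv                    gen_context(system_u:object_r:vbox_run_t,s0)
/usr/lib/virtualbox             gen_context(system_u:object_r:vbox_run_t,s0)
/usr/lib/virtualbox/(.*)        gen_context(system_u:object_r:vbox_run_t,s0)
/usr/lib/virtualbox/VBoxManage  --  gen_context(system_u:object_r:vbox_manage_exec_t,s0)
/usr/lib/virtualbox/VBoxSDL     --  gen_context(system_u:object_r:vbox_vbox_exec_t,s0)
HOME_DIR/.VirtualBox(/.*)?      gen_context(system_u:object_r:vbox_run_t,s0)
"""

# Constructed: the same module as it looked with the Ubuntu path the thread mentions.
VBOX_FC_UBUNTU = VBOX_FC_FEDORA.replace("/usr/lib/virtualbox", "/usr/bin/virtualbox")

FC_LINE = re.compile(r"^(?P<path>\S+)\s+(?:(?P<ftype>-[-dcbslp])\s+)?(?P<ctx>\S+)$")
GEN_CTX = re.compile(r"gen_context\(([^,)]+),\s*([^)]+)\)")
REGEX_META = set(".*?+^$|()[]{}\\")


def parse_fc(text, home_dir_regex=r"/home/[^/]+"):
    """Turn .fc lines into (compiled regex, file-type qualifier or None, context).
    HOME_DIR is really expanded by genhomedircon at build time; home_dir_regex is
    an assumed stand-in for that step."""
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = FC_LINE.match(line)
        if not m:
            raise ValueError("unparseable fc line: %r" % raw)
        path = m.group("path").replace("HOME_DIR", home_dir_regex)
        ctx = m.group("ctx")
        g = GEN_CTX.match(ctx)
        if g:  # gen_context(user:role:type,mls) becomes user:role:type:mls in file_contexts
            ctx = "%s:%s" % (g.group(1), g.group(2))
        specs.append((re.compile("^" + path + "$"), m.group("ftype"), ctx))  # anchored
    return specs


def match_context(specs, path, ftype="--"):
    """Resolve a path the way matchpathcon does: the LAST matching entry wins, and an
    entry with a file-type qualifier (-- regular file, -d directory, ...) only applies
    to that type. Matching is case-sensitive, so VboxManage does not match VBoxManage."""
    path = path.rstrip("/") or "/"
    for regex, spec_type, ctx in reversed(specs):
        if spec_type is not None and spec_type != ftype:
            continue
        if regex.match(path):
            return ctx
    return "<<none>>"


def literal_prefix(path_regex):
    """Leading part of an entry with no regex metacharacters. A fully literal entry is
    kept whole; anything else is cut back to its last directory separator."""
    prefix = ""
    for ch in path_regex:
        if ch in REGEX_META:
            break
        prefix += ch
    if prefix != path_regex:
        prefix = prefix[: prefix.rfind("/") + 1]
    return prefix.rstrip("/") or "/"


def missing_paths(fc_text, root="/"):
    """The check the thread was missing: entry prefixes that do not exist below root.
    A list full of another distro's paths means the module can never label anything."""
    missing = set()
    for raw in fc_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("HOME_DIR"):
            continue
        prefix = literal_prefix(line.split()[0])
        if not os.path.lexists(os.path.join(root, prefix.lstrip("/"))):
            missing.add(prefix)
    return sorted(missing)


def make_fedora_root():
    """Constructed stand-in for the Fedora layout: empty files where the binaries live."""
    root = tempfile.mkdtemp()
    for rel in ("usr/lib/virtualbox", "dev"):
        os.makedirs(os.path.join(root, rel))
    for rel in ("usr/lib/virtualbox/VBoxManage", "usr/lib/virtualbox/VBoxSDL", "dev/vboxdrv"):
        open(os.path.join(root, rel), "w").close()
    return root
```

With the Ubuntu-path entries loaded on top of the lib_t base entry, `match_context()` still returns `system_u:object_r:lib_t:s0` for /usr/lib/virtualbox/VBoxManage, which is exactly what the quoted `matchpathcon` run showed; with the Fedora-path entries it returns vbox_manage_exec_t, and `missing_paths()` is empty. On a real system the same two-step applies that the reply above describes: `semanage fcontext -a -t ...` (or loading the module) only records the specification, and `restorecon -v` on the path is what relabels the inode; if the specification's path does not match the file's actual path, including case, restorecon has nothing to apply.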