semanage / file_contexts.local
Paul Howarth
paul at city-fan.org
Wed Mar 29 13:27:07 UTC 2006
Stephen Smalley wrote:
> On Wed, 2006-03-29 at 13:39 +0100, Paul Howarth wrote:
>> On my FC4 system, I created a file
>> /etc/selinux/targeted/contexts/files/file_contexts.local that contained
>> the following lines:
>>
>> /srv/backup(/.*)? system_u:object_r:ftpd_anon_rw_t
>> /srv/softlib(/.*)? system_u:object_r:ftpd_anon_rw_t
>>
>> This was to ensure that that files created in these areas got the right
>> context, and that it would survive a relabel. Having since learned about
>> customizable types, I probably didn't need to do that in this case, but
>> the principle applies anyway.
>>
>> My understanding is that in FC5, the equivalent thing to do for this
>> would be to use semanage to add additional fcontext objects. Is that
>> right (I think the semanage manpage could do with an example or two btw,
>> hint, hint)?
>
> Funny you should ask. See
> http://marc.theaimsgroup.com/?l=selinux&m=114358806507499&w=2
Ah, good :-)
>> My first question is: if I use semanage, is there a convenient way to
>> check, on a running system, which objects are there as part of the base
>> policy and which have been added later, like a file context equivalent
>> of "semodule -l"?
>
> Hmm...doesn't look like semanage presently has an option that invokes
> just the xxx_list_local() interface of libsemanage versus the xxx_list()
> interface. Seems like a good idea.
>
>> My second question is: I have lots of log messages like this:
>>
>> Mar 26 04:24:39 badby kernel: inode_doinit_with_dentry:
>> context_to_sid(system_u:object_r:ftpd_anon_rw_t) returned 22 for
>> dev=sdb6 ino=96769
>
> Suggests that the type is no longer defined, which seems a bit
> surprising. Usually we add a type alias to keep it valid across
> updates.
>
>> /srv/backup(/.*)? system_u:object_r:public_content_rw_t:s0
>> /srv/softlib(/.*)? system_u:object_r:public_content_rw_t:s0
>>
>> or even deleting it entirely and doing the equivalent with semanage.
>> When I do one of these things, when will it take effect? Will I need to
>> reboot, or rebuild policy somehow?
>
> file_contexts.local will still be read by libselinux (matchpathcon), so
> it can still be used, but using semanage is likely the better way
> forward. Once you've run the semanage command, it should rebuild and
> push out an updated file_contexts file with your additions included, and
> then any subsequent runs of restorecon/setfiles/... will make use of
> those definitions.
Right, I moved the existing
/etc/selinux/targeted/contexts/files/file_contexts.local out of the way
and did:
# semanage fcontext -a -t public_content_rw_t '/srv/backup(/.*)?'
# semanage fcontext -a -t public_content_rw_t '/srv/softlib(/.*)?'
This then created a new
/etc/selinux/targeted/contexts/files/file_contexts.local, which contained:
# This file is auto-generated by libsemanage
# Please use the semanage command to make changes
/srv/backup(/.*)? system_u:object_r:public_content_rw_t:s0
/srv/softlib(/.*)? system_u:object_r:public_content_rw_t:s0
So it seems that I can identify local changes by looking in the file
(pretty much as before really, except that the file is created using
semanage rather than vi).
One last thing: is it possible to add multiple objects in a single
semanage call? I ask because each one takes a while to run (to do the
rebuild), and I can imagine that in an RPM package where there might be
lots of calls to semanage being made in a %post scriptlet, it would be
better to add all the objects at once and only do a single rebuild.
Paul.
More information about the selinux
mailing list