touch & how labels are created

Dominick Grift domg472 at gmail.com
Sat Dec 4 20:41:39 UTC 2010


On 12/04/2010 09:24 PM, Jorge Fábregas wrote:
> On Saturday 04 December 2010 16:03:30 Jorge Fábregas wrote:
>> cd /etc
>> rm hosts
>> touch hosts
>>
>> ls -lZ /etc/hosts
>> (it shows etc_t as its type)
>>
>> If I do a restorecon of the hosts file I'll get the correct net_conf_t for
>> the  file.
> 
> Ok, I kept searching... Is it because, in order for the touch command (bin_t) 
> to create a file in /etc/ labeled as net_conf_t, a file-transition rule allowing 
> this should have existed?  If there's no rule, the default is to use the label 
> of the parent directory?
> 

Exactly.

So let's assume your domain type shows unconfined_t if you id -Z. You run
touch, which is a helper app with type bin_t. That is a type for
executable files that are (usually) not an entry point to any domain. So
you run touch in the unconfined_u domain.

So you could define a file type transition:

if unconfined_t creates a file in directories with type etc_t, then
transition from type etc_t to some specified type (net_conf_t in your
example)

filetrans_pattern(unconfined_t, etc_t, net_conf_t, file)

Of course, then all files that you create in etc_t directories get created
with that net_conf_t type. Not what you want.

That is one reason to do a domain transition.

For example, we label touch with a newly defined type. We make this type a
core command executable type of, let's say, touch_exec_t. Now we could
define a domain transition:

if unconfined_t runs a file with type touch_exec_t, then transition from
the type unconfined_t to some specified type (for example touch_t).

Now you can specify a type transition for touch_t creating a file in
etc_t directories:

filetrans_pattern(touch_t, etc_t, net_conf_t, file)

Now when unconfined_t creates a file in etc_t directories, the file will
inherit the type of the parent directory (etc_t).

But if touch_t creates a file in etc_t directories, the type of the file
will transition from etc_t to net_conf_t.

Type transition is one of the most important concepts in type
enforcement. The two main kinds of transitions are as shown above:

domain type transition
file type transition

A domain type is a type of a process (subject).
A file type is a type of a file (object).
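As an added illustration (not part of Dominick's reply), here is what the two transitions described above look like when written out as a small refpolicy-style module. The type names touch_t and touch_exec_t are the ones used in the post; the interface names and the allow rules are the standard refpolicy ones, and the module only shows the transition rules plus the minimum access for them to fire, not a complete confinement of touch.

```selinux
policy_module(touch_demo, 1.0.0)

# Types that already exist in the base policy and are referenced here.
gen_require(`
    type unconfined_t;
    type etc_t;
    type net_conf_t;
    role unconfined_r;
')

# New domain type (subject) for the running touch process and a new
# entry-point file type (object) for the touch binary itself.
type touch_t;
type touch_exec_t;
domain_type(touch_t)
domain_entry_file(touch_t, touch_exec_t)
# unconfined_t runs in unconfined_r, so the new domain must be allowed
# for that role or the transition fails at role check time.
role unconfined_r types touch_t;

# 1. Domain type transition: when unconfined_t executes a file of type
#    touch_exec_t, the process type changes from unconfined_t to touch_t.
domtrans_pattern(unconfined_t, touch_exec_t, touch_t)

# 2. File type transition: when touch_t creates a file in a directory of
#    type etc_t, the new file gets net_conf_t instead of inheriting etc_t.
#    The same macro applied to unconfined_t instead of touch_t would be
#    the over-broad rule the post warns about.
filetrans_pattern(touch_t, etc_t, net_conf_t, file)

# The transition rule alone does not grant access; touch_t still needs
# permission to add an entry to the etc_t directory and to create and
# set attributes on the resulting net_conf_t file.
allow touch_t etc_t:dir { search write add_name };
allow touch_t net_conf_t:file { create open write getattr setattr };

# Newer policy (not available when the post was written) accepts an
# optional filename as a fifth argument, e.g.
#   filetrans_pattern(touch_t, etc_t, net_conf_t, file, "hosts")
# which narrows the rule to the single file named hosts.

# In the accompanying touch_demo.fc file the binary is relabelled so the
# domain transition has an entry point to key on:
#   /usr/bin/touch  --  gen_context(system_u:object_r:touch_exec_t,s0)
```

After building and loading the module (semodule -i) and running restorecon on /usr/bin/touch, ls -Z on the binary should show touch_exec_t, and a file created by touch in /etc should show net_conf_t rather than etc_t.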
