touch & how labels are created

Dominick Grift domg472 at gmail.com
Sat Dec 4 20:57:10 UTC 2010


On 12/04/2010 09:41 PM, Dominick Grift wrote:
> On 12/04/2010 09:24 PM, Jorge Fábregas wrote:
>> On Saturday 04 December 2010 16:03:30 Jorge Fábregas wrote:
>>> cd /etc
>>> rm hosts
>>> touch hosts
>>>
>>> ls -lZ /etc/hosts
>>> (it shows etc_t as its type)
>>>
>>> If I do a restorecon of the hosts file I'll get the correct net_conf_t for
>>> the file.
> 
>> Ok, I kept searching... Is it because, in order for the touch command (bin_t) 
>> to create a file in /etc/ labeled as net_conf_t, a file-transition rule allowing 
>> this should have existed?  If there's no rule, the default is to use the label 
>> of the parent directory?

Made a few typos and forgot to add some info:

> 
> Exactly.
> 
> so let's assume your domain type shows unconfined_t if you id -Z. You run
> touch which is a helper app with type bin_t. That is a type for
> executable files that are (usually) not an entry point to any domain. So
> you run touch in the unconfined_u domain.

unconfined_t instead of unconfined_u obviously.

The unconfined_u field in a security context is a selinux identity.
In Fedora this field is only used to map compartments, sensitivities and
roles to linux logins.

> So you could define a file type transition:
> 
> if unconfined_t creates a file in directories with type etc_t, then
> transition from type etc_t to some specified type (net_conf_t in your
> example)
> 
> filetrans_pattern(unconfined_t, etc_t, net_conf_t, file)
> 
> Of course then all files that you create in etc_t directories get created
> with that net_conf_t type. Not what you want.
> 
> That is one reason to do a domain transition.
> 
> For example we label touch with a newly defined type. We make this type a
> core command executable type of let's say touch_exec_t. Now we could
> define a domain transition:


Such a domain transition would look like this:

domtrans_pattern(unconfined_t, touch_exec_t, touch_t)

That is a simple example. With user applications, like touch in our
example, I prefer to use role prefixes to let selinux know who runs
touch, so that "touch policy" can be defined for particular roles.

e.g. "touch policy" for the user_r role differs from "touch policy" for
unconfined_r:

domtrans_pattern(unconfined_t, touch_exec_t, unconfined_touch_t)

vs.

domtrans_pattern(user_t, touch_exec_t, user_touch_t)

Then you can do:

filetrans_pattern(unconfined_touch_t, etc_t, net_conf_t, file)

vs.

filetrans_pattern(user_touch_t, etc_t, etc_runtime_t, file)

i.e. when unconfined_t runs touch_exec_t and domain transitions to
unconfined_touch_t, then unconfined_touch_t creates files in etc_t
directories with a file transition to net_conf_t, whereas user_touch_t
creates files in etc_t directories with a file transition to etc_runtime_t.

> if unconfined_t runs a file with type touch_exec_t, then transition from
> the type unconfined_t to some specified type (for example touch_t).
> 
> Now you can specify a type transition for touch_t creating a file in
> etc_t directories:
> 
> filetrans_pattern(touch_t, etc_t, net_conf_t, file)
> 
> Now when unconfined_t creates a file in etc_t directories, the file will
> inherit the type of the parent directory (etc_t)
> 
> But if touch_t creates a file in etc_t directories, the type of the file
> will transition from etc_t to net_conf_t.
> 
> Type transition is one of the most important concepts in type
> enforcement. The two main types of transitions are as shown above:
> 
> domain type transition
> file type transition
> 
> A domain type is a type of a process (subject)
> A file type is a type of a file (object)
> 
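The label decision the thread walks through, as an added toy model (not code from the post or from the reference policy): it records only the type_transition rules that filetrans_pattern() and domtrans_pattern() expand to, leaves out the allow rules those macros also emit, and uses the thread's type names (touch_exec_t, unconfined_touch_t, user_touch_t, etc_runtime_t) as assumed, not real, policy types.

```python
# Added example: minimal model of SELinux type_transition lookups.
# Only the type_transition part of filetrans_pattern()/domtrans_pattern()
# is modelled; the allow rules the real macros emit are omitted.

class Policy:
    def __init__(self):
        # (source type, target type, object class) -> resulting type
        self.transitions = {}

    def filetrans_pattern(self, domain, dir_type, new_type, obj_class="file"):
        # type_transition domain dir_type:obj_class new_type;
        self.transitions[(domain, dir_type, obj_class)] = new_type

    def domtrans_pattern(self, domain, exec_type, new_domain):
        # type_transition domain exec_type:process new_domain;
        self.transitions[(domain, exec_type, "process")] = new_domain

    def new_file_type(self, domain, parent_type, obj_class="file"):
        # No matching rule: the new object inherits the parent directory's type.
        return self.transitions.get((domain, parent_type, obj_class), parent_type)

    def exec_domain(self, domain, exec_type):
        # No matching rule: the process stays in its current domain.
        return self.transitions.get((domain, exec_type, "process"), domain)


def touch_in_etc(policy, shell_domain, touch_exec_type):
    """Simulate `touch /etc/hosts`: the shell execs touch, then whichever
    domain touch ends up in creates a file in an etc_t directory.
    Returns (domain touch ran as, type the new file got)."""
    running_as = policy.exec_domain(shell_domain, touch_exec_type)
    return running_as, policy.new_file_type(running_as, "etc_t", "file")


def build_policy():
    """The role-prefixed policy sketched in the thread (assumed type names)."""
    p = Policy()
    p.domtrans_pattern("unconfined_t", "touch_exec_t", "unconfined_touch_t")
    p.domtrans_pattern("user_t", "touch_exec_t", "user_touch_t")
    p.filetrans_pattern("unconfined_touch_t", "etc_t", "net_conf_t")
    p.filetrans_pattern("user_touch_t", "etc_t", "etc_runtime_t")
    return p


if __name__ == "__main__":
    p = build_policy()
    # touch labelled plain bin_t: no domain transition, so the file keeps etc_t
    print(touch_in_etc(p, "unconfined_t", "bin_t"))         # ('unconfined_t', 'etc_t')
    print(touch_in_etc(p, "unconfined_t", "touch_exec_t"))  # ('unconfined_touch_t', 'net_conf_t')
    print(touch_in_etc(p, "user_t", "touch_exec_t"))        # ('user_touch_t', 'etc_runtime_t')
```

The first call reproduces the original question (touch as bin_t leaves /etc/hosts labelled etc_t, so restorecon is needed); the other two show how the domain transition selects which file transition applies.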