touch & how labels are created
Dominick Grift
domg472 at gmail.com
Sat Dec 4 20:57:10 UTC 2010
On 12/04/2010 09:41 PM, Dominick Grift wrote:
> On 12/04/2010 09:24 PM, Jorge Fábregas wrote:
>> On Saturday 04 December 2010 16:03:30 Jorge Fábregas wrote:
>>> cd /etc
>>> rm hosts
>>> touch hosts
>>>
>>> ls -lZ /etc/hosts
>>> (it shows etc_t as its type)
>>>
>>> If I do a restorecon of the hosts file I'll get the correct net_conf_t for
>>> the file.
>
>> Ok, I kept searching... Is it because, in order for the touch command (bin_t)
>> to create a file in /etc/ labeled as net_conf_t, a file-transition rule allowing
>> this should have existed? If there's no rule, the default is to use the label
>> of the parent directory?
Made a few typos and forgot to add some info:
>
> Exactly.
>
> So let's assume your domain type shows unconfined_t if you run id -Z. You run
> touch, which is a helper app with type bin_t. That is a type for
> executable files that are (usually) not an entry point to any domain. So
> you run touch in the unconfined_u domain.
unconfined_t instead of unconfined_u obviously.
The unconfined_u field in a security context type is a SELinux identity.
In Fedora this field is only used to map compartments, sensitivities and
roles to Linux logins.
> So you could define a file type transition:
>
> if unconfined_t creates a file in directories with type etc_t, then
> transition from type etc_t to some specified type (net_conf_t in your
> example)
>
> filetrans_pattern(unconfined_t, etc_t, net_conf_t, file)
>
> Of course, then all files that you create in etc_t directories get created
> with that net_conf_t type. Not what you want.
>
> That is one reason to do a domain transition.
>
> For example we label touch with a new defined type. we make this type a
> core command executable type of lets say touch_exec_t. Now we could
> define a domain transition:
Such a domain transition would look like this:
domtrans_pattern(unconfined_t, touch_exec_t, touch_t)
That is a simple example. With user applications, like touch in our
example, I prefer to use role prefixes to let SELinux know who runs
touch, so that "touch policy" can be defined for particular roles.
E.g. "touch policy" for the user_r role differs from "touch policy" for
unconfined_r:
domtrans_pattern(unconfined_t, touch_exec_t, unconfined_touch_t)
vs.
domtrans_pattern(user_t, touch_exec_t, user_touch_t)
Then you can do:
filetrans_pattern(unconfined_touch_t, etc_t, net_conf_t, file)
vs.
filetrans_pattern(user_touch_t, etc_t, etc_runtime_t, file)
E.g. when unconfined_t runs touch_exec_t and domain transitions to
unconfined_touch_t, then unconfined_touch_t creates files in etc_t
directories with a file transition to net_conf_t, whereas user_touch_t
creates files in etc_t directories with a file transition to etc_runtime_t.
> if unconfined_t runs a file with type touch_exec_t, then transition from
> the type unconfined_t to some specified type (for example touch_t).
>
> Now you can specify a type transition for touch_t creating a file in
> etc_t directories:
>
> filetrans_pattern(touch_t, etc_t, net_conf_t, file)
>
> Now when unconfined_t creates a file in etc_t directories, the file will
> inherit the type of the parent directory (etc_t)
>
> But if touch_t creates a file in etc_t directories, the type of the file
> will transition from etc_t to net_conf_t.
>
> Type transition is one of the most important concepts in type
> enforcement. The main two types of transitions are as shown above:
>
> domain type transition
> file type transition
>
> A domain type is a type of a process (subject)
> A file type is a type of a file (object)
>
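The labeling decisions the message walks through (no rule: inherit the parent directory's type; a process type_transition on execve picks the new domain; a file type_transition on create picks the new file type) are modelled below as an added example. This is not code from the thread or from the reference policy; the type_transition rules are constructed by hand to show what the quoted domtrans_pattern/filetrans_pattern calls expand to (the unconfined_touch_t, user_touch_t and touch_exec_t types are the thread's own hypothetical ones), and the model covers only the default-label choice, not the allow rules a real transition also needs. It goes one step beyond the 2010 thread by also accepting a filename transition (the trailing quoted name that later policy versions support and that sesearch -T prints), so that only a file literally named "hosts" gets net_conf_t while other files keep the plain rule's result; that rule is marked hypothetical in the sample.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One type_transition rule in the form policy source uses (and, modulo spacing
# around ':', the form sesearch -T prints). The optional trailing quoted name is
# a filename transition, a later addition that the 2010 thread does not cover.
RULE_RE = re.compile(
    r'^type_transition\s+(?P<src>[^\s:]+)\s+(?P<tgt>[^\s:]+)\s*:\s*(?P<cls>[^\s;]+)'
    r'\s+(?P<new>[^\s;"]+)\s*(?:"(?P<name>[^"]*)")?\s*;?$'
)


@dataclass(frozen=True)
class Rule:
    source: str                 # creating / executing domain
    target: str                 # parent directory type, or the executable's type
    tclass: str                 # object class: file, dir, process, ...
    result: str                 # type given to the new object or new process
    name: Optional[str] = None  # filename for a filename transition, else None


def parse_rules(text: str) -> List[Rule]:
    """Parse type_transition lines; '#' comments and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable type_transition rule: {line!r}")
        rules.append(Rule(m.group('src'), m.group('tgt'), m.group('cls'),
                          m.group('new'), m.group('name')))
    return rules


class TransitionTable:
    """Default-label decisions only: the allow rules a real transition also
    needs (execute/transition/entrypoint, create/add_name) are not modelled."""

    def __init__(self, rules: List[Rule]):
        self.plain: Dict[Tuple[str, str, str], str] = {}
        self.named: Dict[Tuple[str, str, str, str], str] = {}
        for r in rules:
            if r.name is None:
                self.plain[(r.source, r.target, r.tclass)] = r.result
            else:
                self.named[(r.source, r.target, r.tclass, r.name)] = r.result

    def exec_domain(self, domain: str, exec_type: str) -> str:
        # execve(): a process type_transition picks the new domain; with no
        # rule the process keeps running in the caller's domain (touch as bin_t).
        return self.plain.get((domain, exec_type, 'process'), domain)

    def new_object_type(self, domain: str, parent_type: str,
                        tclass: str = 'file', name: Optional[str] = None) -> str:
        # create(): a filename transition wins over a plain one; with no rule
        # at all the new object inherits the type of its parent directory.
        if name is not None:
            hit = self.named.get((domain, parent_type, tclass, name))
            if hit is not None:
                return hit
        return self.plain.get((domain, parent_type, tclass), parent_type)


def label_after_touch(table: TransitionTable, caller_domain: str,
                      touch_exec_type: str, filename: str,
                      dir_type: str = 'etc_t') -> Tuple[str, str]:
    """The thread's scenario: run touch, then create `filename` in a dir_type
    directory. Returns (domain touch ran in, type of the new file)."""
    domain = table.exec_domain(caller_domain, touch_exec_type)
    return domain, table.new_object_type(domain, dir_type, 'file', filename)


# Constructed rules: what the thread's macro calls expand to, plus one
# hypothetical filename transition (not from the thread) to show its precedence.
SAMPLE_RULES = """
# domtrans_pattern(unconfined_t, touch_exec_t, unconfined_touch_t)
type_transition unconfined_t touch_exec_t : process unconfined_touch_t;
# domtrans_pattern(user_t, touch_exec_t, user_touch_t)
type_transition user_t touch_exec_t : process user_touch_t;
# filetrans_pattern(unconfined_touch_t, etc_t, net_conf_t, file)
type_transition unconfined_touch_t etc_t : file net_conf_t;
# filetrans_pattern(user_touch_t, etc_t, etc_runtime_t, file)
type_transition user_touch_t etc_t : file etc_runtime_t;
# hypothetical filename transition: only a file literally named "hosts"
type_transition user_touch_t etc_t:file net_conf_t "hosts";
"""

TABLE = TransitionTable(parse_rules(SAMPLE_RULES))

if __name__ == '__main__':
    cases = [
        ('unconfined_t', 'bin_t', 'hosts'),         # the original problem: stays etc_t
        ('unconfined_t', 'touch_exec_t', 'hosts'),  # domain transition, then file transition
        ('user_t', 'touch_exec_t', 'motd'),         # role-specific touch domain
        ('user_t', 'touch_exec_t', 'hosts'),        # filename transition wins
    ]
    for caller, exe, name in cases:
        dom, ftype = label_after_touch(TABLE, caller, exe, name)
        print(f"{caller} execs {exe}, creates /etc/{name}: ran as {dom}, file is {ftype}")
```

The same lookup is what you do by hand on a real system: query the loaded policy with sesearch -T for the creating domain and the parent directory type, and if no process rule fires for the executable and no file rule fires for the directory, the new file keeps the directory's type and only restorecon (which consults file_contexts, not type_transition rules) puts net_conf_t on it afterwards.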