touch & how labels are created
Jorge Fábregas
jorge.fabregas at gmail.com
Sat Dec 4 21:03:12 UTC 2010
On Saturday 04 December 2010 16:57:10 Dominick Grift wrote:
> Such a domain transition would look like this:
>
> domtrans_pattern(unconfined_t, touch_exec_t, touch_t)
>
> That is a simple example. With user applications like touch in our
> example is, i prefer to use role prefixes to let selinux know who runs
> touch. So that "touch policy" can be defined for particular roles.
>
> e.g. "touch policy" for the user_r role differs from "touch policy" for
> unconfined_r:
>
> domtrans_pattern(unconfined_t, touch_exec_t, unconfined_touch_t)
>
> vs.
>
> domtrans_pattern(user_t, touch_exec_t, user_touch_t)
>
> Then you can do:
>
> filetrans_pattern(unconfined_touch_t, etc_t, net_conf_t, file)
>
> vs.
>
> filetrans_pattern(user_touch_t, etc_t, etc_runtime_t, file)
>
> e.g. when unconfined_t runs touch_exec_t and domain transitions to
> unconfined_touch_t, then unconfined_touch_t creates files in etc_t
> directories with a file transition to net_conf_t, whereas user_touch_t
> creates files in etc_t directories with a file transition to etc_runtime_t.
Thanks Dominick for the excellent explanation. I've been using SELinux for a
while but never gave transitions too much thought. Your explanation and
examples are very clear and very helpful - very much appreciated!
All the best,
Jorge
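Dominick's two role-prefixed touch policies, assembled into one refpolicy-style module as an added example (not code from the thread or from the refpolicy project itself). The `domtrans_pattern`/`filetrans_pattern` lines are the ones quoted above; the module name, the `application_domain` and `manage_files_pattern` calls, and the `gen_require` block pulling types and roles from the base policy are my assumptions.

```selinux
policy_module(touch_roles, 1.0)

########################################
# Declarations
#

# Assumption: these types and roles are provided by the base policy,
# exactly as they are in Dominick's example
gen_require(`
	type unconfined_t, user_t, etc_t, net_conf_t, etc_runtime_t;
	role unconfined_r, user_r;
')

# Label for the touch binary (assumed to be assigned by a matching .fc entry)
type touch_exec_t;
corecmd_executable_file(touch_exec_t)

# One touch domain per role, so each role can get its own touch policy
type unconfined_touch_t;
application_domain(unconfined_touch_t, touch_exec_t)
role unconfined_r types unconfined_touch_t;

type user_touch_t;
application_domain(user_touch_t, touch_exec_t)
role user_r types user_touch_t;

########################################
# touch policy for unconfined_r
#

# unconfined_t executing touch_exec_t transitions to unconfined_touch_t
domtrans_pattern(unconfined_t, touch_exec_t, unconfined_touch_t)

# files unconfined_touch_t creates in etc_t directories become net_conf_t;
# filetrans_pattern only grants the directory access and the type_transition,
# so the create/setattr permissions on the new file type are granted separately
manage_files_pattern(unconfined_touch_t, etc_t, net_conf_t)
filetrans_pattern(unconfined_touch_t, etc_t, net_conf_t, file)

########################################
# touch policy for user_r
#

# user_t executing the same binary transitions to user_touch_t instead
domtrans_pattern(user_t, touch_exec_t, user_touch_t)

# and its new files under etc_t are labeled etc_runtime_t, not net_conf_t
manage_files_pattern(user_touch_t, etc_t, etc_runtime_t)
filetrans_pattern(user_touch_t, etc_t, etc_runtime_t, file)
```

After building and loading the module, `ls -Z` on a file each role creates under an etc_t directory shows the differing labels; a production module would still need the usual user-domain interfaces (terminal, libraries) for the touch domains to run at all.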