touch & how labels are created
Dominick Grift
domg472 at gmail.com
Sun Dec 5 18:46:49 UTC 2010
On 12/05/2010 04:44 PM, Jorge Fábregas wrote:
> On Saturday 04 December 2010 16:41:39 Dominick Grift wrote:
>> So you could define a file type transition:
>>
>> if unconfined_t creates a file in directories with type etc_t, then
>> transition from type etc_t to some specified type (net_conf_t in your
>> example)
>>
>> filetrans_pattern(unconfined_t, etc_t, net_conf_t, file)
>
> Hello again!
>
> I would like to try this out (files created with unconfined_t, under /etc/, to
> have a label of net_conf_t). My only experience with inserting custom-policy
> modules is with the "allow rules" suggested by audit2allow. Other than that I
> have never done anything else policy-wise so bear with me :)
>
> I tried this:
You should remove the ; on the filetrans line
mkdir mytest; cd mytest
cat > mytest.te <<'EOF'
policy_module(mytest, 1.0.0)

gen_require(`
	type unconfined_t, etc_t, net_conf_t;
')

# allow unconfined_t to create files with type net_conf_t in etc_t
# directories. So unconfined_t should be able to traverse etc_t
# directories (search) and to add entries to the parent etc_t directories.
# this is all provided in the manage_files_pattern
manage_files_pattern(unconfined_t, etc_t, net_conf_t)

# Now we must tell selinux to transition the type of the file
# created by unconfined_t in etc_t directories from the default etc_t type
# to the specified net_conf_t type.
filetrans_pattern(unconfined_t, etc_t, net_conf_t, file)
EOF
make -f /usr/share/selinux/devel/Makefile mytest.pp
sudo semodule -i mytest.pp
touch /etc/test
ls -alZ /etc/test
rm /etc/test
sudo semodule -r mytest
> ------------------------------ cut here ---------------------------
>
> module localtran 1.0;
> require {
> type unconfined_t;
> type etc_t;
> type net_conf_t;
> class file {write};
> }
>
> filetrans_pattern(unconfined_t, etc_t, net_conf_t, file);
>
> ------------------------------ cut here ---------------------------
>
> and then tried "checkmodule -M -m localtran.te -o localtran.pp" but I get
> syntax errors with token "filetrans_pattern". I did some googling and noticed
> the use of "files_type" and "manage_files" before filetrans_pattern (tried it but
> didn't work). I'm not sure if I need those and also the class directive.
>
> I would like to try this first and eventually get more sophisticated with your
> other suggestions.. Of course, this is just for learning purposes (not that I
> need unconfined_t to create files in /etc with net_conf_t ).
>
> Regards,
> Jorge
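The following is an added example, not part of the thread above and not Dominick's or Jorge's code. It wraps the same module (name mytest, paths /etc/test and a constructed /etc/test-pre) in a script that checks what the type transition does and does not do: a file created after the module is loaded gets net_conf_t, a file that already existed keeps etc_t, and restorecon puts /etc/test back to etc_t because the file-context database still maps /etc(/.*)? to etc_t; a semanage fcontext entry is what survives a relabel. It assumes a Fedora-style system with selinux-policy-devel installed, run from an unconfined_t shell with sudo.

```sh
#!/bin/sh
# Added example (not from the original thread). Module name "mytest" and the
# paths /etc/test and /etc/test-pre are constructed for the demonstration.
set -eu

# Emit the .te source. Parameters: domain, directory type, new file type,
# object class. Pure text generation, so it can be checked without SELinux.
gen_policy() {
    domain=$1; dirtype=$2; newtype=$3; class=$4
    cat <<EOF
policy_module(mytest, 1.0.0)

gen_require(\`
    type $domain, $dirtype, $newtype;
')

# $domain may create, read, write and delete $newtype files in $dirtype
# directories (includes search on the directory and add_name/remove_name).
manage_files_pattern($domain, $dirtype, $newtype)

# Files of class "$class" that $domain creates in $dirtype directories get
# type $newtype instead of inheriting $dirtype from the parent directory.
filetrans_pattern($domain, $dirtype, $newtype, $class)
EOF
}

# Print only the SELinux type (third field of user:role:type:level).
type_of() {
    stat -c %C "$1" | cut -d: -f3
}

run_demo() {
    workdir=$(mktemp -d)

    # A file that exists before the module is loaded: inherits etc_t.
    sudo touch /etc/test-pre

    gen_policy unconfined_t etc_t net_conf_t file > "$workdir/mytest.te"
    (cd "$workdir" && make -f /usr/share/selinux/devel/Makefile mytest.pp)
    sudo semodule -i "$workdir/mytest.pp"

    # 1. A file created now gets the transitioned type (expect net_conf_t).
    sudo touch /etc/test
    echo "new file:            $(type_of /etc/test)"

    # 2. The transition fires only at creation; it relabels nothing that
    #    already exists (expect etc_t).
    echo "pre-existing file:   $(type_of /etc/test-pre)"

    # 3. restorecon consults the file-context database, which still says
    #    /etc(/.*)? is etc_t, so it undoes the transition (expect etc_t).
    sudo restorecon -v /etc/test
    echo "after restorecon:    $(type_of /etc/test)"

    # 4. To survive relabelling, the path needs a file-context entry too
    #    (expect net_conf_t).
    sudo semanage fcontext -a -t net_conf_t /etc/test
    sudo restorecon -v /etc/test
    echo "with fcontext entry: $(type_of /etc/test)"

    # Clean up. semodule -r takes the module name, not the .pp file name.
    sudo semanage fcontext -d /etc/test
    sudo rm -f /etc/test /etc/test-pre
    sudo semodule -r mytest
    rm -rf "$workdir"
}

# The live part touches /etc and loads policy, so it only runs when asked.
if [ "${1:-}" = run ]; then
    run_demo
fi
```

Run it as `sh demo.sh run` on a test machine; without the `run` argument the script only defines the functions. The point of steps 2 to 4 is the one the subject line asks about: a type_transition decides the label at creation time only, while the file-context database decides what restorecon, setfiles and a full relabel will assign, and the two have to agree if the label is meant to stick.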