touch & how labels are created

Dominick Grift domg472 at gmail.com
Sun Dec 5 19:08:42 UTC 2010



On 12/05/2010 07:46 PM, Dominick Grift wrote:
> On 12/05/2010 04:44 PM, Jorge Fábregas wrote:
>> On Saturday 04 December 2010 16:41:39 Dominick Grift wrote:
>>> So you could define a file type transition:
>>>
>>> if unconfined_t creates a file in directories with type etc_t, then
>>> transition from type etc_t to some specified type (net_conf_t in your
>>> example)
>>>
>>> filetrans_pattern(unconfined_t, etc_t, net_conf_t, file)
> 
>> Hello again!
> 
>> I would like to try this out (files created with unconfined_t, under /etc/, to 
>> have a label of net_conf_t). My only experience with inserting custom-policy 
>> modules is with the  "allow rules" suggested by audit2allow. Other than that I 
>> have never done anything else policy-wise so bear with me :)
> 
>> I tried this:
> 
> You should remove the ; on the filetrans line
> 
> mkdir mytest; cd mytest;
> 
> echo "policy_module(mytest, 1.0.0)" > mytest.te;
> echo "gen_require(\` type unconfined_t, etc_t, net_conf_t; ')" >> mytest.te;
> echo "# allow unconfined_t to create files with type net_conf_t in etc_t
> directories. So unconfined_t should be able to traverse etc_t
> directories (search) and to add entries to the parent etc_t directories.
> this is all provided in the manage_files_pattern" >> mytest.te;
> echo "manage_files_pattern(unconfined_t, etc_t, net_conf_t)" >> mytest.te;
> echo "Now we must tell selinux to transition the type of the file
Whoops, this line needs to be commented.

> created by unconfined_t in etc_t directories from the default etc_t type
> to the specified net_conf_t type." >> mytest.te;
> echo "filetrans_pattern(unconfined_t, etc_t, net_conf_t, file)" >> mytest.te;
> 
> make -f /usr/share/selinux/devel/Makefile mytest.pp
> sudo semodule -i mytest.pp
> 
> touch /etc/test
> ls -alZ /etc/test
> rm /etc/test
> sudo semodule -r mytest

We use already-defined patterns in the above example instead of raw policy,
that is, the policy that the kernel understands.

Patterns, interfaces, permission sets and templates are all m4 macro-ish
things that aim to make policy development easier and more maintainable.

You can find the patterns we used above in the file below:
> /usr/share/selinux/devel/include/support/file_patterns.spt

There is also an interface provided in the sysnetwork module that
basically wraps the filetrans pattern up for us:

> #######################################
> ## <summary>
> ##	Create files in /etc with the type used for
> ##	the network config files.
> ## </summary>
> ## <param name="domain">
> ##	<summary>
> ##	Domain allowed access.
> ##	</summary>
> ## </param>
> #
> interface(`sysnet_etc_filetrans_config',`
> 	gen_require(`
> 		type net_conf_t;
> 	')
> 
> 	files_etc_filetrans($1, net_conf_t, file)
> ')

So instead of using the filetrans_pattern in above example we could
simply call this:

sysnet_etc_filetrans_config(unconfined_t)

The above interface uses another macro that is defined in the files
module. You'll see that often.

The manage_files_pattern I used in my example can be replaced by:

sysnet_manage_config(unconfined_t)

which is also defined in the sysnet module for us to use:

> #######################################
> ## <summary>
> ##	Create, read, write, and delete network config files.
> ## </summary>
> ## <param name="domain">
> ##	<summary>
> ##	Domain allowed access.
> ##	</summary>
> ## </param>
> #
> interface(`sysnet_manage_config',`
> 	gen_require(`
> 		type net_conf_t;
> 	')
> 
> 	files_search_etc($1)
> 	allow $1 net_conf_t:file manage_file_perms;
> 
> 	ifdef(`distro_redhat',`
> 		manage_files_pattern($1, net_conf_t, net_conf_t)
> 	')
> ')

You can find these provided interfaces in the *.if files you'll find
under the directory below:

> /usr/share/selinux/devel/include


>> ------------------------------ cut here ---------------------------
> 
>> module localtran 1.0;
>> require {
>>         type unconfined_t;
>>         type etc_t;
>>         type net_conf_t;
>>         class file {write};
>>  }
> 
>> filetrans_pattern(unconfined_t, etc_t, net_conf_t, file);
> 
>> ------------------------------ cut here ---------------------------
> 
>> and then tried "checkmodule -M -m localtran.te -o localtran.pp" but I get 
>> syntax errors with token "filetrans_pattern".  I did some googling and noticed 
>> the use of "files_type" and "manage_files" before filetrans_pattern (tried it but 
>> didn't work). I'm not sure if I need those and also the class directive.
> 
>> I would like to try this first and eventually get more sophisticated with your 
>> other suggestions.. Of course, this is just for learning purposes (not that I 
>> need unconfined_t to create files in /etc with net_conf_t ).
> 
>> Regards,
>> Jorge
>> --
>> selinux mailing list
>> selinux at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> 
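As an added example (not code from the thread), here is the same module written as one script that uses the two sysnet interfaces Dominick points to instead of the raw patterns, followed by a check of the label a freshly created file in /etc actually receives; the test file path is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): build the module with the sysnet
# interfaces the reply recommends, then check the label a new file in /etc gets.
set -eu

MODNAME=mytest
TESTFILE=/etc/mytest-filetrans-check   # constructed path for the check

# Reference-policy .te files are m4: quoting uses ` ... ' as in the interfaces.
write_policy_te() {
    cat > "$1" <<'EOF'
policy_module(mytest, 1.0.0)

gen_require(`
	type unconfined_t;
')

# create/read/write/delete net_conf_t files in /etc (sysnet_manage_config)
sysnet_manage_config(unconfined_t)

# files unconfined_t creates in etc_t dirs get net_conf_t, not the parent's
# etc_t (sysnet_etc_filetrans_config wraps files_etc_filetrans)
sysnet_etc_filetrans_config(unconfined_t)
EOF
}

# Type field of a context such as unconfined_u:object_r:net_conf_t:s0
label_type() { printf '%s\n' "$1" | cut -d: -f3; }

build_and_install() {
    make -f /usr/share/selinux/devel/Makefile "$MODNAME.pp"
    sudo semodule -i "$MODNAME.pp"
}

# The file must be CREATED: a type transition applies only at creation,
# an existing file keeps its current label.
verify_label() {
    rm -f "$TESTFILE"; touch "$TESTFILE"
    label_type "$(stat -c %C "$TESTFILE")"
}

cleanup() { rm -f "$TESTFILE"; sudo semodule -r "$MODNAME"; }

main() {
    write_policy_te "$MODNAME.te"
    build_and_install
    echo "new file in /etc got type: $(verify_label) (expected net_conf_t)"
    cleanup
}
if [ "${RUN_SELINUX_DEMO:-0}" = 1 ]; then main; fi
```

Run with `RUN_SELINUX_DEMO=1 sh script.sh` on a box with the selinux-policy-devel tools; without the variable the file only defines the helpers. Note that `restorecon` would put the file back to etc_t, because the transition rule decides the label only at creation time while file_contexts has no entry for this path.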
