touch & how labels are created
Dominick Grift
domg472 at gmail.com
Sun Dec 5 19:08:42 UTC 2010
On 12/05/2010 07:46 PM, Dominick Grift wrote:
> On 12/05/2010 04:44 PM, Jorge Fábregas wrote:
>> On Saturday 04 December 2010 16:41:39 Dominick Grift wrote:
>>> So you could define a file type transition:
>>>
>>> if unconfined_t creates a file in directories with type etc_t, then
>>> transition from type etc_t to some specified type (net_conf_t in your
>>> example)
>>>
>>> filetrans_pattern(unconfined_t, etc_t, net_conf_t, file)
>
>> Hello again!
>
>> I would like to try this out (files created with unconfined_t, under /etc/, to
>> have a label of net_conf_t). My only experience with inserting custom-policy
>> modules is with the "allow rules" suggested by audit2allow. Other than that I
>> have never done anything else policy-wise so bear with me :)
>
>> I tried this:
>
> You should remove the ; on the filetrans line
>
> mkdir mytest; cd mytest;
>
> echo "policy_module(mytest, 1.0.0)" > mytest.te;
> echo "gen_require(\` type unconfined_t, etc_t, net_conf_t; ')" >> mytest.te;
> echo "# allow unconfined_t to create files with type net_conf_t in etc_t
> # directories. So unconfined_t should be able to traverse etc_t
> # directories (search) and to add entries to the parent etc_t directories.
> # this is all provided in the manage_files_pattern" >> mytest.te;
> echo "manage_files_pattern(unconfined_t, etc_t, net_conf_t)" >> mytest.te;
> echo "# Now we must tell selinux to transition the type of the file
whoops, this line needs to be commented.
> # created by unconfined_t in etc_t directories from the default etc_t type
> # to the specified net_conf_t type." >> mytest.te;
> echo "filetrans_pattern(unconfined_t, etc_t, net_conf_t, file)" >> mytest.te;
>
> make -f /usr/share/selinux/devel/Makefile mytest.pp
> sudo semodule -i mytest.pp
>
> touch /etc/test
> ls -alZ /etc/test
> rm /etc/test
> sudo semodule -r mytest
We used already-defined patterns in the above example instead of raw policy,
that is, the policy that the kernel understands.
Patterns, interfaces, permission sets and templates are all m4 macro-ish
things that aim to make policy development easier and more maintainable.
You can find the patterns we used above in the file below:
> /usr/share/selinux/devel/include/support/file_patterns.spt
There is also an interface provided in the sysnetwork module that
basically wraps the filetrans pattern up for us:
> #######################################
> ## <summary>
> ## Create files in /etc with the type used for
> ## the network config files.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> #
> interface(`sysnet_etc_filetrans_config',`
> gen_require(`
> type net_conf_t;
> ')
>
> files_etc_filetrans($1, net_conf_t, file)
> ')
So instead of using the filetrans_pattern in above example we could
simply call this:
sysnet_etc_filetrans_config(unconfined_t)
The above interface uses another macro that is defined in the files
module. You'll see that often.
The manage_files_pattern I used in my example can be replaced by:
sysnet_manage_config(unconfined_t)
which is also defined in the sysnet module for us to use:
> #######################################
> ## <summary>
> ## Create, read, write, and delete network config files.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> #
> interface(`sysnet_manage_config',`
> gen_require(`
> type net_conf_t;
> ')
>
> files_search_etc($1)
> allow $1 net_conf_t:file manage_file_perms;
>
> ifdef(`distro_redhat',`
> manage_files_pattern($1, net_conf_t, net_conf_t)
> ')
> ')
You can find these provided interfaces in the *.if files you'll find
in the below directory:
> /usr/share/selinux/devel/include
>
>
>
>> ------------------------------ cut here ---------------------------
>
>> module localtran 1.0;
>> require {
>> type unconfined_t;
>> type etc_t;
>> type net_conf_t;
>> class file {write};
>> }
>
>> filetrans_pattern(unconfined_t, etc_t, net_conf_t, file);
>
>> ------------------------------ cut here ---------------------------
>
>> and then tried "checkmodule -M -m localtran.te -o localtran.pp" but I get
>> syntax errors with token "filetrans_pattern". I did some googling and noticed
>> the use of "files_type" and "manage_files" before filetrans_pattern (tried it but
>> didn't work). I'm not sure if I need those and also the class directive.
>
>> I would like to try this first and eventually get more sophisticated with your
>> other suggestions.. Of course, this is just for learning purposes (not that I
>> need unconfined_t to create files in /etc with net_conf_t ).
>
>> Regards,
>> Jorge
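As an added example that is not part of the thread, the module discussed above written out both ways: the macro form that the devel Makefile runs through m4, and the raw policy language that checkmodule accepts, which is what manage_files_pattern and filetrans_pattern expand to in file_patterns.spt. The module name mytest, the temporary directory and the helper function names are my own choices; the permission sets are the refpolicy definitions of rw_dir_perms and manage_file_perms as of the time of this thread (later refpolicy releases add permissions such as map, but the type_transition rule is the same). The build/install step only runs on a host that has the devel Makefile and semodule installed; the rest runs anywhere.

```shell
#!/bin/sh
# Added example, not from the original posts. Assumes selinux-policy-devel
# paths as given in the thread; module name "mytest" is arbitrary.

# Macro form: needs the devel Makefile, which expands the m4 patterns.
gen_macro_te() {
cat <<'EOF'
policy_module(mytest, 1.0.0)

gen_require(`
	type unconfined_t, etc_t, net_conf_t;
')

# unconfined_t may add/remove entries in etc_t directories and manage
# files of type net_conf_t (expands to the dir/file allow rules below).
manage_files_pattern(unconfined_t, etc_t, net_conf_t)

# Files unconfined_t creates in etc_t directories get net_conf_t instead
# of inheriting etc_t from the parent directory. No trailing semicolon:
# the macro already ends its rules with one.
filetrans_pattern(unconfined_t, etc_t, net_conf_t, file)
EOF
}

# Raw form: the same two patterns expanded by hand. This is the language
# checkmodule understands, so "filetrans_pattern" is a syntax error here.
gen_raw_te() {
cat <<'EOF'
module mytest 1.0;

require {
	type unconfined_t;
	type etc_t;
	type net_conf_t;
	class dir { open getattr search read lock ioctl write add_name remove_name };
	class file { create open getattr setattr read write append rename link unlink ioctl lock };
}

# rw_dir_perms on the parent directory (both patterns need this)
allow unconfined_t etc_t:dir { open getattr search read lock ioctl write add_name remove_name };
# manage_file_perms on the resulting files
allow unconfined_t net_conf_t:file { create open getattr setattr read write append rename link unlink ioctl lock };
# the actual labeling rule behind filetrans_pattern(..., file)
type_transition unconfined_t etc_t:file net_conf_t;
EOF
}

# Type field of a context such as "unconfined_u:object_r:net_conf_t:s0",
# which is what `ls -Z` and `stat -c %C` print.
label_type() {
	printf '%s\n' "$1" | cut -d: -f3
}

# Build the raw form with the checkmodule tool chain (no Makefile needed).
build_raw_pp() {
	gen_raw_te > mytest.te
	checkmodule -M -m -o mytest.mod mytest.te
	semodule_package -o mytest.pp -m mytest.mod
}

# Build the macro form, install it, touch a file in /etc and check its label.
# Skipped unless the devel Makefile and semodule exist on this host.
run_test() {
	makefile=/usr/share/selinux/devel/Makefile
	if [ ! -f "$makefile" ] || ! command -v semodule >/dev/null 2>&1; then
		echo "selinux-policy-devel not present; skipping build" >&2
		return 0
	fi
	(
		cd "$(mktemp -d)" || exit 1
		gen_macro_te > mytest.te
		make -f "$makefile" mytest.pp
		sudo semodule -i mytest.pp
		touch /etc/test
		ctx=$(stat -c %C /etc/test)
		rm -f /etc/test
		sudo semodule -r mytest   # takes the module name, not the .pp file
		[ "$(label_type "$ctx")" = net_conf_t ]
	)
}

# Only exercise the system when explicitly asked: ./example.sh --run
case "${1:-}" in --run) run_test ;; esac
```

Running it with --run on an SELinux host with the devel package installed reproduces the touch /etc/test check from the thread and reports success only if the new file carries net_conf_t rather than the directory's etc_t; build_raw_pp is the path to use when only checkmodule and semodule_package are available.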