razor policy
Dominick Grift
domg472 at gmail.com
Wed Dec 29 12:00:27 UTC 2010
On 12/28/2010 11:29 PM, Vadym Chepkov wrote:
>
>>>>>>
>>>>>> P.S. On related note, how do $HOME files get their labeling?
>>>
>>> It depends. When all is right, files in Home get created with the
>>> proper contexts by means of "type transition" rules, basically.
>>>
>>> example:
>>>
>>> If a process with type pyzor_t creates a file in a directory with type
>>> user_home_dir_t, then there is a "type transition" from user_home_dir_t to pyzor_home_t.
>>>
>>> But in gnome-session there is also restorecond -u watching contexts in home.
>>>
>>> Basically it compares contexts in home with what's defined in semanage
>>> fcontext (or homedir.template) and resets contexts accordingly. (This is
>>> some hack to ensure that user home dir content is labelled properly.)
>>
>> That was my question, how do you define it in semanage fcontext?
>> I see explicit references to /root/ home, but what about users home?
>> Some sort of keyword/macro?
>
>
> I can see this in pyzor.fc
>
> HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
> HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
>
>
> But you won't find anything like this in semanage fcontext -l output. A bug?
No, home directory contexts are handled a bit differently. There's a file
in /etc/selinux/*/contexts.* called homedir.contexts (or similar) with
home directory contexts instead, which gets recreated each time you build
the policy. I think it's a relic of the past when we used the user role
prefix to prefix our user home types. Nowadays it's useful for user-based
access control, I guess.
>
>>>
>>>>>> # semanage fcontext -l|grep pyzor
>>>>>> has reference only to
>>>>>> /root/\.pyzor(/.*)? all files system_u:object_r:pyzor_home_t:s0
>>>>>>
>>>>>> but, directory gets proper labeling:
>>>>>>
>>>>>> # ls -dZ /home/vchepkov/.pyzor
>>>>>> drwx------. vchepkov users unconfined_u:object_r:spamc_home_t:s0 /home/vchepkov/.pyzor
>>>>>>
>
>
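Added illustration of the mechanism discussed above (this is example code written for this page, not code from the thread's participants or from the SELinux project): the HOME_DIR placeholder in a module's .fc file is not stored as-is in the regular fcontext database; at policy build time it is expanded into concrete per-home-directory regexes, which is why `semanage fcontext -l` shows only the /root entry while /home/<user>/.pyzor still matches a rule. The script emulates that expansion and a matchpathcon-style lookup over the two pyzor.fc lines quoted in the thread. Assumptions: user homes live under /home (regex `/home/[^/]+`) and root's home is /root; on a real system genhomedircon derives the home-directory regexes from the configured SELinux users/logins and writes the expanded lines to `file_contexts.homedirs` next to the main `file_contexts`.

```shell
#!/bin/sh
# Example only: emulates HOME_DIR expansion from a module .fc file and a
# matchpathcon-style lookup. Not the SELinux project's own code.
# Assumptions: user homes under /home (/home/[^/]+), root's home is /root.

# Sample module file-context lines, copied from the pyzor.fc quote in the
# thread (the real file separates fields with tabs; spaces are used here).
PYZOR_FC='HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)'

# expand_homedir_rules HOME_REGEX
# Rewrite every HOME_DIR line so the placeholder becomes HOME_REGEX, which
# is what the policy build does for each configured home directory.
expand_homedir_rules() {
    printf '%s\n' "$PYZOR_FC" | sed "s#^HOME_DIR#$1#"
}

# context_for PATH
# Look PATH up against the expanded rules for the generic /home/<user>
# template and for /root. Prints the file context of the first matching
# rule as user:role:type:level, or <<none>> when no home-directory rule
# applies. Regexes are anchored to the whole path, as the SELinux matcher
# does.
context_for() {
    match=$(
        { expand_homedir_rules '/home/[^/]+'; expand_homedir_rules '/root'; } |
        while read -r regex ctx; do
            if printf '%s\n' "$1" | grep -Eq "^${regex}\$"; then
                # gen_context(user:role:type,level) -> user:role:type:level
                printf '%s\n' "$ctx" | sed 's/^gen_context(\(.*\),\(.*\))$/\1:\2/'
                break
            fi
        done
    )
    printf '%s\n' "${match:-<<none>>}"
}

# Demo over constructed paths, including the directory from the thread.
for p in /home/vchepkov/.pyzor /home/vchepkov/.pyzor/servers /root/.spamd /home/vchepkov/.ssh; do
    printf '%-32s %s\n' "$p" "$(context_for "$p")"
done
```

On a live system the equivalent checks are `matchpathcon /home/vchepkov/.pyzor` (which consults the expanded home-directory entries) versus `semanage fcontext -l | grep pyzor` (which does not list them), and `grep pyzor /etc/selinux/*/contexts/files/file_contexts.homedirs` shows the expanded lines themselves. The example only reproduces the expansion and matching logic; it does not explain why the directory in the thread ended up as spamc_home_t rather than pyzor_home_t, which the thread leaves open.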