need to supersede default file context for virtualbox files but no method works

Andreas Bolatzki andreas.bolatzki at secacon.com
Mon Feb 21 15:15:30 UTC 2011


Hello All 

I am working on Fedora 13 and VirtualBox 3.2

Currently I try to apply a selinux module that has been created with
ubuntu to Fedora 13. Because I believe I understand what it should do I
just tried to make it run under F-13.
I have three files: vbox.te, vbox.if, vbox.fc to create a policy module.

After making the vbox.pp I can load it with "semodule -I vbox.pp" and
the module shows up in semodule -l correctly.
The motivation to change these file-contexts is to prepare for correct
type-transition rules so they match the defined rules.

Unfortunately the file-context is never set as needed and as described
in the vbox.fc.

When I check .../file_contexts the correct statements are included but
they happen to appear later than something that was there before... (or
is there if the module is removed):
# matchpathcon /usr/lib/virtualbox/
/usr/lib/virtualbox	system_u:object_r:lib_t:s0
# matchpathcon -f f13vbox.fc /usr/lib/virtualbox/
/usr/lib/virtualbox	<<none>>

Next I tried to do it with semanage fcontext -t 
[~]$ sudo semanage fcontext -a -t vbox_manage_exec_t /usr/lib/virtualbox/VboxManage
[~]$ ls -lZ /usr/lib/virtualbox/VBoxManage
-rwxr-xr-x. root root system_u:object_r:lib_t:s0 /usr/lib/virtualbox/VBoxManage

I'd expect that the lib_t is replaced by vbox_manage_exec_t.
What is the problem? My understanding of what should happen might be
wrong... 

Thanks for your answers.

Andreas

---
Contents of vbox.fc
/dev/vboxdrv                         gen_context(system_u:object_r:vbox_run_t,s0)
/dev/vboxnetctl                      gen_context(system_u:object_r:vbox_run_t,s0)
/usr/lib/virtualbox                  gen_context(system_u:object_r:vbox_run_t,s0)
/usr/lib/virtualbox/(.*)             gen_context(system_u:object_r:vbox_run_t,s0)
/usr/lib/virtualbox/VBoxManage    -- gen_context(system_u:object_r:vbox_manage_exec_t,s0)
/usr/lib/virtualbox/VBoxXPCOMIPCD -- gen_context(system_u:object_r:vbox_ipc_exec_t,s0)
/usr/lib/virtualbox/VirtualBox    -- gen_context(system_u:object_r:vbox_vbox_exec_t,s0)
/usr/lib/virtualbox/VBoxSDL       -- gen_context(system_u:object_r:vbox_vbox_exec_t,s0)
/usr/lib/virtualbox/VBoxSVC       -- gen_context(system_u:object_r:vbox_svc_exec_t,s0)
HOME_DIR/.VirtualBox(/.*)?           gen_context(system_u:object_r:vbox_run_t,s0)
---
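Added illustration, not part of Andreas's message and not libselinux's own code: a simplified Python model of how file_contexts entries are resolved, applied to the vbox.fc entries quoted above. It assumes the libselinux rules that a pattern must match the whole path, that the optional file-type field (`--` regular file, `-d` directory) filters candidates, and that the last surviving entry in file order wins; it does not model the specificity sort that policy build tools may apply before writing file_contexts.

```python
import re

# Constructed from the vbox.fc entries in the message above (one entry per line).
VBOX_FC = """
/dev/vboxdrv                         gen_context(system_u:object_r:vbox_run_t,s0)
/dev/vboxnetctl                      gen_context(system_u:object_r:vbox_run_t,s0)
/usr/lib/virtualbox                  gen_context(system_u:object_r:vbox_run_t,s0)
/usr/lib/virtualbox/(.*)             gen_context(system_u:object_r:vbox_run_t,s0)
/usr/lib/virtualbox/VBoxManage    -- gen_context(system_u:object_r:vbox_manage_exec_t,s0)
/usr/lib/virtualbox/VBoxXPCOMIPCD -- gen_context(system_u:object_r:vbox_ipc_exec_t,s0)
/usr/lib/virtualbox/VirtualBox    -- gen_context(system_u:object_r:vbox_vbox_exec_t,s0)
/usr/lib/virtualbox/VBoxSDL       -- gen_context(system_u:object_r:vbox_vbox_exec_t,s0)
/usr/lib/virtualbox/VBoxSVC       -- gen_context(system_u:object_r:vbox_svc_exec_t,s0)
HOME_DIR/.VirtualBox(/.*)?           gen_context(system_u:object_r:vbox_run_t,s0)
"""

# path regex, optional file-type field (-- regular file, -d directory, ...),
# then gen_context(user:role:type,mls)
FC_LINE = re.compile(r"^(\S+)\s+(?:(-[-a-z])\s+)?gen_context\(([^,]+),([^)]+)\)$")

def parse_fc(text):
    """Return (compiled_regex, ftype_or_None, context) tuples in file order."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = FC_LINE.match(line)
        if not m:
            raise ValueError("cannot parse fc line: " + line)
        regex, ftype, ctx, mls = m.groups()
        # the pattern is anchored so it must match the whole path
        entries.append((re.compile("^" + regex + "$"), ftype, ctx + ":" + mls))
    return entries

def lookup(entries, path, ftype="--"):
    """Context the path would receive, or None if nothing matches.
    Entries whose file-type field does not fit are skipped; among the
    rest the last one in file order wins, so the loop runs backwards."""
    for regex, want, ctx in reversed(entries):
        if want is not None and want != ftype:
            continue
        if regex.match(path):  # case-sensitive match, like the real matcher
            return ctx
    return None

if __name__ == "__main__":
    fc = parse_fc(VBOX_FC)
    for path, ftype in [("/usr/lib/virtualbox", "-d"),
                        ("/usr/lib/virtualbox/VBoxManage", "--"),
                        ("/usr/lib/virtualbox/VboxManage", "--")]:
        print(path, ftype, lookup(fc, path, ftype))
```

Appending a broader entry such as `/usr/lib(/.*)?` after these lines makes it win for every path under /usr/lib, which is why the position of an entry in the generated file_contexts matters. Neither semodule nor semanage fcontext relabels files already on disk; the label shown by ls -Z changes only after restorecon is run on the path.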
