need to supersede default file context for virtualbox files but no method works

Dominick Grift domg472 at gmail.com
Mon Feb 21 15:22:42 UTC 2011



On 02/21/2011 04:15 PM, Andreas Bolatzki wrote:
> Hello All 
> 
> I am working on Fedora 13 and VirtualBox 3.2
> 
> Currently I try to apply an SELinux module that has been created with
> Ubuntu to Fedora 13. Because I believe I understand what it should do I
> just tried to make it run under F-13.
> I have three files: vbox.te, vbox.if, vbox.fc to create a policy module.
> 
> After making the vbox.pp I can load it with "semodule -I vbox.pp" and
> the module shows up in semodule -l correctly.
> The motivation to change these file-contexts is to prepare for correct
> type-transition rules so they match the defined rules.
> 
> Unfortunately the file-context is never set as needed and as described
> in the vbox.fc.
> 
> When I check .../file_contexts the correct statements are included but
> they happen to appear later than something that was there before... (or
> is there if the module is removed):
> # matchpathcon /usr/lib/virtualbox/
> /usr/lib/virtualbox	system_u:object_r:lib_t:s0
> # matchpathcon -f f13vbox.fc /usr/lib/virtualbox/
> /usr/lib/virtualbox	<<none>>
> 
> Next I tried to do it with semanage fcontext -t 
> [~]$ sudo semanage fcontext  -a -t vbox_manage_exec_t /usr/lib/virtualbox/VboxManage
> [~]$ ls -lZ /usr/lib/virtualbox/VBoxManage
> -rwxr-xr-x. root root system_u:object_r:lib_t:s0 /usr/lib/virtualbox/VBoxManage
That semanage command above only adds a new file context specification.
You have to restore the context after that to actually apply the
specified file context.

> 
> I'd expect that the lib_t is replaced by vbox_manage_exec_t.
> What is the problem? My understanding of what should happen might be
> wrong... 
> 
> Thanks for your answers.
> 
> Andreas
> 
> ---
> Contents of vbox.fc
> /dev/vboxdrv                            gen_context(system_u:object_r:vbox_run_t,s0)
> /dev/vboxnetctl                         gen_context(system_u:object_r:vbox_run_t,s0)
> /usr/lib/virtualbox                     gen_context(system_u:object_r:vbox_run_t,s0)
> /usr/lib/virtualbox/(.*)                gen_context(system_u:object_r:vbox_run_t,s0)
> /usr/lib/virtualbox/VBoxManage      --  gen_context(system_u:object_r:vbox_manage_exec_t,s0)
> /usr/lib/virtualbox/VBoxXPCOMIPCD   --  gen_context(system_u:object_r:vbox_ipc_exec_t,s0)
> /usr/lib/virtualbox/VirtualBox      --  gen_context(system_u:object_r:vbox_vbox_exec_t,s0)
> /usr/lib/virtualbox/VBoxSDL         --  gen_context(system_u:object_r:vbox_vbox_exec_t,s0)
> /usr/lib/virtualbox/VBoxSVC         --  gen_context(system_u:object_r:vbox_svc_exec_t,s0)
> HOME_DIR/.VirtualBox(/.*)?              gen_context(system_u:object_r:vbox_run_t,s0)

These are specified file contexts. After loading these, you may need to
apply them by running restorecon on each of the paths.

> ---

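The gap between a file context specification and the label stored on a file, as an added example that is not part of the original thread: the script compares what the loaded policy specifies for a path with what is on disk and reports where restorecon is still needed. The function names are hypothetical; `check_paths` assumes an SELinux host with `matchpathcon` and GNU `stat`.

```shell
#!/bin/sh
# Added example (not from the thread): specification vs. on-disk label.

# ctx_type CONTEXT -> prints the type field of user:role:type[:level]
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# needs_relabel EXPECTED ACTUAL -> succeeds when the two types differ
needs_relabel() {
    [ "$(ctx_type "$1")" != "$(ctx_type "$2")" ]
}

# report PATH EXPECTED ACTUAL -> prints one status line for the path
report() {
    if [ "$2" = "<<none>>" ]; then
        # matchpathcon prints <<none>> when the spec assigns no label
        printf '%s: no specification, label left alone\n' "$1"
    elif needs_relabel "$2" "$3"; then
        printf '%s: on disk %s, policy says %s (run restorecon)\n' \
            "$1" "$(ctx_type "$3")" "$(ctx_type "$2")"
    else
        printf '%s: ok (%s)\n' "$1" "$(ctx_type "$3")"
    fi
}

# check_paths PATH... -> queries the loaded policy and the filesystem
check_paths() {
    for p in "$@"; do
        expected=$(matchpathcon -n "$p") || continue  # specified context
        actual=$(stat -c %C "$p") || continue         # context on disk
        report "$p" "$expected" "$actual"
    done
}

# Only touch the system when paths are given on the command line.
if [ "$#" -gt 0 ]; then
    check_paths "$@"
fi
```

Run it with the paths from vbox.fc as arguments; after `restorecon -v` on a reported path, a second run should print `ok` for it.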

