need to supersede default file context for virtualbox files but no method works
Dominick Grift
domg472 at gmail.com
Mon Feb 21 15:22:42 UTC 2011
On 02/21/2011 04:15 PM, Andreas Bolatzki wrote:
> Hello All
>
> I am working on Fedora 13 and VirtualBox 3.2
>
> Currently I try to apply a selinux module that has been created with
> ubuntu to Fedora 13. Because I believe I understand what it should do I
> just tried to make it run under F-13.
> I have three files: vbox.te, vbox.if, vbox.fc to create a policy module.
>
> After making the vbox.pp I can load it with "semodule -I vbox.pp" and
> the module shows up in semodule -l correctly.
> The motivation to change these file-contexts is to prepare for correct
> type-transition rules so they match the defined rules.
>
> Unfortunately the file-context is never set as needed and as described
> in the vbox.fc.
>
> When I check .../file_contexts the correct statements are included but
> they happen to appear later than something that was there before... (or
> is there if the module is removed):
> # matchpathcon /usr/lib/virtualbox/
> /usr/lib/virtualbox system_u:object_r:lib_t:s0
> # matchpathcon -f f13vbox.fc /usr/lib/virtualbox/
> /usr/lib/virtualbox <<none>>
>
> Next I tried to do it with semanage fcontext -t
> [~]$ sudo semanage fcontext -a -t vbox_manage_exec_t /usr/lib/virtualbox/VboxManage
> [~]$ ls -lZ /usr/lib/virtualbox/VBoxManage
> -rwxr-xr-x. root root system_u:object_r:lib_t:s0 /usr/lib/virtualbox/VBoxManage
That semanage command above only adds a new file context specification.
You have to restore the context after that to actually apply the
specified file context.
>
> I'd expect that the lib_t is replaced by vbox_manage_exec_t.
> What is the problem? My understanding of what should happen might be
> wrong...
>
> Thanks for your answers.
>
> Andreas
>
> ---
> Contents of vbox.fc
> /dev/vboxdrv gen_context(system_u:object_r:vbox_run_t,s0)
> /dev/vboxnetctl gen_context(system_u:object_r:vbox_run_t,s0)
> /usr/lib/virtualbox gen_context(system_u:object_r:vbox_run_t,s0)
> /usr/lib/virtualbox/(.*) gen_context(system_u:object_r:vbox_run_t,s0)
> /usr/lib/virtualbox/VBoxManage -- gen_context(system_u:object_r:vbox_manage_exec_t,s0)
> /usr/lib/virtualbox/VBoxXPCOMIPCD -- gen_context(system_u:object_r:vbox_ipc_exec_t,s0)
> /usr/lib/virtualbox/VirtualBox -- gen_context(system_u:object_r:vbox_vbox_exec_t,s0)
> /usr/lib/virtualbox/VBoxSDL -- gen_context(system_u:object_r:vbox_vbox_exec_t,s0)
> /usr/lib/virtualbox/VBoxSVC -- gen_context(system_u:object_r:vbox_svc_exec_t,s0)
> HOME_DIR/.VirtualBox(/.*)? gen_context(system_u:object_r:vbox_run_t,s0)
These are specified file contexts. After loading these, you may need to
apply them by running restorecon on each of the paths.
> ---
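The distinction made in the reply above, between the context a specification names and the label actually stored on the file, can be checked per path. The following is an added example, not part of the original thread; the function names context_type, label_state and audit_path are hypothetical, and the sample contexts in the comments are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: compare the context the loaded policy specifies for a path
# with the label stored on disk. "semanage fcontext -a" and a loaded .fc file
# only change the specification; restorecon copies it onto the file.

# Print the type field of a context such as system_u:object_r:lib_t:s0.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# label_state SPEC_CONTEXT DISK_CONTEXT
# Prints one of: ok      (types already agree)
#                relabel (restorecon would have something to change)
#                nospec  (no specification matches, nothing to restore)
label_state() {
    case "$1" in
        '<<none>>'|'') echo nospec; return ;;
    esac
    if [ "$(context_type "$1")" = "$(context_type "$2")" ]; then
        echo ok
    else
        echo relabel
    fi
}

# Live check for one path; needs matchpathcon and restorecon on an SELinux host.
audit_path() {
    spec=$(matchpathcon -n "$1") || return 1   # context the policy specifies
    disk=$(stat -c %C "$1") || return 1        # context stored on the file
    state=$(label_state "$spec" "$disk")
    printf '%s\tspec=%s\tdisk=%s\t%s\n' "$1" "$spec" "$disk" "$state"
    # -n reports what would change without changing it; drop -n to apply.
    [ "$state" = relabel ] && restorecon -n -v "$1"
    return 0
}

# On a real system, after adding the specification:
#   semanage fcontext -a -t vbox_manage_exec_t /usr/lib/virtualbox/VBoxManage
#   audit_path /usr/lib/virtualbox/VBoxManage
```

File context specifications are case-sensitive regular expressions matched against the full path, so a result of nospec or an unexpected type usually means the specification does not match the on-disk name exactly.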