AW: selinux Digest, Vol 84, Issue 10
Andreas Bolatzki
andreas.bolatzki at secacon.com
Tue Feb 22 16:07:50 UTC 2011
Finally I found the problem: the .fc file was really still using the Ubuntu directory structure (/usr/bin/virtualbox). Unfortunately I didn't notice that this was different from the locations /usr/bin/ and /usr/lib/virtualbox where I found the binaries in question. --> blind me! :-(
Thanks a lot for the help!
>-----Original Message-----
>From: selinux-bounces at lists.fedoraproject.org [mailto:selinux-bounces at lists.fedoraproject.org] On behalf of selinux-request at lists.fedoraproject.org
>Sent: Tuesday, 22 February 2011 13:00
>To: selinux at lists.fedoraproject.org
>Subject: selinux Digest, Vol 84, Issue 10
> 4. Re: need to superseed default file context for virtualbox
> files but no method works (Dominick Grift)
>
>Message: 4
>Date: Mon, 21 Feb 2011 16:22:42 +0100
>From: Dominick Grift <domg472 at gmail.com>
>Subject: Re: need to superseed default file context for virtualbox
> files but no method works
>To: selinux at lists.fedoraproject.org
>Message-ID: <4D628342.8070102 at gmail.com>
>Content-Type: text/plain; charset=ISO-8859-1
>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>On 02/21/2011 04:15 PM, Andreas Bolatzki wrote:
>> Hello All
>>
>> I am working on Fedora 13 and VirtualBox 3.2
>>
>> Currently I try to apply a selinux module that has been created with
>> ubuntu to Fedora 13. Because I believe I understand what it should do I
>> just tried to make it run under F-13.
>> I have three files: vbox.te, vbox.if, vbox.fc to create a policy module.
>>
>> After making the vbox.pp I can load it with "semodule -i vbox.pp" and
>> the module shows up in semodule -l correctly.
>> The motivation to change these file-contexts is to prepare for correct
>> type-transition rules so they match the defined rules.
>>
>> Unfortunately the file-context is never set as needed and as described
>> in the vbox.fc.
>>
>> When I check .../file_contexts the correct statements are included but
>> they happen to appear later than something that was there before... (or
>> is there if the module is removed):
>> # matchpathcon /usr/lib/virtualbox/
>> /usr/lib/virtualbox system_u:object_r:lib_t:s0
>> # matchpathcon -f f13vbox.fc /usr/lib/virtualbox/
>> /usr/lib/virtualbox <<none>>
>>
>> Next I tried to do it with semanage fcontext -t
>> [~]$ sudo semanage fcontext -a -t vbox_manage_exec_t
>> /usr/lib/virtualbox/VboxManage
>> [~]$ ls -lZ /usr/lib/virtualbox/VBoxManage
>> -rwxr-xr-x. root root system_u:object_r:lib_t:s0
>> /usr/lib/virtualbox/VBoxManage
>That semanage command above only adds a new file context specification.
>You have to restore the context after that to actually apply the
>specified file context.
>
ANDREAS: OK, the problem is that something supersedes my module!
ANDREAS: The restorecon does nothing at first...
ANDREAS: [~]# restorecon -v /usr/lib/virtualbox/VBoxSDL
ANDREAS: [~]# chcon -t vbox_vbox_exec_t /usr/lib/virtualbox/VBoxSDL
ANDREAS: [~]# restorecon -v /usr/lib/virtualbox/VBoxSDL
ANDREAS: restorecon reset /usr/lib/virtualbox/VBoxSDL context system_u:object_r:vbox_vbox_exec_t:s0->system_u:object_r:lib_t:s0
ANDREAS: [~]#
ANDREAS: --->> Finally I found the problem: the .fc file was really still using the Ubuntu directory structure (/usr/bin/virtualbox). Unfortunately I didn't notice that this was different from /usr/bin/ and /usr/lib/virtualbox where I found the binaries in question. --> blind me! :-(
Thanks a lot for the help!
>
>> I'd expect that the lib_t is replaced by vbox_manage_exec_t.
>> What is the problem? My understanding of what should happen might be
>> wrong...
>>
>> Thanks for your answers.
>>
>> Andreas
>>
>> ---
>> Contents of vbox.fc
>> /dev/vboxdrv                         gen_context(system_u:object_r:vbox_run_t,s0)
>> /dev/vboxnetctl                      gen_context(system_u:object_r:vbox_run_t,s0)
>> /usr/lib/virtualbox                  gen_context(system_u:object_r:vbox_run_t,s0)
>> /usr/lib/virtualbox/(.*)             gen_context(system_u:object_r:vbox_run_t,s0)
>> /usr/lib/virtualbox/VBoxManage    -- gen_context(system_u:object_r:vbox_manage_exec_t,s0)
>> /usr/lib/virtualbox/VBoxXPCOMIPCD -- gen_context(system_u:object_r:vbox_ipc_exec_t,s0)
>> /usr/lib/virtualbox/VirtualBox    -- gen_context(system_u:object_r:vbox_vbox_exec_t,s0)
>> /usr/lib/virtualbox/VBoxSDL       -- gen_context(system_u:object_r:vbox_vbox_exec_t,s0)
>> /usr/lib/virtualbox/VBoxSVC       -- gen_context(system_u:object_r:vbox_svc_exec_t,s0)
>> HOME_DIR/.VirtualBox(/.*)?           gen_context(system_u:object_r:vbox_run_t,s0)
>
>These are specified file contexts. After loading these, you may need to
>apply them by running restorecon on each of the paths
>
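Added illustration, not part of the thread or of the vbox policy module: a small Python model of how libselinux resolves a path against file_contexts entries (the last matching entry wins, and an entry's file-type flag such as "--" filters by type), run over a constructed vbox.fc in the Ubuntu layout and its Fedora 13 correction. The /usr/bin/virtualbox paths are assumed from Andreas's description of the wrong prefix; the contexts are the ones quoted in the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample (not the thread's own file): a vbox.fc written for Ubuntu's
# layout (/usr/bin/virtualbox). Contexts are the thread's; the paths are assumed.
UBUNTU_FC = """\
/dev/vboxdrv                       gen_context(system_u:object_r:vbox_run_t,s0)
/usr/bin/virtualbox(/.*)?          gen_context(system_u:object_r:vbox_run_t,s0)
/usr/bin/virtualbox/VBoxSDL     -- gen_context(system_u:object_r:vbox_vbox_exec_t,s0)
"""
# The same file with the prefix corrected for Fedora 13.
FEDORA_FC = UBUNTU_FC.replace("/usr/bin/virtualbox", "/usr/lib/virtualbox")

# <path regex> [<file type flag>] gen_context(<context>,<mls>) | <raw context>
FC_LINE = re.compile(
    r"^(?P<regex>\S+)\s+(?:(?P<ftype>-[-bcdlps])\s+)?"
    r"(?:gen_context\((?P<ctx>[^,]+),(?P<mls>[^)]+)\)|(?P<raw>\S+))\s*$"
)

@dataclass
class Spec:
    regex: re.Pattern      # libselinux anchors every entry as ^(regex)$
    ftype: Optional[str]   # "--" regular file, "-d" directory, ...; None = any
    context: str           # "<<none>>" marks a path as deliberately unlabeled

def parse_fc(text: str) -> List[Spec]:
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = FC_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable file_contexts line: {line}")
        ctx = f"{m['ctx']}:{m['mls']}" if m["ctx"] else m["raw"]
        specs.append(Spec(re.compile(f"^(?:{m['regex']})$"), m["ftype"], ctx))
    return specs

def matchpathcon(specs: List[Spec], path: str, ftype: Optional[str] = None) -> str:
    """Mimic matchpathcon(1): libselinux walks the spec list from the end, so the
    LAST matching entry wins (which is why a later entry, or file_contexts.local,
    overrides an earlier one, and why a wrong prefix yields <<none>>, not a clash)."""
    for spec in reversed(specs):
        if spec.ftype and ftype and spec.ftype != ftype:
            continue   # entry restricted to another file type, e.g. "--" vs "-d"
        if spec.regex.match(path):
            return spec.context
    return "<<none>>"
```

With the Ubuntu-layout file, /usr/lib/virtualbox/VBoxSDL resolves to <<none>> exactly as the thread's "matchpathcon -f" run showed; with the corrected prefix it resolves to vbox_vbox_exec_t, after which restorecon would apply it.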