AW: selinux Digest, Vol 84, Issue 10

Andreas Bolatzki andreas.bolatzki at secacon.com
Tue Feb 22 16:07:50 UTC 2011


Finally I found the problem: the .fc file was really still using the Ubuntu directory structure (/usr/bin/virtualbox); unfortunately I didn't notice that this was different from the locations /usr/bin/ and /usr/lib/virtualbox where I found the binaries in question. --> blind me! :-(

Thanks a lot for the help!

>-----Original Message-----
>From: selinux-bounces at lists.fedoraproject.org [mailto:selinux-bounces at lists.fedoraproject.org] On behalf of selinux-request at lists.fedoraproject.org
>Sent: Tuesday, 22 February 2011 13:00
>To: selinux at lists.fedoraproject.org
>Subject: selinux Digest, Vol 84, Issue 10
>   4. Re: need to superseed default file context for virtualbox
>      files but no method works (Dominick Grift)
>
>Message: 4
>Date: Mon, 21 Feb 2011 16:22:42 +0100
>From: Dominick Grift <domg472 at gmail.com>
>Subject: Re: need to superseed default file context for virtualbox
>	files but no method works
>To: selinux at lists.fedoraproject.org
>Message-ID: <4D628342.8070102 at gmail.com>
>Content-Type: text/plain; charset=ISO-8859-1
>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>On 02/21/2011 04:15 PM, Andreas Bolatzki wrote:
>> Hello All 
>> 
>> I am working on Fedora 13 and VirtualBox 3.2
>> 
>> Currently I try to apply a selinux module that has been created with
>> ubuntu to Fedora 13. Because I believe I understand what it should do I
>> just tried to make it run under F-13.
>> I have three files: vbox.te, vbox.if, vbox.fc to create a policy module.
>> 
>> After making the vbox.pp I can load it with "semodule -I vbox.pp" and
>> the module shows up in semodule -l correctly.
>> The motivation to change these file-contexts is to prepare for correct
>> type-transition rules so they match the defined rules.
>> 
>> Unfortunately the file-context is never set as needed and as described
>> in the vbox.fc.
>> 
>> When I check .../file_contexts the correct statements are included but
>> they happen to appear later than something that was there before... (or
>> is there if the module is removed):
>> # matchpathcon /usr/lib/virtualbox/
>> /usr/lib/virtualbox	system_u:object_r:lib_t:s0
>> # matchpathcon -f f13vbox.fc /usr/lib/virtualbox/
>> /usr/lib/virtualbox	<<none>>
>> 
>> Next I tried to do it with semanage fcontext -t 
>> [~]$ sudo semanage fcontext  -a -t vbox_manage_exec_t
>> /usr/lib/virtualbox/VboxManage
>> [~]$ ls -lZ /usr/lib/virtualbox/VBoxManage 
>> -rwxr-xr-x. root root system_u:object_r:lib_t:s0
>> /usr/lib/virtualbox/VBoxManage
>That semanage command above only adds a new file context specification.
>You have to restore the context after  that to actually apply the
>specified file context.
>
ANDREAS: OK, the problem is that something supersedes my module!
ANDREAS: The restorecon does nothing at first...
ANDREAS: [~]# restorecon -v /usr/lib/virtualbox/VBoxSDL
ANDREAS: [~]# chcon -t vbox_vbox_exec_t /usr/lib/virtualbox/VBoxSDL
ANDREAS: [~]# restorecon -v /usr/lib/virtualbox/VBoxSDL
ANDREAS: restorecon reset /usr/lib/virtualbox/VBoxSDL context system_u:object_r:vbox_vbox_exec_t:s0->system_u:object_r:lib_t:s0
ANDREAS: [~]#
ANDREAS: --->> Finally I found the problem: the .fc file was really still using the Ubuntu directory structure (/usr/bin/virtualbox); unfortunately I didn't notice that this was different from /usr/bin/ and /usr/lib/virtualbox where I found the binaries in question. --> blind me! :-(

Thanks a lot for the help! 

> 
>> I 'd expect that the lib_t is replaced by vbox_manage_exec_t.
>> What is the problem? My understanding of what should happen might be
>> wrong... 
>> 
>> Thanks for your answers.
>> 
>> Andreas
>> 
>> ---
>> Contents of vbox.fc
>> /dev/vboxdrv                         gen_context(system_u:object_r:vbox_run_t,s0)
>> /dev/vboxnetctl                      gen_context(system_u:object_r:vbox_run_t,s0)
>> /usr/lib/virtualbox                  gen_context(system_u:object_r:vbox_run_t,s0)
>> /usr/lib/virtualbox/(.*)             gen_context(system_u:object_r:vbox_run_t,s0)
>> /usr/lib/virtualbox/VBoxManage    -- gen_context(system_u:object_r:vbox_manage_exec_t,s0)
>> /usr/lib/virtualbox/VBoxXPCOMIPCD -- gen_context(system_u:object_r:vbox_ipc_exec_t,s0)
>> /usr/lib/virtualbox/VirtualBox    -- gen_context(system_u:object_r:vbox_vbox_exec_t,s0)
>> /usr/lib/virtualbox/VBoxSDL       -- gen_context(system_u:object_r:vbox_vbox_exec_t,s0)
>> /usr/lib/virtualbox/VBoxSVC       -- gen_context(system_u:object_r:vbox_svc_exec_t,s0)
>> HOME_DIR/.VirtualBox(/.*)?           gen_context(system_u:object_r:vbox_run_t,s0)
>
>These are specified file contexts. After loading these, you may need to
>apply them by running restorecon on each of the paths
>
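The lookup rule behind the matchpathcon and restorecon results discussed in this thread, as an added example that is not code from the thread, from the VirtualBox policy module, or from libselinux: a small Python model of file_contexts matching. It parses .fc-style lines (regex, optional file-type column, gen_context(...) or a literal context) and picks the most specific matching entry, where a longer literal directory prefix wins, a plain path beats a regex with the same prefix, and the later line wins among equals. That ranking is a simplified model of how refpolicy's fc_sort orders entries and libselinux chooses the last match; the base-policy entries, the /home/alice home directory and the Ubuntu-layout module are all constructed for the example. It shows why a module written for /usr/bin/virtualbox leaves /usr/lib/virtualbox/VBoxManage at lib_t and what changes once the paths match the Fedora layout.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Characters treated as regex metacharacters when deriving the literal
# "stem" (directory prefix) of a file_contexts spec.
_META = set('.^$?*+|[](){}\\')
# Valid file-type filters in the optional middle column of an .fc line.
FTYPE_FLAGS = {'--', '-d', '-l', '-c', '-b', '-s', '-p'}


@dataclass
class Spec:
    regex: re.Pattern
    ftype: Optional[str]   # None means "any file type"
    context: str
    stem_len: int          # longer literal directory prefix = more specific
    has_meta: bool         # a pure literal beats a regex with the same stem
    index: int             # position in the file: later wins among equals


def _stem_len(pattern):
    """Length of the prefix up to the last '/' before the first metacharacter."""
    first_meta = next((i for i, c in enumerate(pattern) if c in _META), len(pattern))
    return max(pattern.rfind('/', 0, first_meta), 0)


def parse_fc(text, home_dir='/home/alice'):
    """Parse .fc lines of the form: <regex> [<ftype>] <context | gen_context(...) | <<none>>>."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split()
        if len(parts) == 2:
            pattern, ctx = parts
            ftype = None
        elif len(parts) == 3 and parts[1] in FTYPE_FLAGS:
            pattern, ftype, ctx = parts
        else:
            raise ValueError(f'malformed spec: {raw!r}')
        m = re.fullmatch(r'gen_context\(([^,]+),([^)]+)\)', ctx)
        if m:  # gen_context(user:role:type,mls) -> user:role:type:mls
            ctx = f'{m.group(1)}:{m.group(2)}'
        # HOME_DIR is expanded per user by genhomedircon; a constructed value is used here.
        pattern = pattern.replace('HOME_DIR', re.escape(home_dir))
        specs.append(Spec(re.compile(pattern), ftype, ctx, _stem_len(pattern),
                          any(c in _META for c in pattern), len(specs)))
    return specs


def lookup(specs, path, ftype='--'):
    """Context for path, or None when nothing matches (matchpathcon prints <<none>>)."""
    best = None
    for s in specs:
        if s.ftype is not None and s.ftype != ftype:
            continue
        if not s.regex.fullmatch(path):
            continue
        rank = (s.stem_len, not s.has_meta, s.index)
        if best is None or rank > best[0]:
            best = (rank, s)
    if best is None or best[1].context == '<<none>>':
        return None
    return best[1].context


# Constructed entries standing in for the distribution's base policy.
BASE_FC = r"""
/usr/lib(64)?(/.*)?                  gen_context(system_u:object_r:lib_t,s0)
/usr/bin(/.*)?                       gen_context(system_u:object_r:bin_t,s0)
"""

# Constructed module .fc written for the Ubuntu layout (/usr/bin/virtualbox).
UBUNTU_VBOX_FC = r"""
/usr/bin/virtualbox                  gen_context(system_u:object_r:vbox_run_t,s0)
/usr/bin/virtualbox/(.*)             gen_context(system_u:object_r:vbox_run_t,s0)
/usr/bin/virtualbox/VBoxManage    -- gen_context(system_u:object_r:vbox_manage_exec_t,s0)
HOME_DIR/\.VirtualBox(/.*)?          gen_context(system_u:object_r:vbox_run_t,s0)
"""

# The same module with its paths corrected for the Fedora layout (/usr/lib/virtualbox).
FEDORA_VBOX_FC = UBUNTU_VBOX_FC.replace('/usr/bin/virtualbox', '/usr/lib/virtualbox')


def demo():
    """Resolve the thread's paths against both module layouts."""
    ubuntu = parse_fc(BASE_FC + UBUNTU_VBOX_FC)
    fedora = parse_fc(BASE_FC + FEDORA_VBOX_FC)
    target = '/usr/lib/virtualbox/VBoxManage'
    return {
        # Ubuntu-layout module loaded: none of its entries match, so base lib_t wins.
        'ubuntu_layout': lookup(ubuntu, target, '--'),
        # Module file checked on its own (like matchpathcon -f): no spec matches at all.
        'ubuntu_module_only': lookup(parse_fc(UBUNTU_VBOX_FC), target, '--'),
        # Fedora-layout module: the literal, file-only spec beats /usr/lib(64)?(/.*)? and (.*).
        'fedora_layout': lookup(fedora, target, '--'),
        # The '--' filter excludes directories, so the (.*) entry wins for a directory.
        'fedora_layout_if_dir': lookup(fedora, target, '-d'),
        'fedora_dir': lookup(fedora, '/usr/lib/virtualbox', '-d'),
        'fedora_home': lookup(fedora, '/home/alice/.VirtualBox/VMs/test.vbox', '--'),
    }


if __name__ == '__main__':
    for name, ctx in demo().items():
        print(f'{name:22} {ctx or "<<none>>"}')
```

matchpathcon -f <file> corresponds to lookup() over the module file alone, which is why a path the module does not cover comes back as <<none>>. Entries added with semanage fcontext -a land in file_contexts.local, which is consulted after the policy's own entries, so they only help when their regex actually matches the installed path (note the case of the file name), and in every case nothing changes on disk until restorecon is run over the paths.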


