razor policy

Daniel J Walsh dwalsh at redhat.com
Mon Jan 3 21:17:16 UTC 2011



On 12/29/2010 07:00 AM, Dominick Grift wrote:
> On 12/28/2010 11:29 PM, Vadym Chepkov wrote:
> 
>>>>>>>
>>>>>>> P.S. On related note, how do $HOME files get their labeling?
>>>>
>>>> It depends. When all is right, files in Home get created with the
>>>> proper contexts by means of "type transition" rules, basically.
>>>>
>>>> example:
>>>>
>>>> if a process with type pyzor_t creates a file in a directory with type
>>>> user_home_dir_t, then a "type transition" from user_home_dir_t to pyzor_home_t applies.
>>>>
>>>> But in gnome-session there is also restorecond -u watching contexts in home.
>>>>
>>>> Basically it compares contexts in home with what's defined in semanage
>>>> fcontext (or homedir.template) and resets contexts accordingly. (This is
>>>> some hack to ensure that user home dir content is labelled properly.)
>>>
>>> That was my question, how do you define it in semanage fcontext?
>>> I see explicit references to /root/ home, but what about users' home?
>>> Some sort of keyword/macro?
> 
> 
>> I can see this in pyzor.fc
> 
>> HOME_DIR/\.pyzor(/.*)?		gen_context(system_u:object_r:pyzor_home_t,s0)
>> HOME_DIR/\.spamd(/.*)?		gen_context(system_u:object_r:pyzor_home_t,s0)
> 
> 
>> But you won't find anything like this in semanage fcontext -l output. A bug?
> 
> No, home directory contexts are handled a bit differently. There's a file
> in /etc/selinux/*/contexts.* called homedir.contexts (or similar) with
> home directory contexts instead, which gets recreated each time you build
> the policy. I think it's a relic of the past when we used the user role
> prefix to prefix our user home types. Nowadays it's useful for user-based
> access control, I guess.
> 
> 
>>>>
>>>>>>> # semanage fcontext -l|grep pyzor
>>>>>>> has reference only to 
>>>>>>> /root/\.pyzor(/.*)?                                all files          system_u:object_r:pyzor_home_t:s0 
>>>>>>>
>>>>>>> but, directory gets proper labeling:
>>>>>>>
>>>>>>> # ls -dZ /home/vchepkov/.pyzor
>>>>>>> drwx------. vchepkov users unconfined_u:object_r:spamc_home_t:s0 /home/vchepkov/.pyzor
>>>>>>>
> 
> 
> 
Razor and pyzor policies should be back into Fedora with the next policy
update.
-- 
selinux mailing list
selinux at lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
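To make concrete what Dominick describes above (HOME_DIR entries are expanded into a separate per-home context file when the policy is built, which is why `semanage fcontext -l` does not list them, and a path is then matched against the expanded entries), here is an added shell example that is not from the thread or from the policy build tooling: it expands the two pyzor.fc lines quoted in the thread for one home directory and resolves the type a given path would receive. The generic user_home_t entry, the general-first ordering and the last-match-wins rule are assumptions of this example; on Fedora the real expanded file is /etc/selinux/targeted/contexts/files/file_contexts.homedirs.

```shell
#!/bin/sh
# Constructed sample in .fc format (regex<TAB>gen_context(...)): the two
# HOME_DIR lines quoted from pyzor.fc, preceded by a generic home entry.
# Ordered general-first so that the last matching entry wins (assumed here).
tab=$(printf '\t')
FC_TEMPLATE="HOME_DIR(/.*)?${tab}gen_context(system_u:object_r:user_home_t,s0)
HOME_DIR/\\.pyzor(/.*)?${tab}gen_context(system_u:object_r:pyzor_home_t,s0)
HOME_DIR/\\.spamd(/.*)?${tab}gen_context(system_u:object_r:pyzor_home_t,s0)"

# expand_homedir HOME: print "regex<TAB>type" with HOME_DIR replaced by a
# concrete home directory, roughly what the policy build does when it writes
# the per-home context file that the thread refers to.
expand_homedir() {
    home=$1
    printf '%s\n' "$FC_TEMPLATE" | while IFS="$tab" read -r re ctx; do
        type=${ctx#"gen_context(system_u:object_r:"}
        type=${type%",s0)"}
        printf '%s\t%s\n' "$home${re#HOME_DIR}" "$type"
    done
}

# label_for HOME PATH: the type PATH would get from the expanded entries,
# or "none" when no entry matches. Every expanded regex is tried in order
# and the last whole-path match is kept.
label_for() {
    path=$2
    found=none
    while IFS="$tab" read -r re type; do
        if printf '%s\n' "$path" | grep -Eqx -- "$re"; then
            found=$type
        fi
    done <<EOF
$(expand_homedir "$1")
EOF
    printf '%s\n' "$found"
}

label_for /home/vchepkov /home/vchepkov/.pyzor        # pyzor_home_t
label_for /home/vchepkov /home/vchepkov/.spamd/data   # pyzor_home_t
label_for /home/vchepkov /home/vchepkov/Documents     # user_home_t
label_for /home/vchepkov /root/.pyzor                 # none
```

On a live system the same comparison is what `restorecon -nv` (or the restorecond -u mentioned in the thread) reports when a file's actual label differs from the expanded entry.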


