problems labeling files

Michael Atighetchi matighet at bbn.com
Tue Jul 26 10:17:41 UTC 2011 

Hi Dominick,
responses inline below.

On 7/26/2011 11:25 AM, Dominick Grift wrote:
>
> On Tue, 2011-07-26 at 09:33 +0200, Michael Atighetchi wrote:
>> system_u:object_r:CZtp_exec_t:s0
>> /home/proxyuser/trunk/aps-base/crumple-zone/target/runSeed.sh regular
>> file       system_u:object_r:CZwd_exec_t:s0
> Maybe you have not declared the CZwd_exec_t type properly. Would need to
> see your policy to be able to determine that.
Here is the policy:

policy_module(CZwd,1.0.0)

########################################
#
# Declarations
#

type CZwd_t;
type CZwd_exec_t;
application_domain(CZwd_t, CZwd_exec_t)
role system_r types CZwd_t;

permissive CZwd_t;

########################################
#
# CZwd local policy
#

allow CZwd_t self:fifo_file manage_fifo_file_perms;
allow CZwd_t self:unix_stream_socket create_stream_socket_perms;

domain_use_interactive_fds(CZwd_t)

files_read_etc_files(CZwd_t)

miscfiles_read_localization(CZwd_t)

gen_require(` type unconfined_t; role unconfined_r; ')
CZwd_role(unconfined_r, unconfined_t)



> Types have properties, For example some types are domain types others
> file type, executable file type, port types etc. etc.
>
> Type attributes are used to tell selinux what type it is dealing with.
> It is kind of like grouping/classifying/tagging types. Rules are in
> place that are specific to various groups of types.
>
> For you to be able to for example relabel a type of a file object, the
> type with need to be classified a file type. Because there is a rule
> that states that files can only be labelled with file types.
I see - the policy above doesn't seem to specify a property on the type.
> So if you have not classfied your CZwd_exec_t to be a file type then it
> may or may not be the cause of this issue.
>
How do I add the type to the policy? Any idea what other mistakes can 
cause this behavior.

For what it is worth, I generated the CZwd.* files by copying the files 
from a previous invocation of sepolgen and
replacing all references from the previous file to the new file. It is 
only for this process that I have the labeling problems.
For other processes, I explicitly called sepolgen from scratch.

I've attached the current set of files for CZwd.

Michael


-- 
Michael Atighetchi
Senior Scientist
Raytheon BBN Technologies
617-873-1679
matighet at bbn.com

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: CZwd.fc
Url: http://lists.fedoraproject.org/pipermail/selinux/attachments/20110726/e177b864/attachment.pl 
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: CZwd.if
Url: http://lists.fedoraproject.org/pipermail/selinux/attachments/20110726/e177b864/attachment-0001.pl 
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: CZwd.sh
Url: http://lists.fedoraproject.org/pipermail/selinux/attachments/20110726/e177b864/attachment-0002.pl 
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: CZwd.te
Url: http://lists.fedoraproject.org/pipermail/selinux/attachments/20110726/e177b864/attachment-0003.pl

More information about the selinux mailing list