files contexts override via policy module
Hello,
I am sure this is a FAQ or a feature, but I want to know how to work around:

I have cxoffice installed in my F8 home dir and I want some lib labeled as textrel_shlib_t, but I cannot override the default user_home_t home label via a policy module.

NOTE1 it works if the directory is not under /home
NOTE2 there is nothing in the logs if it fails
NOTE3 It has been so since the introduction of modular policy in selinux

This is what I have tried so far in F8.

[root@jack sel]#cat local.fc
#cxoffice
#/home/alex/.cxoffice/dotwine/drive_c(/.*)?/.*.exe -- system_u:object_r:textrel_shlib_t:s0

/home/alex/cxoffice/lib/wine/kernel32.dll.so -- system_u:object_r:textrel_shlib_t:s0

[root@jack sel]#semodule_package -o local.pp -m local.mod -f local.fc
[root@jack sel]#semodule -i local.pp
[root@jack sel]#ls -Z /home/alex/cxoffice/lib/wine/kernel32.dll.so
-rwxr-xr-x alex alex system_u:object_r:user_home_t:s0 /home/alex/cxoffice/lib/wine/kernel32.dll.so
[root@jack sel]#restorecon /home/alex/cxoffice/lib/wine/kernel32.dll.so
[root@jack sel]#ls -Z /home/alex/cxoffice/lib/wine/kernel32.dll.so
-rwxr-xr-x alex alex system_u:object_r:user_home_t:s0 /home/alex/cxoffice/lib/wine/kernel32.dll.so

(If I use the system-config-selinux UI, I can see the new entry in the tab context among all the regexp)

Using semanage, it works:

[root@jack sel]#semodule -r local
[root@jack sel]#semanage fcontext -a -t textrel_shlib_t /home/alex/cxoffice/lib/wine/kernel32.dll.so
[root@jack sel]#ls -Z /home/alex/cxoffice/lib/wine/kernel32.dll.so
-rwxr-xr-x alex alex system_u:object_r:user_home_t:s0 /home/alex/cxoffice/lib/wine/kernel32.dll.so
[root@jack sel]#restorecon /home/alex/cxoffice/lib/wine/kernel32.dll.so
[root@jack sel]#ls -Z /home/alex/cxoffice/lib/wine/kernel32.dll.so
-rwxr-xr-x alex alex system_u:object_r:textrel_shlib_t:s0 /home/alex/cxoffice/lib/wine/kernel32.dll.so

and the custom rule appears in system-config-selinux UI at the end of the policy.

So how do I have my module install my contexts the same way as semanage?
Should I bugzilla it?

BTW, how does system-config-selinux browse the file context policy? Is it possible to see also the rules and type definition?

TIA
jk

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
files contexts override via policy module
Laurent Jacquot wrote:
> So how do I have my module install my contexts the same way as semanage?
> Should I bugzilla it?

This looks like a bug in libsemanage or in the file context labeling algorithm.

I believe matchpathcon is reading in file_contexts, file_contexts.homedirs, file_contexts.local and taking the last entry.

So using semodule to add a pp file updates the file_contexts file, in which case the homedirs is overriding. semanage fcontext updates the file_contexts.local.

If you tried

HOME_DIR/.cxoffice/dotwine/drive_c(/.*)?/.*.exe -- system_u:object_r:textrel_shlib_t:s0

It should update the file_contexts.homedirs file.
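A simplified model of the lookup order described in the reply above, as an added example that is not code from the thread or from libselinux. It assumes the three files are read in the stated order, that the last matching entry wins, and that a module's entries follow the base policy's; the base specs and the `.exe` path are constructed.

```python
import re

# Constructed base specs modelled on the thread; not taken from a real policy.
BASE = [("/.*", "default_t"), ("HOME_DIR/.+", "user_home_t")]

def build(module_fc=(), local=(), homes=("/home/alex",)):
    """Split specs into the three files named in the reply, in read order."""
    specs = list(BASE) + list(module_fc)   # assumption: module entries follow base
    file_contexts = [s for s in specs if not s[0].startswith("HOME_DIR")]
    # HOME_DIR templates are expanded once per home directory.
    homedirs = [(p.replace("HOME_DIR", h, 1), t)
                for p, t in specs if p.startswith("HOME_DIR") for h in homes]
    return [("file_contexts", file_contexts),
            ("file_contexts.homedirs", homedirs),
            ("file_contexts.local", list(local))]

def lookup(path, files):
    """Return (type, source file) of the last spec whose regex matches path."""
    hit = (None, None)
    for name, specs in files:
        for pattern, setype in specs:
            if re.fullmatch(pattern, path):
                hit = (setype, name)       # later entries override earlier ones
    return hit

LIB = "/home/alex/cxoffice/lib/wine/kernel32.dll.so"
OPT = "/opt/cxoffice/lib/wine/kernel32.dll.so"               # constructed path
EXE = "/home/alex/.cxoffice/dotwine/drive_c/app/setup.exe"   # constructed path
HOME_SPEC = "HOME_DIR/.cxoffice/dotwine/drive_c(/.*)?/.*.exe"
T = "textrel_shlib_t"

def scenarios():
    """The four cases from the thread, evaluated against the model."""
    return {
        "module, absolute path": lookup(LIB, build(module_fc=[(LIB, T)])),
        "semanage fcontext": lookup(LIB, build(local=[(LIB, T)])),
        "module, HOME_DIR": lookup(EXE, build(module_fc=[(HOME_SPEC, T)])),
        "module, outside /home": lookup(OPT, build(module_fc=[(OPT, T)])),
    }

if __name__ == "__main__":
    for name, (setype, source) in scenarios().items():
        print(f"{name:24} -> {setype:16} from {source}")
```

On a real system, `matchpathcon <path>` reports the context the installed file context files assign to a path, which can be compared with `ls -Z` before running `restorecon`.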
files contexts override via policy module
On Tuesday, 20 November 2007 at 08:39 -0500, Daniel J Walsh wrote:
> If you tried
>
> HOME_DIR/.cxoffice/dotwine/drive_c(/.*)?/.*.exe -- system_u:object_r:textrel_shlib_t:s0
>
> It should update the file_contexts.homedirs file.

I confirm this works. Thanks!
Should I bugzilla it or is it the way it should be?

jk
files contexts override via policy module
Laurent Jacquot wrote:
> I confirm this works. Thanks!
> Should I bugzilla it or is it the way it should be?

You can bugzilla it, but it probably should be brought up for discussion on the <selinux@tycho.nsa.gov> list.