Old 11-20-2007, 12:31 PM
Laurent Jacquot
 
Default files contexts override via policy module

Hello,
I am sure this is a FAQ or a feature, but I want to know how to work
around:

I have cxoffice installed in my F8 home dir and I want some lib labeled
as textrel_shlib_t, but I cannot override the default user_home_t home
label via a policy module.

NOTE1 it works if the directory is not under /home
NOTE2 there is nothing in the logs if it fails
NOTE3 It has been so since the introduction of modular policy in selinux

This is what I have tried so far in F8.
[root@jack sel]# cat local.fc
#cxoffice
#/home/alex/.cxoffice/dotwine/drive_c(/.*)?/.*.exe -- system_u:object_r:textrel_shlib_t:s0

/home/alex/cxoffice/lib/wine/kernel32.dll.so -- system_u:object_r:textrel_shlib_t:s0

[root@jack sel]# semodule_package -o local.pp -m local.mod -f local.fc
[root@jack sel]# semodule -i local.pp
[root@jack sel]# ls -Z /home/alex/cxoffice/lib/wine/kernel32.dll.so
-rwxr-xr-x alex alex system_u:object_r:user_home_t:s0 /home/alex/cxoffice/lib/wine/kernel32.dll.so
[root@jack sel]# restorecon /home/alex/cxoffice/lib/wine/kernel32.dll.so
[root@jack sel]# ls -Z /home/alex/cxoffice/lib/wine/kernel32.dll.so
-rwxr-xr-x alex alex system_u:object_r:user_home_t:s0 /home/alex/cxoffice/lib/wine/kernel32.dll.so


(If I use the system-config-selinux UI, I can see the new entry in the
tab context among all the regexp)

Using semanage, it works:
[root@jack sel]# semodule -r local
[root@jack sel]# semanage fcontext -a -t textrel_shlib_t /home/alex/cxoffice/lib/wine/kernel32.dll.so
[root@jack sel]# ls -Z /home/alex/cxoffice/lib/wine/kernel32.dll.so
-rwxr-xr-x alex alex system_u:object_r:user_home_t:s0 /home/alex/cxoffice/lib/wine/kernel32.dll.so
[root@jack sel]# restorecon /home/alex/cxoffice/lib/wine/kernel32.dll.so
[root@jack sel]# ls -Z /home/alex/cxoffice/lib/wine/kernel32.dll.so
-rwxr-xr-x alex alex system_u:object_r:textrel_shlib_t:s0 /home/alex/cxoffice/lib/wine/kernel32.dll.so

and the custom rule appears in system-config-selinux UI at the end of
the policy.

So how do I have my module install my contexts the same way as semanage?
Should I bugzilla it?

BTW, how does system-config-selinux browse the file context policy? Is it
possible to see also the rules and type definition?

TIA
jk

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 11-20-2007, 12:39 PM
Daniel J Walsh
 
Default files contexts override via policy module

This looks like a bug in libsemanage or in the file context labeling
algorithm.

I believe matchpathcon is reading in file_contexts,
file_contexts.homedirs, file_contexts.local and taking the last entry.


So using semodule to add a pp file updates the file_contexts file, in
which case the homedirs is overriding. semanage fcontext updates the
file_contexts.local.


If you tried

HOME_DIR/.cxoffice/dotwine/drive_c(/.*)?/.*.exe -- system_u:object_r:textrel_shlib_t:s0

It should update the file_contexts.homedirs file.




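
The lookup order described in the reply above, as a simplified model (an added example, not part of the original thread and not libselinux code): rules from file_contexts, file_contexts.homedirs and file_contexts.local are checked in that order and the last full match wins. The default home-directory rule, the HOME_DIR expansion and the HOME_DIR variant of the kernel32.dll.so path are constructed assumptions.

```python
import re

# Constructed stand-ins for the three files named in the reply, in load order.
# Rules are (anchored regex, SELinux type); real files carry many more entries.
MODULE_RULE = (r"/home/alex/cxoffice/lib/wine/kernel32\.dll\.so", "textrel_shlib_t")
HOMEDIRS_DEFAULT = (r"/home/[^/]*/.+", "user_home_t")  # assumed default home rule
HOME_ROOT = r"/home/[^/]*"                              # assumed HOME_DIR expansion
TARGET = "/home/alex/cxoffice/lib/wine/kernel32.dll.so"

def expand_home_dir(template_rules):
    """Rewrite HOME_DIR templates into concrete homedirs rules."""
    return [(pat.replace("HOME_DIR", HOME_ROOT, 1), typ) for pat, typ in template_rules]

def build_spec_list(file_contexts=(), homedirs_templates=(), local=()):
    """Concatenate file_contexts, file_contexts.homedirs, file_contexts.local."""
    homedirs = [HOMEDIRS_DEFAULT] + expand_home_dir(homedirs_templates)
    return ([("file_contexts", *r) for r in file_contexts]
            + [("file_contexts.homedirs", *r) for r in homedirs]
            + [("file_contexts.local", *r) for r in local])

def lookup(specs, path):
    """Return (source file, type) of the LAST rule that fully matches path."""
    winner = None
    for source, pattern, typ in specs:
        if re.fullmatch(pattern, path):
            winner = (source, typ)
    return winner

def scenarios():
    """Label chosen for TARGET under the three approaches tried in the thread."""
    template = (r"HOME_DIR/cxoffice/lib/wine/kernel32\.dll\.so", "textrel_shlib_t")
    return {
        # semodule -i local.pp with an absolute /home path: lands in file_contexts
        "module, absolute path": lookup(build_spec_list(file_contexts=[MODULE_RULE]), TARGET),
        # semanage fcontext -a: lands in file_contexts.local, read last
        "semanage fcontext": lookup(build_spec_list(local=[MODULE_RULE]), TARGET),
        # module rule written with HOME_DIR: lands in file_contexts.homedirs
        "module, HOME_DIR": lookup(build_spec_list(homedirs_templates=[template]), TARGET),
    }

if __name__ == "__main__":
    for name, (source, typ) in scenarios().items():
        print(f"{name:24} -> {typ:16} (from {source})")
```

On a real system, `matchpathcon <path>` reports the label the installed file context files would assign, which is the quickest check before running restorecon.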
 
Old 11-20-2007, 01:15 PM
Laurent Jacquot
 
Default files contexts override via policy module

I confirm this works. Thanks!
Should I bugzilla it or is it the way it should be?

jk


 
Old 11-20-2007, 01:56 PM
Daniel J Walsh
 
Default files contexts override via policy module

You can bugzilla it, but it probably should be brought up for discussion
on the <selinux@tycho.nsa.gov> list.