how to set permissions to files with a pattern in the file name

Hi All,

I'm a bit of a newbie with SELinux (nothing more than watching sealert -b and doing what it says...) and now I want to learn more about it because I have a problem: I need to set the permissions on files that are going to be created, but these permissions depend on the name of the file. Is it possible?

By the way, any doc about SELinux for beginners? The official doc scares ;-)

Thanks in advance,

ESG

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
how to set permissions to files with a pattern in the file name

On 02/16/2010 09:21 AM, ESGLinux wrote:
> I need to set the permissions on files that are going to be created, but
> these permissions depend on the name of the file. Is it possible?

I do not believe this is possible.

> By the way, any doc about SELinux for beginners? The official doc scares ;-)

http://docs.fedoraproject.org/selinux-user-guide/f12/en-US/
how to set permissions to files with a pattern in the file name

2010/2/16 Dominick Grift <domg472@gmail.com>
> On 02/16/2010 09:21 AM, ESGLinux wrote:
>> I need to set the permissions on files that are going to be created, but
>> these permissions depend on the name of the file. Is it possible?
>
> I do not believe this is possible.

I thought it is the same as you can see in the file /etc/selinux/targeted/contexts/files/file_contexts, for example

    /mnt(/[^/]*)    -l    system_u:object_r:mnt_t:s0

With a pattern you assign a context. So I thought you can use this to assign perms or modify the access to the files. Am I wrong?

> http://docs.fedoraproject.org/selinux-user-guide/f12/en-US/

Thanks, I'm going to study this doc,

ESG
how to set permissions to files with a pattern in the file name

On 02/16/2010 11:05 AM, ESGLinux wrote:
> I thought it is the same as you can see in the
> file /etc/selinux/targeted/contexts/files/file_contexts
> for example
> /mnt(/[^/]*)    -l    system_u:object_r:mnt_t:s0
>
> With a pattern you assign a context. So I thought you can use this to assign
> perms or modify the access to the files.
>
> Am I wrong?

Well, you can use file context specifications to restore contexts of files to the specified context, but I believe this often will not work for creating files. Unless you use restorecond. Restorecond is a daemon that monitors the filesystem and restores locations to the specified contexts as soon as they are created.

But to really create a file with a specified context requires a file type transition. File type transitions depend on which process type creates which class of file object where. So, an example of a type transition:

if a process with type bla_t creates a file in a directory with type hello_t, then type transition to type bla_hello_file_t
if a process with type bla_t creates a sock_file in a directory with type hello_t, then type transition to type bla_hello_sock_file_t
if a process with type bla_t creates a file in a directory with type bye_t, then type transition to type bla_bye_file_t
if a process with type foo_t creates a dir in a directory with type hello_t, then type transition to type foo_hello_dir_t

So there are possibilities, but you cannot use file names to specify type transitions.

You can use file names for file context specifications, however, but that requires that you enable and configure restorecond, and it does not actually create the objects with the specified type. The restorecond daemon just restores the context of a file to the specified context as soon as it is created. An example of restorecond is how it runs in Fedora 12 in a gnome session (restorecond -u).
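The type transitions and the name-keyed file context specification discussed above, written out as an added, hypothetical policy module (not code from the thread; the type names are the placeholders Dominick used, and the path pattern under /srv/data is invented). Newer policy (policy version 25 and later, kernel 2.6.39+) does accept a filename argument on type_transition, which did not exist when this thread was written; it appears below only as a commented-out line.

```selinux
# example.te -- hypothetical module; type names are the thread's placeholders.
module example 1.0;

require {
    class dir { search write add_name };
    class file { create open read write getattr };
    class sock_file { create };
}

# Creating process type and parent directory types from the examples above.
type bla_t;
type hello_t;
type bye_t;

# Types the newly created objects should be born with.
type bla_hello_file_t;
type bla_hello_sock_file_t;
type bla_bye_file_t;

# A type transition is keyed on (creating process type, parent directory
# type, object class). Without it a new object simply inherits the parent
# directory's type (hello_t or bye_t); with it, the object is created
# already labelled with the target type. The file's NAME plays no part.
type_transition bla_t hello_t:file      bla_hello_file_t;
type_transition bla_t hello_t:sock_file bla_hello_sock_file_t;
type_transition bla_t bye_t:file        bla_bye_file_t;

# The transition only picks the label; the create itself still needs allow
# rules for the directory and for the resulting object type.
allow bla_t { hello_t bye_t }:dir { search write add_name };
allow bla_t { bla_hello_file_t bla_bye_file_t }:file { create open read write getattr };
allow bla_t bla_hello_sock_file_t:sock_file create;

# Name-based transitions (policy version 25+, kernel 2.6.39+) postdate this
# thread. In such a policy the equivalent rule keyed on the name would be:
# type_transition bla_t hello_t:file bla_hello_file_t "report.txt";

# example.fc -- a file context specification that IS keyed on the file name.
# It takes effect only when restorecon runs, or when restorecond (which
# watches only the paths listed in /etc/selinux/restorecond.conf) relabels
# the object after it has been created; it never changes the label a file
# is created with. "--" restricts the match to regular files. The path and
# regex are constructed for this example.
/srv/data/report_[^/]*\.txt    --    system_u:object_r:bla_hello_file_t:s0
```

Build with checkmodule -M -m -o example.mod example.te and semodule_package -o example.pp -m example.mod -f example.fc, then load with semodule -i example.pp; a file created under /srv/data is relabelled only after restorecon or restorecond touches it.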
how to set permissions to files with a pattern in the file name

> ESG, Take a step back and explain to us what process is creating these
> files. What processes are you trying to prevent from reading these files?

Any process that can create a file: touch, vim...

> Who is creating the files?

Any user that can log in to the system.

> If it is one process creating the files then you can add SELinux awareness
> to the tool and get the files created with the "correct" context.

I hope my answer explains the problem a bit more.

Thanks

ESG
how to set permissions to files with a pattern in the file name

On 02/17/2010 03:27 AM, ESGLinux wrote:
>> ESG, Take a step back and explain to us what process is creating these
>> files. What processes are you trying to prevent from reading these files?
>
> Any process that can create a file: touch, vim...
>
>> Who is creating the files?
>
> Any user that can log in to the system.
>
>> If it is one process creating the files then you can add SELinux awareness
>> to the tool and get the files created with the "correct" context.
>
> I hope my answer explains the problem a bit more.

What is the security separation on the files then? Can you give me more of a definition of what these files are? Are you trying to allow a file to be created and, depending on its name, have it shared by a confined service?

You have not explained what your security goal is.
how to set permissions to files with a pattern in the file name

> What is the security separation on the files then? Can you give me more of
> a definition of what these files are? Are you trying to allow a file to be
> created and, depending on its name, have it shared by a confined service?
>
> You have not explained what your security goal is.

I'll try to explain. I have a big directory with thousands of files. All of these files match a pattern in the file name (files that don't match don't matter). What I want is that when a new file is created, the users or groups that can access the file are already fixed (it is like putting g+s on a directory so that all the files created have the directory's group).

What I want is to simulate this: http://en.wikipedia.org/wiki/Resource_Access_Control_Facility

Look at this: "In addition to being one of the most mature and scalable security monitors in computing, it has some interesting features that are not often found in Microsoft Windows or Unix environments. It can, for example, set permissions for file patterns — that is, set the permissions even for files that do not yet exist."

Is this possible to simulate with SELinux, or am I totally wrong? I hope now it will be clearer.

Greetings and thanks for your answers

ESG