Linux Archive: Fedora SELinux Support
Question on semanage fcontext -a (http://www.linux-archive.org/fedora-selinux-support/45297-question-semanage-fcontext.html)

"Shintaro Fujiwara" 02-02-2008 07:02 AM

Question on semanage fcontext -a
 
Hi, I read man semanage and found that semanage fcontext -a uses restorecon.

Does that mean I don't have to restorecon after I semanage fcontext -a ?

I just did restorecon fcontext -a and relabeled the system and found that file context survived.


Thanks in advance.
--
http://intrajp.no-ip.com/ Home Page
--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Stephen Smalley 02-04-2008 12:26 PM

Question on semanage fcontext -a
 
On Sat, 2008-02-02 at 17:02 +0900, Shintaro Fujiwara wrote:
> Hi, I read man semanage and found that semanage fcontext -a uses
> restorecon.
>
> Does that mean I don't have to restorecon after I semanage fcontext
> -a ?

semanage fcontext -a adds entries to the local file contexts
configuration. It doesn't directly relabel any files. Then, after
you've run semanage fcontext -a to add the entry, you can run restorecon
or other relabeling programs to actually relabel the files to the
context you've specified in the entry.

> I just did restorecon fcontext -a and relabeled the system and found
> that file context survived.

Yes, the relabeling programs (setfiles, restorecon, fixfiles) all
consult the file contexts configuration, and semanage fcontext -a is how
you add local entries to that configuration. The other way to add
entries is by inserting a loadable policy module with its own .fc file.

--
Stephen Smalley
National Security Agency


"Shintaro Fujiwara" 02-04-2008 01:51 PM

Question on semanage fcontext -a
 
2008/2/4, Stephen Smalley <sds@tycho.nsa.gov>:
> On Sat, 2008-02-02 at 17:02 +0900, Shintaro Fujiwara wrote:
> > Hi, I read man semanage and found that semanage fcontext -a uses
> > restorecon.
> >
> > Does that mean I don't have to restorecon after I semanage fcontext
> > -a ?
>
> semanage fcontext -a adds entries to the local file contexts
> configuration. It doesn't directly relabel any files. Then, after
> you've run semanage fcontext -a to add the entry, you can run restorecon
> or other relabeling programs to actually relabel the files to the
> context you've specified in the entry.

OK, I understand.
So, I have to relabel by restorecon after I semanage fcontext -a path, right?

I have already rewritten my program (segatex) to restorecon after semanage fcontext -a -m.

Thank you very much.

> > I just did restorecon fcontext -a and relabeled the system and found
> > that file context survived.
>
> Yes, the relabeling programs (setfiles, restorecon, fixfiles) all
> consult the file contexts configuration, and semanage fcontext -a is how
> you add local entries to that configuration. The other way to add
> entries is by inserting a loadable policy module with its own .fc file.
>
> --
> Stephen Smalley
> National Security Agency


--
http://intrajp.no-ip.com/ Home Page

Stephen Smalley 02-04-2008 02:01 PM

Question on semanage fcontext -a
 
On Mon, 2008-02-04 at 23:51 +0900, Shintaro Fujiwara wrote:
> 2008/2/4, Stephen Smalley <sds@tycho.nsa.gov>:
> semanage fcontext -a adds entries to the local file contexts
> configuration. It doesn't directly relabel any files. Then,
> after
> you've run semanage fcontext -a to add the entry, you can run
> restorecon
> or other relabeling programs to actually relabel the files to
> the
> context you've specified in the entry.
>
> OK, I understand.
> So, I have to relabel by restorecon after I semanage fcontext -a path,
> right ?

Yes. You don't have to do a full relabel, of course, just a restorecon
of the relevant directories and/or files.

> I already re-written my program (segatex) to restorecon after semanage
> fcontext -a -m.
>
> Thank you very much.

--
Stephen Smalley
National Security Agency


Stephen Smalley 03-18-2008 12:45 PM

Question on semanage fcontext -a
 
On Mon, 2008-03-17 at 16:16 -0400, Tim Taylor wrote:
> On Mon, 2008-03-17 at 08:07 -0400, Stephen Smalley wrote:
> >
> > On Mon, 2008-03-17 at 11:31 +0000, Paul Howarth wrote:
> > > ttaylor wrote:
> > > > Does anything special have to be done to cause SELinux to start
> > using newly
> > > > added local filecontexts? What I'm finding is that if I use
> > semanage
> > > > fcontext -a to add a local filecontext definition, it is not used
> > by
> > > > restorecon unless I specify the "-F" option. Without the "-F"
> > option,
> > > > restorecon -vv <file_path> gives the following message:
> > > >
> > > > /sbin/restorecon: <file_path> not reset customized by admin to
> > > > <current_context>
> > > >
> > > > but restorecon -vv -F <file_path> gives this:
> > > >
> > > > /sbin/restorecon reset <file_path> context
> > <current_context>-><new_context>
> > >
> > > This is probably because <current_context> is a customizable type
> > like
> > > httpd_sys_content_t; objects with these types don't get reset by
> > > restorecon unless you use -F. I'm not sure how to find out which
> > types
> > > are customizable off the top of my head though.
> >
> > cat /etc/selinux/$SELINUXTYPE/contexts/customizable_types
> >
> > Dan - I thought we had discussed reducing that set significantly since
> > it was originally to avoid clobbering locally-set types upon a
> > filesystem relabel prior to the introduction of semanage, but with
> > users
> > now able to add local file contexts easily via semanage fcontext -a,
> > it
> > isn't as necessary.
>
> This is exactly my situation. I am using Fedora 8 with all the latest
> updates. I had used semanage to add a filecontext which would cause
> particular directories to be labeled with the type httpd_sys_script_rw_t
> which is a customizable type.
>
> The directory I was trying to label was under /var/www which has a
> context of httpd_sys_content_t which is also a customizable type. So
> why is it that new directories under /var/www are automatically labeled
> with the httpd_sys_content_t type, but things that match my added
> filecontext don't automatically get labeled with httpd_sys_script_rw_t,
> and require the use of restorecon -F?
>
> Here's the specifics:
>
> The command I used to add my local context:
> semanage fcontext -d -f -d -t httpd_sys_script_rw_t
> "/var/www/wikis/[^/]+/images"

This adds the entry to your file contexts configuration, a mapping from
pathname regexes to file security contexts that is used to determine the
right security context for a file when it is first installed (e.g. by
rpm) or when you want to reset the filesystem to its initial state (e.g.
via restorecon or fixfiles relabel), but not at runtime by the kernel.

> I then create a directory that matches the above pattern:
> mkdir -p /var/www/wikis/foo/images
>
> The directory is created, but has the type httpd_sys_content_t.

For runtime file creation, the kernel labels new files based on either:
1) a type transition rule in the policy if one exists for the creating
process' domain, the parent directory type, and the new file's security
class (object type - e.g. regular file, directory, symlink, device
node), or
2) the parent directory's type if no type transition rule matches.

The file contexts configuration is not used by the kernel and is only
supposed to represent the initial install-time state of the filesystem.

> Now I use restorecon to relabel:
> restorecon -vv /var/www/wikis/foo/images

restorecon does consult the file contexts configuration.

> This gives me the following message:
> /sbin/restorecon: /var/www/wikis/foo/images not reset customized by
> admin to system_u:object_r:httpd_sys_content_t:s0

This is because the existing type on the file is a customizable type and
thus may have been manually set by the admin via chcon - this approach
predates the introduction of semanage and as Dan said, customizable
types have been dropped in rawhide / Fedora 9, so you won't encounter
this problem going forward there.

> Now run restorecon with the force flag:
> restorecon -vv -F /var/www/wikis/foo/images
>
> Gives this message:
> restorecon reset /var/www/wikis/foo/images context
> system_u:object_r:httpd_sys_content_t:s0->system_u:object_r:httpd_sys_script_rw_t:s0
>
> Since both types are in the customizable_types file, why is one
> automatically used, and the other only used when forced?

If by automatically used, you mean at new file creation, neither file
contexts nor customizable types has anything to do with that. If you
mean by restorecon, the restorecon logic is simply to not relabel a file
that has a customizable type since it may have been manually set by the
admin.

--
Stephen Smalley
National Security Agency

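The following is an added example, not code from the thread or from the SELinux userspace: a small Python model of the labeling behaviour described in the two replies above (semanage fcontext -a only edits the file contexts configuration; the kernel labels new objects by type_transition or parent type; restorecon consults the configuration but skips customizable types unless forced). The file contexts entries, customizable_types subset, type_transition rule and the "last matching entry wins" regex rule are constructed simplifications of the real libselinux behaviour, and the replay follows Tim Taylor's mkdir / restorecon / restorecon -F sequence.

```python
import re

# Constructed file contexts configuration: (pathname regex, file type filter, type).
# Regexes are anchored at both ends, as file_contexts entries are; the second
# entry stands in for the local entry added with semanage fcontext -a.
FILE_CONTEXTS = [
    (r"/var/www(/.*)?", None, "httpd_sys_content_t"),
    (r"/var/www/wikis/[^/]+/images", "dir", "httpd_sys_script_rw_t"),
]

# Constructed subset of /etc/selinux/$SELINUXTYPE/contexts/customizable_types.
CUSTOMIZABLE_TYPES = {"httpd_sys_content_t", "httpd_sys_script_rw_t"}

# Constructed type_transition rules:
# (creating domain, parent directory type, object class) -> new object type.
TYPE_TRANSITIONS = {
    ("httpd_t", "tmp_t", "file"): "httpd_tmp_t",
}


def lookup_file_context(path, ftype):
    """What setfiles/restorecon/fixfiles consult: the file contexts configuration.
    Simplification: the last matching entry wins."""
    chosen = None
    for regex, ftype_filter, stype in FILE_CONTEXTS:
        if ftype_filter not in (None, ftype):
            continue
        if re.fullmatch(regex, path):
            chosen = stype
    return chosen


def kernel_label_new_object(domain, parent_type, cls):
    """Runtime creation as the kernel does it: a matching type_transition rule,
    otherwise the parent directory's type. The file contexts configuration is
    deliberately never consulted here."""
    return TYPE_TRANSITIONS.get((domain, parent_type, cls), parent_type)


def restorecon(path, ftype, current_type, force=False):
    """Return (resulting type, message) mimicking restorecon -vv with/without -F."""
    wanted = lookup_file_context(path, ftype)
    if wanted is None or wanted == current_type:
        return current_type, f"{path} unchanged"
    if current_type in CUSTOMIZABLE_TYPES and not force:
        # The customizable type may have been set by the admin via chcon, so leave it.
        return current_type, f"{path} not reset customized by admin to {current_type}"
    return wanted, f"reset {path} context {current_type}->{wanted}"


def replay_thread():
    """Replay the sequence from the thread and return what each step observed."""
    path = "/var/www/wikis/foo/images"
    # mkdir -p from an admin shell: no type_transition matches, so the new
    # directory inherits its parent's type, httpd_sys_content_t.
    created = kernel_label_new_object("unconfined_t", "httpd_sys_content_t", "dir")
    # restorecon -vv without -F: the local entry matches but is not applied.
    after_plain, msg_plain = restorecon(path, "dir", created)
    # restorecon -vv -F: forced, so the local entry is applied.
    after_force, msg_force = restorecon(path, "dir", after_plain, force=True)
    return {"created": created, "plain": after_plain, "forced": after_force,
            "messages": [msg_plain, msg_force]}


if __name__ == "__main__":
    for key, value in replay_thread().items():
        print(key, value)
```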


Tim Taylor 03-18-2008 05:38 PM

Question on semanage fcontext -a
 
On Tue, 2008-03-18 at 09:45 -0400, Stephen Smalley wrote:
>
> On Mon, 2008-03-17 at 16:16 -0400, Tim Taylor wrote:
> > On Mon, 2008-03-17 at 08:07 -0400, Stephen Smalley wrote:
> > >
> > > On Mon, 2008-03-17 at 11:31 +0000, Paul Howarth wrote:
> > > > ttaylor wrote:
> > > > > Does anything special have to be done to cause SELinux to
> start
> > > using newly
> > > > > added local filecontexts? What I'm finding is that if I use
> > > semanage
> > > > > fcontext -a to add a local filecontext definition, it is not
> used
> > > by
> > > > > restorecon unless I specify the "-F" option. Without the "-F"
> > > option,
> > > > > restorecon -vv <file_path> gives the following message:
> > > > >
> > > > > /sbin/restorecon: <file_path> not reset customized by admin to
> > > > > <current_context>
> > > > >
> > > > > but restorecon -vv -F <file_path> gives this:
> > > > >
> > > > > /sbin/restorecon reset <file_path> context
> > > <current_context>-><new_context>
> > > >
> > > > This is probably because <current_context> is a customizable
> type
> > > like
> > > > httpd_sys_content_t; objects with these types don't get reset by
> > > > restorecon unless you use -F. I'm not sure how to find out which
> > > types
> > > > are customizable off the top of my head though.
> > >
> > > cat /etc/selinux/$SELINUXTYPE/contexts/customizable_types
> > >
> > > Dan - I thought we had discussed reducing that set significantly
> since
> > > it was originally to avoid clobbering locally-set types upon a
> > > filesystem relabel prior to the introduction of semanage, but with
> > > users
> > > now able to add local file contexts easily via semanage fcontext
> -a,
> > > it
> > > isn't as necessary.
> >
> > This is exactly my situation. I am using Fedora 8 with all the
> latest
> > updates. I had used semanage to add a filecontext which would cause
> > particular directories to be labeled with the type
> httpd_sys_script_rw_t
> > which is a customizable type.
> >
> > The directory I was trying to label was under /var/www which has a
> > context of httpd_sys_content_t which is also a customizable type.
> So
> > why is it that new directories under /var/www are automatically
> labeled
> > with the httpd_sys_content_t type, but things that match my added
> > filecontext don't automatically get labeled with
> httpd_sys_script_rw_t,
> > and require the use of restorecon -F?
> >
> > Here's the specifics:
> >
> > The command I used to add my local context:
> > semanage fcontext -d -f -d -t httpd_sys_script_rw_t
> > "/var/www/wikis/[^/]+/images"
>
> This adds the entry to your file contexts configuration, a mapping
> from
> pathname regexes to file security contexts that is used to determine
> the
> right security context for a file when it is first installed (e.g. by
> rpm) or when you want to reset the filesystem to its initial state
> (e.g.
> via restorecon or fixfiles relabel), but not at runtime by the kernel.
>
> > I then create a directory that matches the above pattern:
> > mkdir -p /var/www/wikis/foo/images
> >
> > The directory is created, but has the type httpd_sys_content_t.
>
> For runtime file creation, the kernel labels new files based on
> either:
> 1) a type transition rule in the policy if one exists for the creating
> process' domain, the parent directory type, and the new file's
> security
> class (object type - e.g. regular file, directory, symlink, device
> node), or
> 2) the parent directory's type if no type transition rule matches.
>
> The file contexts configuration is not used by the kernel and is only
> supposed to represent the initial install-time state of the
> filesystem.
>
> > Now I use restorecon to relabel:
> > restorecon -vv /var/www/wikis/foo/images
>
> restorecon does consult the file contexts configuration.
>
> > This gives me the following message:
> > /sbin/restorecon: /var/www/wikis/foo/images not reset customized by
> > admin to system_u:object_r:httpd_sys_content_t:s0
>
> This is because the existing type on the file is a customizable type
> and
> thus may have been manually set by the admin via chcon - this approach
> predates the introduction of semanage and as Dan said, customizable
> types have been dropped in rawhide / Fedora 9, so you won't encounter
> this problem going forward there.
>
> > Now run restorecon with the force flag:
> > restorecon -vv -F /var/www/wikis/foo/images
> >
> > Gives this message:
> > restorecon reset /var/www/wikis/foo/images context
> >
> system_u:object_r:httpd_sys_content_t:s0->system_u:object_r:httpd_sys_script_rw_t:s0
> >
> > Since both types are in the customizable_types file, why is one
> > automatically used, and the other only used when forced?
>
> If by automatically used, you mean at new file creation, neither file
> contexts nor customizable types has anything to do with that. If you
> mean by restorecon, the restorecon logic is simply to not relabel a
> file
> that has a customizable type since it may have been manually set by
> the
> admin.

Thanks. The feedback I've gotten has greatly clarified my understanding
of how SELinux labeling works.

- Tim

