09-05-2011, 02:49 AM
Robin Lee Powell

Ordering of file context choices?

I have a custom module installed that is supposed to set file
contexts for some stuff in a user's homedir (the CGI application I
mentioned in my last email, that I want the user to be able to
administer):

/etc/selinux/targeted/modules/active/file_contexts.template
1953:/home/melbi/bpfk_corpus(/.*)? system_u:object_r:lojban_corpus_t:s0
2179:/home/melbi/public_html/cgi-bin/corpus.cgi system_u:object_r:lojban_corpus_t:s0

/etc/selinux/targeted/modules/active/file_contexts
1883:/home/melbi/bpfk_corpus(/.*)? system_u:object_r:lojban_corpus_t:s0
2101:/home/melbi/public_html/cgi-bin/corpus.cgi system_u:object_r:lojban_corpus_t:s0

/etc/selinux/targeted/contexts/files/file_contexts
1883:/home/melbi/bpfk_corpus(/.*)? system_u:object_r:lojban_corpus_t:s0
2101:/home/melbi/public_html/cgi-bin/corpus.cgi system_u:object_r:lojban_corpus_t:s0

This doesn't appear to actually *work*; as far as I can tell the
contexts for the home directory itself are winning:

rlpowell@vrici> ls -lZ ~melbi/bpfk_corpus
drwxrwxrwx. melbi melbi user_u:object_r:user_home_t:s0 files/
-rw-r--r--. melbi melbi user_u:object_r:user_home_t:s0 selmaho.txt
drwxrwxrwx. melbi melbi user_u:object_r:user_home_t:s0 tmp/
-rw-r--r--. apache apache user_u:object_r:user_home_t:s0 urls.db
-rw-rw-rw-. melbi melbi user_u:object_r:user_home_t:s0 urls.not.db

(that's after a restorecon)

Can I do anything to change that?

-Robin

--
http://singinst.org/ : Our last, best hope for a fantastic future.
Lojban (http://www.lojban.org/): The language in which "this parrot
is dead" is "ti poi spitaki cu morsi", but "this sentence is false"
is "na nei". My personal page: http://www.digitalkingdom.org/rlp/
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
09-06-2011, 02:13 PM
Daniel J Walsh

Ordering of file context choices?

On 09/04/2011 10:49 PM, Robin Lee Powell wrote:
> I have a custom module installed that is supposed to set file
> contexts for some stuff in a user's homedir (the CGI application I
> mentioned in my last email, that I want the user to be able to
> administer):
>
> /etc/selinux/targeted/modules/active/file_contexts.template
> 1953:/home/melbi/bpfk_corpus(/.*)? system_u:object_r:lojban_corpus_t:s0
> 2179:/home/melbi/public_html/cgi-bin/corpus.cgi system_u:object_r:lojban_corpus_t:s0
>
> /etc/selinux/targeted/modules/active/file_contexts
> 1883:/home/melbi/bpfk_corpus(/.*)? system_u:object_r:lojban_corpus_t:s0
> 2101:/home/melbi/public_html/cgi-bin/corpus.cgi system_u:object_r:lojban_corpus_t:s0
>
> /etc/selinux/targeted/contexts/files/file_contexts
> 1883:/home/melbi/bpfk_corpus(/.*)? system_u:object_r:lojban_corpus_t:s0
> 2101:/home/melbi/public_html/cgi-bin/corpus.cgi system_u:object_r:lojban_corpus_t:s0
>
> This doesn't appear to actually *work*; as far as I can tell the
> contexts for the home directory itself are winning:
>
> rlpowell@vrici> ls -lZ ~melbi/bpfk_corpus
> drwxrwxrwx. melbi melbi user_u:object_r:user_home_t:s0 files/
> -rw-r--r--. melbi melbi user_u:object_r:user_home_t:s0 selmaho.txt
> drwxrwxrwx. melbi melbi user_u:object_r:user_home_t:s0 tmp/
> -rw-r--r--. apache apache user_u:object_r:user_home_t:s0 urls.db
> -rw-rw-rw-. melbi melbi user_u:object_r:user_home_t:s0 urls.not.db
>
> (that's after a restorecon)
>
> Can I do anything to change that?
>
> -Robin
>


HOMEDIR takes precedence over modules policy.

Try

HOME_DIR/bpfk_corpus(/.*)? gen_context(system_u:object_r:lojban_corpus_t,s0)

 
09-06-2011, 05:10 PM
Robin Lee Powell

Ordering of file context choices?

On Tue, Sep 06, 2011 at 10:13:37AM -0400, Daniel J Walsh wrote:
> On 09/04/2011 10:49 PM, Robin Lee Powell wrote:
> > I have a custom module installed that is supposed to set file
> > contexts for some stuff in a user's homedir (the CGI application I
> > mentioned in my last email, that I want the user to be able to
> > administer):
> >
> > /etc/selinux/targeted/modules/active/file_contexts.template
> > 1953:/home/melbi/bpfk_corpus(/.*)? system_u:object_r:lojban_corpus_t:s0
> > 2179:/home/melbi/public_html/cgi-bin/corpus.cgi system_u:object_r:lojban_corpus_t:s0
> >
> > /etc/selinux/targeted/modules/active/file_contexts
> > 1883:/home/melbi/bpfk_corpus(/.*)? system_u:object_r:lojban_corpus_t:s0
> > 2101:/home/melbi/public_html/cgi-bin/corpus.cgi system_u:object_r:lojban_corpus_t:s0
> >
> > /etc/selinux/targeted/contexts/files/file_contexts
> > 1883:/home/melbi/bpfk_corpus(/.*)? system_u:object_r:lojban_corpus_t:s0
> > 2101:/home/melbi/public_html/cgi-bin/corpus.cgi system_u:object_r:lojban_corpus_t:s0
> >
> > This doesn't appear to actually *work*; as far as I can tell the
> > contexts for the home directory itself are winning:
> >
> > rlpowell@vrici> ls -lZ ~melbi/bpfk_corpus
> > drwxrwxrwx. melbi melbi user_u:object_r:user_home_t:s0 files/
> > -rw-r--r--. melbi melbi user_u:object_r:user_home_t:s0 selmaho.txt
> > drwxrwxrwx. melbi melbi user_u:object_r:user_home_t:s0 tmp/
> > -rw-r--r--. apache apache user_u:object_r:user_home_t:s0 urls.db
> > -rw-rw-rw-. melbi melbi user_u:object_r:user_home_t:s0 urls.not.db
> >
> > (that's after a restorecon)
> >
> > Can I do anything to change that?
> >
> > -Robin
> >
>
>
> HOMEDIR takes precedence over modules policy.
>
> Try
>
> HOME_DIR/bpfk_corpus(/.*)? gen_context(system_u:object_r:lojban_corpus_t,s0)

Which will affect everybody, which is kind of icky. Better than
nothing, I guess. Thanks.

-Robin

 
09-06-2011, 05:41 PM
Daniel J Walsh

Ordering of file context choices?

On 09/06/2011 01:10 PM, Robin Lee Powell wrote:
> On Tue, Sep 06, 2011 at 10:13:37AM -0400, Daniel J Walsh wrote:
>> On 09/04/2011 10:49 PM, Robin Lee Powell wrote:
>>> I have a custom module installed that is supposed to set file
>>> contexts for some stuff in a user's homedir (the CGI
>>> application I mentioned in my last email, that I want the user
>>> to be able to administer):
>>>
>>> /etc/selinux/targeted/modules/active/file_contexts.template
>>> 1953:/home/melbi/bpfk_corpus(/.*)? system_u:object_r:lojban_corpus_t:s0
>>> 2179:/home/melbi/public_html/cgi-bin/corpus.cgi system_u:object_r:lojban_corpus_t:s0
>>>
>>> /etc/selinux/targeted/modules/active/file_contexts
>>> 1883:/home/melbi/bpfk_corpus(/.*)? system_u:object_r:lojban_corpus_t:s0
>>> 2101:/home/melbi/public_html/cgi-bin/corpus.cgi system_u:object_r:lojban_corpus_t:s0
>>>
>>> /etc/selinux/targeted/contexts/files/file_contexts
>>> 1883:/home/melbi/bpfk_corpus(/.*)? system_u:object_r:lojban_corpus_t:s0
>>> 2101:/home/melbi/public_html/cgi-bin/corpus.cgi system_u:object_r:lojban_corpus_t:s0
>>>
>>> This doesn't appear to actually *work*; as far as I can tell
>>> the contexts for the home directory itself are winning:
>>>
>>> rlpowell@vrici> ls -lZ ~melbi/bpfk_corpus
>>> drwxrwxrwx. melbi melbi user_u:object_r:user_home_t:s0 files/
>>> -rw-r--r--. melbi melbi user_u:object_r:user_home_t:s0 selmaho.txt
>>> drwxrwxrwx. melbi melbi user_u:object_r:user_home_t:s0 tmp/
>>> -rw-r--r--. apache apache user_u:object_r:user_home_t:s0 urls.db
>>> -rw-rw-rw-. melbi melbi user_u:object_r:user_home_t:s0 urls.not.db
>>>
>>> (that's after a restorecon)
>>>
>>> Can I do anything to change that?
>>>
>>> -Robin
>>>
>>
>>
>> HOMEDIR takes precedence over modules policy.
>>
>> Try
>>
>> HOME_DIR/bpfk_corpus(/.*)? gen_context(system_u:object_r:lojban_corpus_t,s0)
>
> Which will affect everybody, which is kind of icky. Better than
> nothing, I guess. Thanks.
>
> -Robin
>

I am going to write a blog on this.

Your other option is to use semanage rather than a module. Search
order on matching is

semanage fcontext
MODULE containing HOMEDIR
MODULE containing file context.
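The precedence Dan gives here (and the reason his earlier HOME_DIR suggestion works) as an added Python model, not code from the thread or from libselinux: specs from file_contexts, file_contexts.homedirs and file_contexts.local are loaded in that order and the last matching spec wins, so a module's /home/melbi/... entry loses to the HOME_DIR expansion unless a copy sits in file_contexts.local, which is where semanage fcontext puts it. The three spec listings are constructed excerpts, and the model deliberately ignores libselinux's stem handling and any specificity sorting.

```python
import re

# Constructed, heavily abbreviated excerpts modelled on the thread (real files
# hold thousands of specs). Base file_contexts, including the module's entries:
BASE_FC = """
/.*                                          system_u:object_r:default_t:s0
/home                                    -d  system_u:object_r:home_root_t:s0
/home/melbi/bpfk_corpus(/.*)?                system_u:object_r:lojban_corpus_t:s0
/home/melbi/public_html/cgi-bin/corpus.cgi   system_u:object_r:lojban_corpus_t:s0
"""
# HOME_DIR template expansion (file_contexts.homedirs), loaded after the base:
HOMEDIRS_FC = """
/home/[^/]+                              -d  system_u:object_r:user_home_dir_t:s0
/home/[^/]+/.+                               system_u:object_r:user_home_t:s0
"""
# What `semanage fcontext -a -t lojban_corpus_t ...` appends to file_contexts.local:
LOCAL_FC = """
/home/melbi/bpfk_corpus(/.*)?                system_u:object_r:lojban_corpus_t:s0
"""
TYPE_FLAGS = {"--": "file", "-d": "dir", "-l": "symlink", "-s": "socket",
              "-p": "pipe", "-b": "block", "-c": "char"}

def parse_file_contexts(text):
    """Return [(compiled regex, file type or None, context)] for each spec."""
    specs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) == 3:          # optional type field, e.g. "-d"
            regex, ftype, ctx = fields[0], TYPE_FLAGS[fields[1]], fields[2]
        else:
            regex, ftype, ctx = fields[0], None, fields[1]
        specs.append((re.compile("^" + regex + "$"), ftype, ctx))  # anchored
    return specs

def lookup(path, file_type, *sources):
    """Search the specs of all sources in reverse load order, so the last
    matching spec wins; a type-restricted spec only matches its own type."""
    specs = [s for src in sources for s in parse_file_contexts(src)]
    for regex, ftype, ctx in reversed(specs):
        if (ftype is None or ftype == file_type) and regex.match(path):
            return ctx
    return None

def module_only(path, file_type="file"):   # base policy + HOMEDIR expansion
    return lookup(path, file_type, BASE_FC, HOMEDIRS_FC)

def with_local(path, file_type="file"):    # ... plus file_contexts.local
    return lookup(path, file_type, BASE_FC, HOMEDIRS_FC, LOCAL_FC)
```

On the real system, `matchpathcon /home/melbi/bpfk_corpus/selmaho.txt` is the equivalent check of which spec wins.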
 
09-06-2011, 05:44 PM
Robin Lee Powell

Ordering of file context choices?

On Tue, Sep 06, 2011 at 01:41:27PM -0400, Daniel J Walsh wrote:
>
> I am going to write a blog on this.

Oh that would be lovely!

> Your other option is to use semanage rather than a module. Search
> order on matching is
>
> semanage fcontext
> MODULE containing HOMEDIR
> MODULE containing file context.

The problem there is that semanage has no concept of "I want this to
go here in the ordering"; it's last-come-first-served, which makes
it really hard to deal with from Puppet, which is how I roll. If
there was a way to say "insert this fcontext before this other one",
that would fix it, but I don't see a way to do that.

The nice thing about having it in a module is that I can specify the
order.

I suppose I could put things in
/etc/selinux/targeted/contexts/files/file_contexts.local directly,
to handle the ordering, but it says not to.

-Robin

 
09-06-2011, 05:53 PM
Daniel J Walsh

Ordering of file context choices?

On 09/06/2011 01:44 PM, Robin Lee Powell wrote:
> On Tue, Sep 06, 2011 at 01:41:27PM -0400, Daniel J Walsh wrote:
>>
>> I am going to write a blog on this.
>
> Oh that would be lovely!
>
>> Your other option is to use semanage rather than a module.
>> Search order on matching is
>>
>> semanage fcontext
>> MODULE containing HOMEDIR
>> MODULE containing file context.
>
> The problem there is that semanage has no concept of "I want this
> to go here in the ordering"; it's last-come-first-served, which
> makes it really hard to deal with from Puppet, which is how I roll.
> If there was a way to say "insert this fcontext before this other
> one", that would fix it, but I don't see a way to do that.
>
> The nice thing about having it in a module is that I can specify
> the order.
>
> I suppose I could put things in
> /etc/selinux/targeted/contexts/files/file_contexts.local
> directly, to handle the ordering, but it says not to.
>
> -Robin
>

As long as this is between you and me :^).

You could put your changes in
/etc/selinux/targeted/modules/active/file_contexts.local

and

/etc/selinux/targeted/contexts/files/file_contexts.local

Then you would be fine and a selinux-policy update would not destroy
your local changes.
 
09-06-2011, 10:20 PM
Robin Lee Powell

Ordering of file context choices?

On Tue, Sep 06, 2011 at 01:53:41PM -0400, Daniel J Walsh wrote:
>
> As long as this is between you and me :^).
>
> You could put your changes in
> /etc/selinux/targeted/modules/active/file_contexts.local
>
> and
>
> /etc/selinux/targeted/contexts/files/file_contexts.local
>
> Then you would be fine and a selinux-policy update would not
> destroy your local changes.

OK, thanks.

If y'all could consider making semanage have a sense of ordering,
though, I'd sure appreciate it.

Or maybe a /etc/selinux/file_context.d/ (or similar) dir, that reads
the files in it in ls order. That'd be *sweet*.

-Robin

 
