Create new types in modules?

Daniel J Walsh dwalsh at redhat.com
Fri Apr 14 12:54:11 UTC 2006


Paul Howarth wrote:
> Stephen Smalley wrote:
>> On Thu, 2006-04-13 at 08:08 -0400, Stephen Smalley wrote:
>>>> So, my idea was to define everything under my chroot as a new type,
>>>> mock_root_t, and then have a module like this:
>>>>
>>>> module mock 0.2;
>>>>
>>>> require {
>>>>         class file execmod;
>>>>
>>>>         type unconfined_t;
>>>>         type mock_root_t;
>>>> };
>>> Move the mock_root_t type decl outside of the requires block.
>>
>> Oh, and you should really do it like this (similar to my prior
>> discussion about creating a policy module for the samba issue):
>> $ mkdir mock
>> $ cd mock
>> $ vi mock.te
>> i(nsert)
>> policy_module(mock, 0.2)
>>
>> require {
>>     type unconfined_t;
>> };
>>
>> type mock_root_t;
>> files_type(mock_root_t) # allow this type to be used for files
>> allow unconfined_t mock_root_t:file execmod;
>> :wq
>> $ touch mock.if mock.fc
>> $ make -f /usr/share/selinux/devel/Makefile
>> $ su
>> # semodule -i mock.pp
>
> Excellent - thanks.
>
> Now why isn't this doing what I expect:
>
> # semanage fcontext -a -t mock_root_t \
>     /usr/share/fsdata/mock/'[^/]*/root(/.*)?'
> # mkdir /usr/share/fsdata/mock/redhat-8.0-i386-core/root
> # ls -lZ  /usr/share/fsdata/mock/redhat-8.0-i386-core
> drwxrwsr-x  paul     mock     user_u:object_r:usr_t            result
> drwxr-sr-x  root     mock     root:object_r:usr_t              root
> drwxrwsr-x  paul     mock     user_u:object_r:usr_t            state
> # restorecon -v /usr/share/fsdata/mock/redhat-8.0-i386-core/root
> restorecon reset /usr/share/fsdata/mock/redhat-8.0-i386-core/root 
> context root:object_r:usr_t->system_u:object_r:mock_root_t
> # ls -lZ  /usr/share/fsdata/mock/redhat-8.0-i386-core
> drwxrwsr-x  paul     mock     user_u:object_r:usr_t            result
> drwxr-sr-x  root     mock     system_u:object_r:mock_root_t    root
> drwxrwsr-x  paul     mock     user_u:object_r:usr_t            state
>
> Why doesn't the directory 
> /usr/share/fsdata/mock/redhat-8.0-i386-core/root get created as type 
> mock_root_t in the first place rather than having to do the restorecon 
> on it?
>
You need to tell mkdir which context to create it with or write a 
transition rule in policy that says when context ABC_t creates files in 
directories labeled DEF_T, create them GEH_T.

You can also look at mkdir -Z.

> I suspect this is why Aurelien's %pre script in the awstats package 
> failed too.
>
> Paul.
>
> -- 
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
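Added example, not from the thread: the transition rule Dan describes, written into the mock.te that Stephen posted above. It assumes the parent directory is labelled usr_t (as Paul's ls -lZ output shows) and that the refpolicy Makefile from the thread is used to build it.

```selinux
# mock.te with a type transition added (added example, not the thread's own module).
# Assumes the parent directory is usr_t, as in the ls -lZ output above.
policy_module(mock, 0.2)

require {
    type unconfined_t;
    type usr_t;
};

type mock_root_t;
files_type(mock_root_t)                 # allow this type to be used for files

# Rule from the thread: allow text relocations on files in the chroot.
allow unconfined_t mock_root_t:file execmod;

# Transition rule: when a process running as unconfined_t creates a
# directory inside a usr_t directory, the new directory is labelled
# mock_root_t instead of inheriting usr_t from its parent.
type_transition unconfined_t usr_t:dir mock_root_t;
```

Note that the rule keys on the parent type, not the path, so it fires for every directory unconfined_t creates under any usr_t directory, not only under /usr/share/fsdata/mock. If that is broader than wanted, keep the semanage fcontext entry and create the specific directory with mkdir -Z (or run restorecon after creating it) instead.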