Create new types in modules?

Stephen Smalley sds at
Fri Apr 14 13:27:47 UTC 2006

On Fri, 2006-04-14 at 08:54 -0400, Daniel J Walsh wrote:
> > Excellent - thanks.
> >
> > Now why isn't this doing what I expect:
> >
> > # semanage fcontext -a -t mock_root_t \
> >     /usr/share/fsdata/mock/'[^/]*/root(/.*)?'
> > # mkdir /usr/share/fsdata/mock/redhat-8.0-i386-core/root
> > # ls -lZ  /usr/share/fsdata/mock/redhat-8.0-i386-core
> > drwxrwsr-x  paul     mock     user_u:object_r:usr_t            result
> > drwxr-sr-x  root     mock     root:object_r:usr_t              root
> > drwxrwsr-x  paul     mock     user_u:object_r:usr_t            state
> > # restorecon -v /usr/share/fsdata/mock/redhat-8.0-i386-core/root
> > restorecon reset /usr/share/fsdata/mock/redhat-8.0-i386-core/root 
> > context root:object_r:usr_t->system_u:object_r:mock_root_t
> > # ls -lZ  /usr/share/fsdata/mock/redhat-8.0-i386-core
> > drwxrwsr-x  paul     mock     user_u:object_r:usr_t            result
> > drwxr-sr-x  root     mock     system_u:object_r:mock_root_t    root
> > drwxrwsr-x  paul     mock     user_u:object_r:usr_t            state
> >
> > Why doesn't the directory 
> > /usr/share/fsdata/mock/redhat-8.0-i386-core/root get created as type 
> > mock_root_t in the first place rather than having to do the restorecon 
> > on it?
> >
> You need to tell mkdir which context to create it with or write a 
> transition rule in policy that says when context ABC_t creates files in 
> directories labeled DEF_T, create them GEH_T.
> You can also look ad mkdir -Z.

A bit of explanation:  The file contexts configuration is only intended
to establish the initial state of the filesystem, for use by programs
like rpm and install, based on some external knowledge about the
security properties of files and some assumptions about secure creation
and distribution of the packages in the first place.  For normal file
creation at runtime, we don't want to rely on anything path-based at all
because that doesn't tell us anything about the real security properties
of the object; we want to label the files in accordance with the
security properties of their creator, related objects (e.g. parent
directory), and the runtime kernel policy (type transition rules).  So a
directory created by mkdir isn't going to automatically pick up the
context defined in file_contexts.  The user can force it to that context
(if allowed to do so by policy) via mkdir -Z or by running restorecon
after the fact, but that does require explicit action by the user, and
won't be allowed under some policies.

Stephen Smalley
National Security Agency

More information about the fedora-selinux-list mailing list