Create new types in modules?
Paul Howarth
paul at city-fan.org
Wed Apr 19 15:41:42 UTC 2006
Stephen Smalley wrote:
> On Fri, 2006-04-14 at 08:54 -0400, Daniel J Walsh wrote:
>>> Excellent - thanks.
>>>
>>> Now why isn't this doing what I expect:
>>>
>>> # semanage fcontext -a -t mock_root_t \
>>> /usr/share/fsdata/mock/'[^/]*/root(/.*)?'
>>> # mkdir /usr/share/fsdata/mock/redhat-8.0-i386-core/root
>>> # ls -lZ /usr/share/fsdata/mock/redhat-8.0-i386-core
>>> drwxrwsr-x paul mock user_u:object_r:usr_t result
>>> drwxr-sr-x root mock root:object_r:usr_t root
>>> drwxrwsr-x paul mock user_u:object_r:usr_t state
>>> # restorecon -v /usr/share/fsdata/mock/redhat-8.0-i386-core/root
>>> restorecon reset /usr/share/fsdata/mock/redhat-8.0-i386-core/root
>>> context root:object_r:usr_t->system_u:object_r:mock_root_t
>>> # ls -lZ /usr/share/fsdata/mock/redhat-8.0-i386-core
>>> drwxrwsr-x paul mock user_u:object_r:usr_t result
>>> drwxr-sr-x root mock system_u:object_r:mock_root_t root
>>> drwxrwsr-x paul mock user_u:object_r:usr_t state
>>>
>>> Why doesn't the directory
>>> /usr/share/fsdata/mock/redhat-8.0-i386-core/root get created as type
>>> mock_root_t in the first place rather than having to do the restorecon
>>> on it?
>>>
>> You need to tell mkdir which context to create it with or write a
>> transition rule in policy that says when context ABC_t creates files in
>> directories labeled DEF_T, create them GEH_T.
>>
>> You can also look at mkdir -Z.
>
> A bit of explanation: The file contexts configuration is only intended
> to establish the initial state of the filesystem, for use by programs
> like rpm and install, based on some external knowledge about the
> security properties of files and some assumptions about secure creation
> and distribution of the packages in the first place. For normal file
> creation at runtime, we don't want to rely on anything path-based at all
> because that doesn't tell us anything about the real security properties
> of the object; we want to label the files in accordance with the
> security properties of their creator, related objects (e.g. parent
> directory), and the runtime kernel policy (type transition rules). So a
> directory created by mkdir isn't going to automatically pick up the
> context defined in file_contexts. The user can force it to that context
> (if allowed to do so by policy) via mkdir -Z or by running restorecon
> after the fact, but that does require explicit action by the user, and
> won't be allowed under some policies.
OK, what I've got now is as follows:
mock.if:
########################################
## <summary>
## Create objects in the /var/lib/mock directory
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="file_type">
## <summary>
## The type of the object to be created
## </summary>
## </param>
## <param name="object_class">
## <summary>
## The object class.
## </summary>
## </param>
#
interface(`files_var_lib_mock_filetrans',`
	gen_require(`
		type var_t, var_lib_t, mock_var_lib_t;
	')

	allow $1 var_t:dir search_dir_perms;
	allow $1 var_lib_t:dir search_dir_perms;
	allow $1 mock_var_lib_t:dir rw_dir_perms;
	type_transition $1 mock_var_lib_t:$3 $2;
')
mock.fc:
/var/lib/mock(/[^/]*)?	gen_context(system_u:object_r:mock_var_lib_t,s0)
/var/lib/mock/[^/]*/.*	gen_context(system_u:object_r:mock_root_t,s0)
mock.te:
policy_module(mock, 0.5)
require {
	type unconfined_t;
};
# New types for mock, used for files
type mock_root_t;
files_type(mock_root_t)
type mock_var_lib_t;
files_type(mock_var_lib_t)
# Type transition needed to ensure roots get created as mock_root_t
files_var_lib_mock_filetrans(unconfined_t,mock_root_t,{ file dir })
# Old libraries may need execmod permission
allow unconfined_t mock_root_t:file execmod;
This all seems to work very nicely, provided the module is loaded before
mock is installed so that /var/lib/mock gets created as mock_var_lib_t.
Otherwise, a restorecon is needed.
Cheers, Paul.
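
Added example (not part of the original message or of the mock policy): a small Python model of the two labelling mechanisms discussed in this thread, the path-based file_contexts match that restorecon applies and the creation-time label from type_transition with inheritance from the parent directory. It uses the mock.fc and mock.te rules posted above; the sample paths, the var_lib_t label for the "mock installed first" case, and last-match-wins ordering are assumptions.

```python
import posixpath
import re

# mock.fc entries from this thread: (regex matched against the whole path, type).
FILE_CONTEXTS = [
    (r"/var/lib/mock(/[^/]*)?", "mock_var_lib_t"),
    (r"/var/lib/mock/[^/]*/.*", "mock_root_t"),
]

# files_var_lib_mock_filetrans(unconfined_t, mock_root_t, { file dir }) from mock.te,
# expanded: (creator domain, parent directory type, object class) -> new type.
TYPE_TRANSITIONS = {
    ("unconfined_t", "mock_var_lib_t", cls): "mock_root_t" for cls in ("file", "dir")
}

def restorecon_type(path, fallback="var_lib_t"):
    """Type that path-based labelling (rpm, restorecon) gives `path`."""
    found = fallback  # assumption: stands in for the base policy's /var/lib entry
    for pattern, ftype in FILE_CONTEXTS:  # simplification: last match wins
        if re.fullmatch(pattern, path):
            found = ftype
    return found

def runtime_type(domain, parent_type, obj_class):
    """Type set at creation: a matching type_transition, else the parent's type."""
    return TYPE_TRANSITIONS.get((domain, parent_type, obj_class), parent_type)

def simulate(domain, base_type, new_dirs):
    """mkdir each path in order under /var/lib/mock (already labelled base_type).
    Returns {path: (type at creation, type restorecon would set)}."""
    labels = {"/var/lib/mock": base_type}
    report = {}
    for path in new_dirs:
        parent_type = labels[posixpath.dirname(path)]
        labels[path] = runtime_type(domain, parent_type, "dir")
        report[path] = (labels[path], restorecon_type(path))
    return report

# Constructed sample paths (not from the thread).
CFG = "/var/lib/mock/fedora-5-i386-core"
DIRS = [CFG, CFG + "/root", CFG + "/root/etc"]

if __name__ == "__main__":
    for base in ("mock_var_lib_t", "var_lib_t"):
        for path, (made, fc) in simulate("unconfined_t", base, DIRS).items():
            print(base, path, made, fc, "" if made == fc else "<- restorecon relabels")
```

In this model, with /var/lib/mock labelled mock_var_lib_t, the per-config directory is created as mock_root_t while mock.fc assigns it mock_var_lib_t, so a recursive restorecon would change that one label.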