files contexts override via policy module

Laurent Jacquot jk at lutty.net
Tue Nov 20 14:15:39 UTC 2007


On Tuesday 20 November 2007 at 08:39 -0500, Daniel J Walsh wrote:
> 
> Laurent Jacquot wrote:
> > Hello,
> > I am sure this is a FAQ or a feature, but I want to know how to work
> > around:
> > 
> > I have cxoffice installed in my F8 home dir and I want some lib labeled
> > as textrel_shlib_t, but I cannot override the default user_home_t home
> > label via a policy module. 
> > 
> > NOTE1 it works if the directory is not under /home
> > NOTE2 there is nothing in the logs if it fails
> > NOTE3 It has been so since the introduction of modular policy in selinux
> > 
> > This is what I have tried so far in F8.
> > [root@jack sel]# cat local.fc
> > #cxoffice
> > #/home/alex/.cxoffice/dotwine/drive_c(/.*)?/.*\.exe -- system_u:object_r:textrel_shlib_t:s0
> > 
> > /home/alex/cxoffice/lib/wine/kernel32.dll.so -- system_u:object_r:textrel_shlib_t:s0
> > 
> > [root@jack sel]# semodule_package -o local.pp -m local.mod -f local.fc
> > [root@jack sel]# semodule -i local.pp
> > [root@jack sel]# ls -Z /home/alex/cxoffice/lib/wine/kernel32.dll.so
> > -rwxr-xr-x  alex alex system_u:object_r:user_home_t:s0 /home/alex/cxoffice/lib/wine/kernel32.dll.so
> > [root@jack sel]# restorecon /home/alex/cxoffice/lib/wine/kernel32.dll.so
> > [root@jack sel]# ls -Z /home/alex/cxoffice/lib/wine/kernel32.dll.so
> > -rwxr-xr-x  alex alex system_u:object_r:user_home_t:s0 /home/alex/cxoffice/lib/wine/kernel32.dll.so
> > 
> > 
> > (If i use the system-config-selinux UI, I can see the new entry in the
> > tab context among all the regexp)
> > 
> > Using semanage, it works:
> > [root@jack sel]# semodule -r local
> > [root@jack sel]# semanage fcontext -a -t textrel_shlib_t /home/alex/cxoffice/lib/wine/kernel32.dll.so
> > [root@jack sel]# ls -Z /home/alex/cxoffice/lib/wine/kernel32.dll.so
> > -rwxr-xr-x  alex alex system_u:object_r:user_home_t:s0 /home/alex/cxoffice/lib/wine/kernel32.dll.so
> > [root@jack sel]# restorecon /home/alex/cxoffice/lib/wine/kernel32.dll.so
> > [root@jack sel]# ls -Z /home/alex/cxoffice/lib/wine/kernel32.dll.so
> > -rwxr-xr-x  alex alex system_u:object_r:textrel_shlib_t:s0 /home/alex/cxoffice/lib/wine/kernel32.dll.so
> > 
> > and the custom rule appears in system-config-selinux UI at the end of
> > the policy.
> > 
> > So how do I have my module install my contexts the same way as semanage?
> > Should I bugzilla it?
> > 
> > BTW, how does system-config-selinux browse the file context policy? Is it
> > possible to also see the rules and type definitions?
> > 
> > TIA
> >         jk
> > 
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> This looks like a bug in libsemanage or in the file context labeling
> algorithm.
> 
> I believe matchpathcon is reading in file_contexts,
> file_contexts.homedirs, file_contexts.local and taking the last entry.
> 
> 
> So using semodule to add a pp file updates the file_contexts file, in
> which case the homedirs is overriding.  semanage fcontext updates the
> file_contexts.local.
> 
> 
> If you tried
> 
> HOME_DIR/\.cxoffice/dotwine/drive_c(/.*)?/.*\.exe -- system_u:object_r:textrel_shlib_t:s0
> 
> It should update the file_contexts.homedirs file.
> 
> 
I confirm this works. Thanks!
Should I bugzilla it, or is it the way it should be?

jk
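The lookup order Dan describes (file_contexts, then file_contexts.homedirs, then file_contexts.local, last matching entry wins) explains all three outcomes in the thread, and a small model makes that visible without a labelled system at hand. The Python below is an added example, not code from the thread or from libselinux: the spec entries are constructed and trimmed to what matters here, expand_home_dir is a simplified stand-in for the substitution genhomedircon performs (only the generic /home/[^/]* form, no per-user entries), and the HOME_DIR entry for kernel32.dll.so is an assumed adaptation of Dan's .exe pattern to the file Laurent actually wanted relabelled. It goes slightly beyond the thread in also honouring the mode column ("--", "-d") the way the real lookup does.

```python
import re
import stat
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Simplified model of how libselinux resolves a path to a label (added example,
# not libselinux code). It keeps the two properties that matter for the thread:
#  - the spec files are read in the order file_contexts,
#    file_contexts.homedirs, file_contexts.local, and
#  - the LAST matching entry wins, so a later file overrides an earlier one.
# Stem sorting and other regex optimisations of the real lookup are omitted.

MODE_SPECS = {  # file_contexts mode column -> stat file-type bits
    "--": stat.S_IFREG, "-d": stat.S_IFDIR, "-l": stat.S_IFLNK, "-c": stat.S_IFCHR,
    "-b": stat.S_IFBLK, "-s": stat.S_IFSOCK, "-p": stat.S_IFIFO,
}


@dataclass
class Spec:
    regex: "re.Pattern[str]"
    ftype: Optional[int]  # None means "any file type"
    context: str
    source: str           # which spec file the entry came from


def parse_fc(text: str, source: str) -> List[Spec]:
    """Parse file_contexts syntax: '<regex> [<mode>] <context>' per line."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            path_re, mode, ctx = fields
            ftype = MODE_SPECS[mode]
        elif len(fields) == 2:
            path_re, ctx = fields
            ftype = None
        else:
            raise ValueError(f"{source}: bad entry {line!r}")
        # libselinux anchors every pattern at both ends
        specs.append(Spec(re.compile("^" + path_re + "$"), ftype, ctx, source))
    return specs


def expand_home_dir(template: str, home_root: str = "/home") -> str:
    """Roughly what genhomedircon does when it turns a HOME_DIR template entry
    into file_contexts.homedirs (assumption: only the generic /home/[^/]* form)."""
    return template.replace("HOME_DIR", home_root + "/[^/]*")


def matchpathcon(specs: List[Spec], path: str, ftype: int) -> Tuple[Optional[str], Optional[str]]:
    """Return (context, source file) of the last matching spec, like matchpathcon(1)."""
    for spec in reversed(specs):
        if spec.ftype is not None and spec.ftype != ftype:
            continue
        if spec.regex.match(path):
            return spec.context, spec.source
    return None, None


def build_db(file_contexts: str, homedirs: str, local: str) -> List[Spec]:
    return (parse_fc(file_contexts, "file_contexts")
            + parse_fc(homedirs, "file_contexts.homedirs")
            + parse_fc(local, "file_contexts.local"))


# Constructed spec files, trimmed to the entries relevant to the thread.
BASE_FC = """
/.*                                        system_u:object_r:default_t:s0
/home                                  -d  system_u:object_r:home_root_t:s0
/lib(64)?/.*\\.so(\\.[^/]*)*             --  system_u:object_r:lib_t:s0
"""
# What genhomedircon emits for the policy's own HOME_DIR/.+ template entry.
HOMEDIRS_FC = expand_home_dir("HOME_DIR/.+   system_u:object_r:user_home_t:s0")

TARGET = "/home/alex/cxoffice/lib/wine/kernel32.dll.so"
MODULE_ENTRY = TARGET + " -- system_u:object_r:textrel_shlib_t:s0"  # local.fc from the post
TEMPLATE_ENTRY = ("HOME_DIR/cxoffice/lib/wine/kernel32\\.dll\\.so -- "
                  "system_u:object_r:textrel_shlib_t:s0")  # assumed HOME_DIR variant


def literal_path_in_module():
    """semodule -i local.pp: the literal /home/alex entry lands in file_contexts,
    and the generic homedirs entry read later still wins."""
    db = build_db(BASE_FC + MODULE_ENTRY, HOMEDIRS_FC, "")
    return matchpathcon(db, TARGET, stat.S_IFREG)


def semanage_fcontext():
    """semanage fcontext -a: the entry lands in file_contexts.local, read last."""
    db = build_db(BASE_FC, HOMEDIRS_FC, MODULE_ENTRY)
    return matchpathcon(db, TARGET, stat.S_IFREG)


def home_dir_in_module():
    """HOME_DIR entry in the module: its expansion is appended to
    file_contexts.homedirs after the generic user_home_t entry."""
    db = build_db(BASE_FC, HOMEDIRS_FC + "\n" + expand_home_dir(TEMPLATE_ENTRY), "")
    return matchpathcon(db, TARGET, stat.S_IFREG)


if __name__ == "__main__":
    for fn in (literal_path_in_module, semanage_fcontext, home_dir_in_module):
        print(f"{fn.__name__:24s} -> {fn()}")
```

On a real Fedora box the three files live under /etc/selinux/targeted/contexts/files/, and `matchpathcon <path>` reports what the loaded specs resolve to, so the model can be checked against the system before and after `semodule -i` or `semanage fcontext -a`. The practical takeaway is the one Dan gives: a literal /home/<user> path in a module's .fc is read before the generated homedirs entries and loses to them, while a HOME_DIR entry or a semanage customisation is read after them and wins.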