idea: customizable_types.local

Moray Henderson (ICT) Moray.Henderson at ict.om.org
Wed Nov 11 12:09:14 UTC 2009


Dominick Wrote:
>Now we have restorecond -u running and it can be a pain, especially for
>people that write their own custom modules.
>
>For example, I have a backup script that can write anywhere in
>user_home_t, be it ~ or ~/Downloads.
>
>It writes the backups with a special type, but restorecond -u resets it
>to user_home_t even before it's finished writing ;)
>
>Here is where customizable_types comes in. This can be used to add the type to it
>so that restorecond -u doesn't try to reset it.
>
>That's cool, but what if you update your SELinux policy? Will
>customizable_types be overwritten? Maybe it would be good to have a
>customizable_types.local so that you can add your customizable types
>there and not have to worry about policy updates or restorecond -u.
>
>What do you think about this idea?

I remember how I discovered customizable_types in the first place - I wanted files to be reset from their old setting to the new one, and the command that was supposed to do it updated every file except the ones I particularly needed.  I had set everything correctly in file_contexts - then eventually discovered that there was *another* file that told the system to disregard file_contexts for certain file contexts.  I remember thinking - WHY?  Isn't file_contexts supposed to be the place where you configure file contexts?

Call me old-fashioned, but as a solution for your problem, I would recommend adding file context instructions to your policy so that restorecond sets your backup files to the correct context.

Adding a new customizable file may sound like a neat solution, but in practice it would mean that someone trying to debug "Why doesn't this file have the right context?" now has to know about three different places that the problem might be coming from.

By the way, I also agree with Matthew Ife's thread from last month about the need for good, practical documentation on how to use SELinux in real system administration rather than conceptual theory.  It's especially important for those who learned the theory under an older version, but need to do things with the new.  I had such a struggle with customizable_types because it wasn't there in RHEL 4.


Moray.
"To err is human.  To purr, feline"
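The exchange above turns on how restorecon decides what to do with a file: it looks the path up in file_contexts, but leaves files whose current type is listed in customizable_types alone unless run with -F. The following is an added illustration, not code from the thread or from the SELinux userspace; it models that decision in Python with a constructed, trimmed-down file_contexts and a hypothetical backup type (backup_store_t) and path regex so that both remedies, listing the type in customizable_types and, as Moray suggests, adding a file-context rule, can be compared on the same sample path. The "last matching entry wins" lookup is a simplification of libselinux behaviour.

```python
import re

# Constructed, trimmed-down file_contexts entries in the order libselinux reads them.
# Real entries carry a full context (system_u:object_r:TYPE:s0); only the type matters here.
FILE_CONTEXTS = [
    (r"/home/[^/]+", "user_home_dir_t"),
    (r"/home/[^/]+/.+", "user_home_t"),
]

# Constructed subset of customizable_types; the real file lists more types.
CUSTOMIZABLE_TYPES = {"httpd_user_content_t", "public_content_t"}

# Hypothetical type and regex for the backup files (not from the thread). As a policy
# module .fc line this would read:
#   /home/[^/]+/(.*/)?[^/]+\.backup  --  gen_context(system_u:object_r:backup_store_t,s0)
# or, without a module: semanage fcontext -a -t backup_store_t '/home/[^/]+/(.*/)?[^/]+\.backup'
BACKUP_RULE = [(r"/home/[^/]+/(.*/)?[^/]+\.backup", "backup_store_t")]


def lookup(path, entries):
    """Type that file_contexts assigns to path: each regex is anchored to the whole
    path and the last matching entry wins (which is how file_contexts.local, read
    last, overrides the compiled file_contexts). Simplified model: real libselinux
    also honours the file-type field and sorts the specs."""
    winner = None
    for regex, ftype in entries:
        if re.fullmatch(regex, path):
            winner = ftype
    return winner


def restorecon(path, current_type, entries, customizable, force=False):
    """Model of restorecon's decision for one file: a file whose current type is in
    customizable_types is left alone unless -F (force) is given; otherwise the file
    takes whatever file_contexts says, or keeps its type if no entry matches."""
    if current_type in customizable and not force:
        return current_type
    target = lookup(path, entries)
    return target if target is not None else current_type


def scenario():
    """Walk through the thread's situation and both remedies; returns the outcomes."""
    path = "/home/dominick/Downloads/2009-11-11.backup"   # constructed sample path
    written_as = "backup_store_t"
    return {
        # The problem: restorecond -u relabels the half-written backup to user_home_t.
        "stock": restorecon(path, written_as, FILE_CONTEXTS, CUSTOMIZABLE_TYPES),
        # Remedy 1 (Dominick): list the type in customizable_types; restorecon skips it...
        "customizable": restorecon(path, written_as, FILE_CONTEXTS,
                                   CUSTOMIZABLE_TYPES | {written_as}),
        # ...except under restorecon -F, which resets customizable files as well.
        "customizable_forced": restorecon(path, written_as, FILE_CONTEXTS,
                                          CUSTOMIZABLE_TYPES | {written_as}, force=True),
        # Remedy 2 (Moray): teach file_contexts the right type, so restorecon agrees
        "fc_rule": restorecon(path, written_as, FILE_CONTEXTS + BACKUP_RULE,
                              CUSTOMIZABLE_TYPES),
        # and even repairs a backup that was wrongly relabelled earlier.
        "fc_rule_repair": restorecon(path, "user_home_t", FILE_CONTEXTS + BACKUP_RULE,
                                     CUSTOMIZABLE_TYPES),
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name:20} -> {result}")
```

The difference between the two remedies shows up in the last two cases: with the type merely listed in customizable_types, restorecon only preserves a label that is already correct and a plain `restorecon -F` undoes it, whereas a file-context rule makes restorecon (and restorecond) produce the wanted label from the path alone. On a real system the equivalent check is `matchpathcon /home/user/Downloads/x.backup` after loading the rule, and `restorecon -n -v` on the file to see what would change without touching it.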
