Hello, I am sure this is a FAQ or a feature, but I want to know how to work around:
I have cxoffice installed in my F8 home dir and I want some lib labeled as textrel_shlib_t, but I cannot override the default user_home_t home label via a policy module.
NOTE1 it works if the directory is not under /home
NOTE2 there is nothing in the logs if it fails
NOTE3 It has been so since the introduction of modular policy in selinux
This is what I have tried so far in F8.
[root@jack sel]#cat local.fc
#cxoffice
#/home/alex/.cxoffice/dotwine/drive_c(/.*)?/.*.exe -- system_u:object_r:textrel_shlib_t:s0
/home/alex/cxoffice/lib/wine/kernel32.dll.so -- system_u:object_r:textrel_shlib_t:s0
[root@jack sel]#semodule_package -o local.pp -m local.mod -f local.fc
[root@jack sel]#semodule -i local.pp
[root@jack sel]#ls -Z /home/alex/cxoffice/lib/wine/kernel32.dll.so
-rwxr-xr-x alex alex system_u:object_r:user_home_t:s0 /home/alex/cxoffice/lib/wine/kernel32.dll.so
[root@jack sel]#restorecon /home/alex/cxoffice/lib/wine/kernel32.dll.so
[root@jack sel]#ls -Z /home/alex/cxoffice/lib/wine/kernel32.dll.so
-rwxr-xr-x alex alex system_u:object_r:user_home_t:s0 /home/alex/cxoffice/lib/wine/kernel32.dll.so
(If I use the system-config-selinux UI, I can see the new entry in the tab context among all the regexp)
Using semanage, it works:
[root@jack sel]#semodule -r local
[root@jack sel]#semanage fcontext -a -t textrel_shlib_t /home/alex/cxoffice/lib/wine/kernel32.dll.so
[root@jack sel]#ls -Z /home/alex/cxoffice/lib/wine/kernel32.dll.so
-rwxr-xr-x alex alex system_u:object_r:user_home_t:s0 /home/alex/cxoffice/lib/wine/kernel32.dll.so
[root@jack sel]#restorecon /home/alex/cxoffice/lib/wine/kernel32.dll.so
[root@jack sel]#ls -Z /home/alex/cxoffice/lib/wine/kernel32.dll.so
-rwxr-xr-x alex alex system_u:object_r:textrel_shlib_t:s0 /home/alex/cxoffice/lib/wine/kernel32.dll.so
and the custom rule appears in system-config-selinux UI at the end of the policy.
So how do I have my module install my contexts the same way as semanage? Should I bugzilla it?
BTW, how does system-config-selinux browse the file context policy? Is it possible to see also the rules and type definition?
TIA jk
This looks like a bug in libsemanage or in the file context labeling algorithm.
I believe matchpathcon is reading in file_contexts, file_contexts.homedirs, file_contexts.local and taking the last entry.
So using semodule to add a pp file updates the file_contexts file, in which case the homedirs is overriding. semanage fcontext updates the file_contexts.local.
If you tried
HOME_DIR/.cxoffice/dotwine/drive_c(/.*)?/.*.exe -- system_u:object_r:textrel_shlib_t:s0
It should update the file_contexts.homedirs file.
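A small Python model of the lookup order described in the reply above, added here as an example; it is not from the thread and is not libselinux code. It assumes "the last matching entry in load order wins", that HOME_DIR expands to /home/[^/]*, and a constructed generic homedirs rule; file-type fields such as -- are ignored.

```python
import re

# Constructed stand-ins for the three files named in the reply, in the order
# it says they are read. Real files hold many more entries.
HOME_ROOT = "/home/[^/]*"  # assumed expansion of the HOME_DIR keyword
TARGET = "/home/alex/cxoffice/lib/wine/kernel32.dll.so"


def build_store(module_fc=(), local_fc=()):
    """Return [(source_file, regex, type)] in load order."""
    base = []
    # Constructed generic rule that labels everything under a home directory.
    homedirs = [("file_contexts.homedirs", HOME_ROOT + "/.+", "user_home_t")]
    for pattern, setype in module_fc:
        if pattern.startswith("HOME_DIR"):
            # Templated module entries are expanded into the homedirs file.
            expanded = HOME_ROOT + pattern[len("HOME_DIR"):]
            homedirs.append(("file_contexts.homedirs", expanded, setype))
        else:
            base.append(("file_contexts", pattern, setype))
    local = [("file_contexts.local", p, t) for p, t in local_fc]
    return base + homedirs + local


def lookup(store, path):
    """Model of 'taking the last entry': last full match in load order wins."""
    winner = None
    for source, pattern, setype in store:
        if re.fullmatch(pattern, path):
            winner = (source, setype)
    return winner


def scenarios():
    lib = "textrel_shlib_t"
    templated = "HOME_DIR/cxoffice/lib/wine/kernel32.dll.so"  # constructed
    return {
        "module, absolute path": lookup(build_store(module_fc=[(TARGET, lib)]), TARGET),
        "semanage fcontext -a": lookup(build_store(local_fc=[(TARGET, lib)]), TARGET),
        "module, HOME_DIR path": lookup(build_store(module_fc=[(templated, lib)]), TARGET),
    }


if __name__ == "__main__":
    for name, (source, setype) in scenarios().items():
        print(f"{name:24} -> {setype:16} (from {source})")
```

In this model the absolute-path module entry is shadowed by the later homedirs rule, while the file_contexts.local entry and the HOME_DIR entry are read after it and so decide the label.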
On Tuesday, 20 November 2007 at 08:39 -0500, Daniel J Walsh wrote:
> This looks like a bug in libsemanage or in the file context labeling algorithm.
> I believe matchpathcon is reading in file_contexts, file_contexts.homedirs, file_contexts.local and taking the last entry.
> So using semodule to add a pp file updates the file_contexts file, in which case the homedirs is overriding. semanage fcontext updates the file_contexts.local.
> If you tried
> HOME_DIR/.cxoffice/dotwine/drive_c(/.*)?/.*.exe -- system_u:object_r:textrel_shlib_t:s0
> It should update the file_contexts.homedirs file.
I confirm this works. Thanks! Should I bugzilla it or is it the way it should be?
jk
You can bugzilla it, but it probably should be brought up for discussion on the selinux@tycho.nsa.gov list.