On Tuesday, 20 November 2007 at 08:39 -0500, Daniel J Walsh wrote:
> Laurent Jacquot wrote:
>> Hello,
>> I am sure this is a FAQ or a feature, but I want to know how to work
>> around:
>>
>> I have cxoffice installed in my F8 home dir and I want some lib labeled
>> as textrel_shlib_t, but I cannot override the default user_home_t home
>> label via a policy module.
>>
>> NOTE1 it works if the directory is not under /home
>> NOTE2 there is nothing in the logs if it fails
>> NOTE3 It has been so since the introduction of modular policy in selinux
>>
>> This is what I have tried so far in F8.
>> [root@jack sel]#cat local.fc
>> #cxoffice
>> #/home/alex/.cxoffice/dotwine/drive_c(/.*)?/.*\.exe -- system_u:object_r:textrel_shlib_t:s0
>>
>> /home/alex/cxoffice/lib/wine/kernel32.dll.so -- system_u:object_r:textrel_shlib_t:s0
>>
>> [root@jack sel]#semodule_package -o local.pp -m local.mod -f local.fc
>> [root@jack sel]#semodule -i local.pp
>> [root@jack sel]#ls -Z /home/alex/cxoffice/lib/wine/kernel32.dll.so
>> -rwxr-xr-x alex alex system_u:object_r:user_home_t:s0 /home/alex/cxoffice/lib/wine/kernel32.dll.so
>> [root@jack sel]#restorecon /home/alex/cxoffice/lib/wine/kernel32.dll.so
>> [root@jack sel]#ls -Z /home/alex/cxoffice/lib/wine/kernel32.dll.so
>> -rwxr-xr-x alex alex system_u:object_r:user_home_t:s0 /home/alex/cxoffice/lib/wine/kernel32.dll.so
>>
>>
>> (If I use the system-config-selinux UI, I can see the new entry in the
>> tab context among all the regexp)
>>
>> Using semanage, it works:
>> [root@jack sel]#semodule -r local
>> [root@jack sel]#semanage fcontext -a -t textrel_shlib_t /home/alex/cxoffice/lib/wine/kernel32.dll.so
>> [root@jack sel]#ls -Z /home/alex/cxoffice/lib/wine/kernel32.dll.so
>> -rwxr-xr-x alex alex system_u:object_r:user_home_t:s0 /home/alex/cxoffice/lib/wine/kernel32.dll.so
>> [root@jack sel]#restorecon /home/alex/cxoffice/lib/wine/kernel32.dll.so
>> [root@jack sel]#ls -Z /home/alex/cxoffice/lib/wine/kernel32.dll.so
>> -rwxr-xr-x alex alex system_u:object_r:textrel_shlib_t:s0 /home/alex/cxoffice/lib/wine/kernel32.dll.so
>>
>> and the custom rule appears in system-config-selinux UI at the end of
>> the policy.
>>
>> So how do I have my module install my contexts the same way as semanage?
>> Should I bugzilla it?
>>
>> BTW, how does system-config-selinux browse the file context policy? Is it
>> possible to see also the rules and type definition?
>>
>> TIA
>> jk
>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list(a)redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> This looks like a bug in libsemanage or in the file context labeling
> algorithm.
>
> I believe matchpathcon is reading in file_contexts,
> file_contexts.homedirs, file_contexts.local and taking the last entry.
>
>
> So using semodule to add a pp file updates the file_contexts file, in
> which case the homedirs is overriding. semanage fcontext updates the
> file_contexts.local.
>
>
> If you tried
>
> HOME_DIR/\.cxoffice/dotwine/drive_c(/.*)?/.*\.exe -- system_u:object_r:textrel_shlib_t:s0
>
> It should update the file_contexts.homedirs file.
>
>
I confirm this works. Thanks!
Should I bugzilla it or is it the way it should be?
jk

You can bugzilla it, but it probably should be brought up for discussion
on the <selinux(a)tycho.nsa.gov> list.
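
A simplified model of the lookup order described in the thread above, showing why the module entry loses to the homedir rule while the semanage and HOME_DIR entries win. This is an added example, not libselinux or libsemanage code; the generic homedir regex, the ordering inside file_contexts.homedirs and all function names are assumptions.

```python
import re

# Constructed sample data, not copied from a real policy.
LIB = "/home/alex/cxoffice/lib/wine/kernel32.dll.so"
TEXTREL = "system_u:object_r:textrel_shlib_t:s0"
USER_HOME = "system_u:object_r:user_home_t:s0"
# Assumed stand-in for the generated rule that labels everything under a home dir.
GENERIC_HOME = (r"/home/[^/]+/.+", USER_HOME)

def lookup(path, file_contexts, homedirs, local):
    """Return the context of the LAST matching entry across the three files,
    read in the order named in the reply (file-type field ignored here)."""
    result = None
    for regex, context in file_contexts + homedirs + local:
        if re.fullmatch(regex, path):
            result = context
    return result

def install_module_fc(entries, file_contexts, homedirs):
    """Model of installing a module's .fc: HOME_DIR templates land in
    file_contexts.homedirs (after the generic rule, an assumption),
    everything else lands in file_contexts."""
    for regex, context in entries:
        if regex.startswith("HOME_DIR"):
            expanded = regex.replace("HOME_DIR", r"/home/[^/]+", 1)
            homedirs.append((expanded, context))
        else:
            file_contexts.append((regex, context))

def scenario(module_entries=(), local_entries=()):
    """Label LIB given module .fc entries and semanage (local) entries."""
    file_contexts, homedirs = [], [GENERIC_HOME]
    install_module_fc(module_entries, file_contexts, homedirs)
    return lookup(LIB, file_contexts, homedirs, list(local_entries))

if __name__ == "__main__":
    home_dir_entry = (r"HOME_DIR/cxoffice/lib/wine/kernel32\.dll\.so", TEXTREL)
    print("module, absolute path:", scenario(module_entries=[(LIB, TEXTREL)]))
    print("semanage fcontext    :", scenario(local_entries=[(LIB, TEXTREL)]))
    print("module, HOME_DIR     :", scenario(module_entries=[home_dir_entry]))
```

On a real system, `matchpathcon /home/alex/cxoffice/lib/wine/kernel32.dll.so` reports the context the installed policy would assign, which is the check to run before `restorecon`.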