On 04/27/2012 04:10 PM, goeran@uddeborg.se wrote:
I'm trying to set up F17 SELinux to accept the Swedish electronic identity system called "BankID". I had it working under F16 with only a few file context specifications for its libraries. (They need textrel_shlib_t). But it seems like the policy has been tightened up a bit in F17, which made some more tunings necessary. And I fail on one of them.
This thing runs as a browser plugin, which starts a program, and creates a few files in the user's home directory. My question is how to define the context for these files. BankID creates a file called ".personal-<username>" and a directory tree ".personal/...". I added a file context like this with semanage:
/home/[^/]*/.personal.* all files system_u:object_r:mozilla_home_t:s0
After relabeling, things in the .personal tree get mozilla_home_t, but the file .personal-<username> directly in the home directory doesn't. If it exists, it gets the right context when I do restorecon. But it is created and removed each time the plugin is run, and the next time the file is created, it gets user_home_dir_t, which the plugin in the mozilla_plugin_t context isn't allowed to access, of course.
What am I doing wrong?
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
Can you get .personal-username into the .personal directory?
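Added example, not from either poster: a small shell helper that checks a file-context regex against a path the way semanage/matchpathcon would (anchored at both ends), applied to the spec from the original question. The username "goeran" and the paths are constructed for illustration; the semanage/restorecon step is guarded behind an APPLY_POLICY variable so the script is safe to run on a machine without SELinux tooling. It also shows the caveat that file-context specs only take effect at relabel time; a file the plugin recreates is labelled by the kernel's type-transition rules (creating domain plus parent directory label), which is why restorecon fixes the file but a fresh copy comes back wrong.

```shell
#!/bin/sh
# Emulate how semanage/matchpathcon match a file-context regex: the regex is
# implicitly anchored at both ends, so wrap it in ^...$ for grep -E.
# Usage: fc_matches <regex> <path>; returns 0 if the spec applies to the path.
fc_matches() {
    printf '%s\n' "$2" | grep -Eq "^$1\$"
}

# Spec exactly as written in the original post (note the unescaped '.')
SPEC_ORIG='/home/[^/]*/.personal.*'
# Same spec with the dot escaped so it only matches a literal ".personal"
SPEC_ESC='/home/[^/]*/\.personal.*'

# Paths constructed for this example
FILE_IN_HOME=/home/goeran/.personal-goeran
FILE_IN_TREE=/home/goeran/.personal/config/settings
UNRELATED=/home/goeran/personal
FALSE_POSITIVE=/home/goeran/xpersonal

# Returns 0 if the original spec covers both the loose file and the tree.
spec_covers_both() {
    fc_matches "$SPEC_ORIG" "$FILE_IN_HOME" && fc_matches "$SPEC_ORIG" "$FILE_IN_TREE"
}

if spec_covers_both; then
    echo "spec matches both $FILE_IN_HOME and $FILE_IN_TREE (so the regex is not the problem)"
fi
if fc_matches "$SPEC_ORIG" "$FALSE_POSITIVE"; then
    echo "unescaped '.' also matches $FALSE_POSITIVE; prefer the escaped form"
fi
if ! fc_matches "$SPEC_ESC" "$FALSE_POSITIVE"; then
    echo "escaped spec does not match $FALSE_POSITIVE"
fi

# Persist the spec and relabel. This only runs when explicitly requested,
# because it modifies the local SELinux policy and needs root.
# restorecon applies file-context specs to files that already exist; a file
# created afterwards by the plugin is labelled by the kernel's type-transition
# rules (mozilla_plugin_t creating inside a user_home_dir_t directory), not by
# this spec, which is why a recreated file still shows the wrong type.
if [ "${APPLY_POLICY:-0}" = 1 ] && command -v semanage >/dev/null 2>&1; then
    semanage fcontext -a -t mozilla_home_t "$SPEC_ESC"
    restorecon -Rv /home/goeran
    ls -Z "$FILE_IN_HOME" 2>/dev/null   # inspect the label actually assigned
fi
```

Run it as-is to see the regex checks; run with APPLY_POLICY=1 as root on an SELinux system to also install the spec and relabel. Keeping the file inside the .personal directory, as the reply suggests, works because a new file inherits the parent's mozilla_home_t label at creation time instead of depending on a later relabel.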