I resolved the problem with Dan's help by adding a transition from unconfined to vasd_t.
Sent from my Windows Phone

From: Miroslav Grepl <mgrepl@redhat.com>
Sent: 3/27/2015 2:24 AM
To: Jayson Hurst <swazup@hotmail.com>; selinux@lists.fedoraproject.org
Subject: Re: How do I create a directory in C that will follow selinux file context rules?
On 03/26/2015 08:37 PM, Jayson Hurst wrote:
What I don't understand is why the filetrans doesn't work in the first place?
In my policy I define:
filetrans_pattern(vasd_t, vasd_var_t, vasd_var_auth_t, dir)
But when my binary, which runs under the vasd_t domain as an unconfined user, creates a directory in /var/opt/quest/vas/ called vasd, it gets created as vasd_var_t.
The parent directory of /var/opt/quest/vas is labeled as vasd_var_t. Shouldn't the above filetrans_pattern label all new directories under /var/opt/quest/vas as vasd_var_auth_t when they are being created under the vasd_t domain?
It should work. Are you sure you create it under vasd_t? Also you need to have
manage_dirs_pattern(vasd_t, vasd_var_auth_t, vasd_var_auth_t)
Date: Thu, 26 Mar 2015 18:24:01 +0100
From: mgrepl@redhat.com
To: swazup@hotmail.com; selinux@lists.fedoraproject.org
Subject: Re: How do I create a directory in C that will follow selinux file context rules?
On 03/26/2015 04:17 PM, Jayson Hurst wrote:
RHEL 6.5
I have tried this using a filetrans pattern but it doesn't seem to work.
Date: Wed, 25 Mar 2015 09:32:32 +0100
From: mgrepl@redhat.com
To: swazup@hotmail.com; selinux@lists.fedoraproject.org
Subject: Re: How do I create a directory in C that will follow selinux file context rules?
On 03/24/2015 10:45 PM, Jayson Hurst wrote:
I need to create a directory in a C binary.
I am currently doing something similar to this:
status = mkdir("/home/cnd/mod1", S_IRWXU | S_IRWXG | S_IROTH | S_IXOTH);
But when the directory is created it ends up with the wrong SELinux context. It inherits its parent's context and not the one defined in file context.
What is your OS?
Is there a C call that can be used that understands how to correctly create and label SELinux directories?
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
--
Miroslav Grepl
Software Engineering, SELinux Solutions
Red Hat, Inc.
Ok, basically you can add a transition rule for "/home/cnd/mod1"
userdom_user_home_dir_filetrans(unconfined_t, ABC_t, dir)
It will create a dir in /home/cnd with ABC_t labeling for unconfined_t or for a domain defined by you.
Where you are not able to use a file transition, you can use restorecond on RHEL6. It uses inotify to watch the files listed in
/etc/selinux/restorecond.conf and /etc/selinux/restorecond_user.conf
when they are created, and it sets the context defined in the policy.
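The thread's conclusion, pulled together as one policy module. This is an added example, not the poster's actual policy or anything from Red Hat: it reuses the type names that appear above (vasd_t, vasd_var_t, vasd_var_auth_t, unconfined_t), while vasd_exec_t and the module name are assumed names for the daemon binary's label. It shows the three pieces that all have to be present for the new directory to come out as vasd_var_auth_t: the filetrans_pattern, the manage_dirs_pattern on the target type that Miroslav asked for, and the domain transition from unconfined_t that Jayson was missing, since type_transition rules are keyed on the creating process's domain and a daemon left running as unconfined_t never matches them.

```te
policy_module(vasd_example, 1.0.0)

########################################
#
# Declarations
#
# vasd_exec_t is an assumed name for the label on the daemon binary;
# it is not mentioned in the thread.
#

type vasd_t;
type vasd_exec_t;
init_daemon_domain(vasd_t, vasd_exec_t)

type vasd_var_t;
files_type(vasd_var_t)

type vasd_var_auth_t;
files_type(vasd_var_auth_t)

########################################
#
# vasd_t local policy
#

# The domain needs create/manage rights on BOTH the parent label and the
# target label. Without the manage_dirs_pattern on vasd_var_auth_t the
# type_transition produced by filetrans_pattern is denied at mkdir time.
manage_dirs_pattern(vasd_t, vasd_var_t, vasd_var_t)
manage_files_pattern(vasd_t, vasd_var_t, vasd_var_t)
manage_dirs_pattern(vasd_t, vasd_var_auth_t, vasd_var_auth_t)
manage_files_pattern(vasd_t, vasd_var_auth_t, vasd_var_auth_t)

# Any directory that vasd_t creates directly inside a vasd_var_t
# directory is labeled vasd_var_auth_t at creation, so no restorecon
# or restorecond pass is needed afterwards.
filetrans_pattern(vasd_t, vasd_var_t, vasd_var_auth_t, dir)

########################################
#
# Domain transition from unconfined_t
#
# This is the piece the thread was missing. If the binary is started
# from an unconfined shell and keeps running as unconfined_t, the
# filetrans rule above (keyed on vasd_t) never matches and the new
# directory simply inherits vasd_var_t from its parent.
#

gen_require(`
	type unconfined_t;
	role unconfined_r;
')

domtrans_pattern(unconfined_t, vasd_exec_t, vasd_t)
role unconfined_r types vasd_t;
```

Two checks worth running after `semodule -i`: `ps -eZ | grep vasd` should show the daemon in vasd_t rather than unconfined_t, and `sesearch -T -s vasd_t -t vasd_var_t -c dir` should print the compiled type_transition to vasd_var_auth_t. If the first check fails, the binary is not labeled with the entrypoint type (here the assumed vasd_exec_t) or the transition rule is absent; if the second fails, the module did not load the filetrans rule. Only when both hold does `ls -Zd /var/opt/quest/vas/vasd` show vasd_var_auth_t on a freshly created directory.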