On 02/21/2011 04:15 PM, Andreas Bolatzki wrote:
Hello All
I am working on Fedora 13 and VirtualBox 3.2
Currently I try to apply a selinux module that has been created with
ubuntu to Fedora 13. Because I believe I understand what it should do I
just tried to make it run under F-13.
I have three files: vbox.te, vbox.if, vbox.fc to create a policy module.
After making the vbox.pp I can load it with "semodule -I vbox.pp" and
the module shows up in semodule -l correctly.
The motivation to change these file-contexts is to prepare for correct
type-transition rules so they match the defined rules.
Unfortunately the file-context is never set as needed and as described
in the vbox.fc.
When I check .../file_contexts the correct statements are included but
they happen to appear later than something that was there before... (or
is there if the module is removed):
# matchpathcon /usr/lib/virtualbox/
/usr/lib/virtualbox system_u:object_r:lib_t:s0
# matchpathcon -f f13vbox.fc /usr/lib/virtualbox/
/usr/lib/virtualbox <<none>>
Next I tried to do it with semanage fcontext -t
[~]$ sudo semanage fcontext -a -t vbox_manage_exec_t /usr/lib/virtualbox/VboxManage
[~]$ ls -lZ /usr/lib/virtualbox/VBoxManage
-rwxr-xr-x. root root system_u:object_r:lib_t:s0 /usr/lib/virtualbox/VBoxManage

That semanage command above only adds a new file context specification.
You have to restore the context after that to actually apply the
specified file context.

I'd expect that the lib_t is replaced by vbox_manage_exec_t.
What is the problem? My understanding of what should happen might be
wrong...
Thanks for your answers.
Andreas
---
Contents of vbox.fc
/dev/vboxdrv                          gen_context(system_u:object_r:vbox_run_t,s0)
/dev/vboxnetctl                       gen_context(system_u:object_r:vbox_run_t,s0)
/usr/lib/virtualbox                   gen_context(system_u:object_r:vbox_run_t,s0)
/usr/lib/virtualbox/(.*)              gen_context(system_u:object_r:vbox_run_t,s0)
/usr/lib/virtualbox/VBoxManage    --  gen_context(system_u:object_r:vbox_manage_exec_t,s0)
/usr/lib/virtualbox/VBoxXPCOMIPCD --  gen_context(system_u:object_r:vbox_ipc_exec_t,s0)
/usr/lib/virtualbox/VirtualBox    --  gen_context(system_u:object_r:vbox_vbox_exec_t,s0)
/usr/lib/virtualbox/VBoxSDL       --  gen_context(system_u:object_r:vbox_vbox_exec_t,s0)
/usr/lib/virtualbox/VBoxSVC       --  gen_context(system_u:object_r:vbox_svc_exec_t,s0)
HOME_DIR/.VirtualBox(/.*)?            gen_context(system_u:object_r:vbox_run_t,s0)

These are specified file contexts. After loading these, you may need to
apply them by running restorecon on each of the paths.

---
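
The gap the reply describes, between the context a specification asks for and the label actually on disk, can be checked per path before and after running restorecon. The script below is an added example, not part of the original thread; the function names and the script name in the usage comment are hypothetical, and it assumes matchpathcon (libselinux-utils) and GNU stat are installed.

```shell
#!/bin/sh
# Added example: report files whose on-disk SELinux type differs from the
# type the loaded file_contexts specify. Function names are hypothetical.

# Print the type field (third colon-separated field) of a context string.
label_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# needs_relabel SPECIFIED ON_DISK
# Succeeds when a specification exists and its type differs from the label
# on disk. Only the type is compared because restorecon without -F leaves
# user, role and range alone.
needs_relabel() {
    if [ "$1" = "<<none>>" ]; then
        return 1    # no specification matches this path
    fi
    [ "$(label_type "$1")" != "$(label_type "$2")" ]
}

# audit_path PATH: query the running system for both labels.
audit_path() {
    specified=$(matchpathcon -n "$1") || return 2
    on_disk=$(stat -c %C "$1") || return 2
    if needs_relabel "$specified" "$on_disk"; then
        echo "$1: on disk $on_disk, specified $specified (restorecon -v $1)"
    else
        echo "$1: ok ($on_disk)"
    fi
}

# Usage: sh check-labels.sh /usr/lib/virtualbox/VBoxManage ...
for p in "$@"; do
    audit_path "$p"
done
```

A path reported as differing keeps its old label until restorecon is run on it; running the script again afterwards should report it as ok.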