Here it is, sir...
Well, actually I'm trying to write my segatex policy. /usr/bin/segatex is actually a link to /usr/bin/consolehelper.
In my INSTALL script I declared:
##################################
ln -s /usr/bin/consolehelper /usr/bin/segatex
##################################
I've been running my program in an unconfined domain for several years, but I want to confine it now. So, I tried to label /usr/bin/segatex as segatex_exec_t.
Made it fine, installed all right.
I could find the segatex module, you know... But alas, I could not restorecon nor autorelabel.
Why?
# segatex executable will have:
# label: system_u:object_r:segatex_exec_t
# MLS sensitivity: s0
# MCS categories: <none>
/usr/bin/segatex		--	gen_context(system_u:object_r:segatex_exec_t,s0)
/usr/share/segatex(/.*)?	--	gen_context(system_u:object_r:segatex_etc_t,s0)
2009/4/20 Daniel J Walsh dwalsh@redhat.com:
On 04/20/2009 08:32 AM, Shintaro Fujiwara wrote:
I wrote a policy which assigns a label to a symbolic link, and I ran restorecon, but it failed?
Am I stupid, or what should I do about this?
Thanks.
What does your fc file look like?
You have "--" between /usr/bin/segatex and gen_context..., which means that your context specification applies only to regular files (not symlinks) called /usr/bin/segatex. You could use "-l" instead of "--" to specify a symlink, or just leave that field blank to mean anything (file, directory, socket, symlink etc.).
Paul.
OK, actually I copied it from acct.fc, which is the front runner of the policies in admin. I've been reluctant to consult any SELinux book, you know...
I will fix this, and hopefully I can write a good policy with the help of my friends...
THKS!
The -- tells the system to only label standard files with the segatex label.
If you eliminate "--" it will match everything. If you want to match only symbolic links you would use "-l", directories "-d". The same symbols that ls uses at the beginning of a ls line.
Yeha!
These days, I've been writing my program and discarded the contrivances that you invented... That reminds me of an old book that Yuichi wrote several years ago.
And also thanks for your documentation on the web recently.
I will ship my segatex with its own policy in a few days.
THKS!
But, what does -- stand for, in regular Linux admin work? I will forget it easily.
Or am I a dumb fool not knowing Linux commands?
The first "-", I believe, is just an indicator for the tools that an option follows. The second is just the "file type" as used in the ls command, i.e. the first letter of the output of ls -l:
ls -l /etc
...
lrwxrwxrwx. 1 root root   22 2008-06-12 21:55 grub.conf -> ../boot/grub/grub.conf
...
-rw-r--r--. 1 root root 3101 2009-03-30 10:55 /etc/passwd
...
drwxr-xr-x. 2 root root 4096 2009-02-13 08:51 squid
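To make the point of Paul's and Dan's replies concrete (the "--" type field restricts an fc entry to regular files, "-l" selects symlinks, a blank field matches any object type, and the letters are the ones ls -l prints in its first column), here is a small file_contexts matcher. It is an added example, not code from the thread, from segatex or from libselinux. It assumes a simplified lookup rule (the last matching entry wins; the policy build's specificity sort is left out), assumes no whitespace inside gen_context(), ignores the optional MCS categories argument, and uses constructed ls -l lines shaped like the ones quoted above. The "corrected" entries follow the advice in the replies: "-l" for the symlink and, as an editor's choice, a blank type field for the /usr/share/segatex tree so the directory itself is labelled too.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# The fc type field uses the letter ls -l prints first ("-" regular file,
# "l" symlink, "d" directory, ...), preceded by a "-" option indicator.
FLAG_TO_LS_LETTER: Dict[str, str] = {
    "--": "-", "-l": "l", "-d": "d", "-b": "b", "-c": "c", "-p": "p", "-s": "s",
}
LS_LETTER_TO_FLAG = {v: k for k, v in FLAG_TO_LS_LETTER.items()}

# gen_context(context,mls[,mcs]); the MCS argument is ignored in this example.
GEN_CONTEXT = re.compile(r"^gen_context\(([^,)]+),([^,)]+)(?:,[^)]*)?\)$")


@dataclass
class FcEntry:
    regex: str                 # matched against the whole path on lookup
    file_type: Optional[str]   # ls-style letter, or None for "any object type"
    context: Optional[str]     # None means "<<none>>" (explicitly unlabelled)


def expand_context(field: str) -> Optional[str]:
    """gen_context(user:role:type,s0) -> user:role:type:s0; plain contexts pass through."""
    if field == "<<none>>":
        return None
    m = GEN_CONTEXT.match(field)
    return f"{m.group(1)}:{m.group(2)}" if m else field


def parse_fc(text: str) -> List[FcEntry]:
    """Parse file_contexts lines: regex, optional type flag, context."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # '#' starts a comment
        if not line:
            continue
        fields = line.split()                    # fields are whitespace separated
        if len(fields) == 3:
            regex, flag, ctx = fields
            if flag not in FLAG_TO_LS_LETTER:
                raise ValueError(f"unknown type flag {flag!r} in: {raw}")
            ftype = FLAG_TO_LS_LETTER[flag]
        elif len(fields) == 2:
            regex, ctx = fields
            ftype = None                         # blank type field: any object type
        else:
            raise ValueError(f"malformed file_contexts line: {raw}")
        entries.append(FcEntry(regex, ftype, expand_context(ctx)))
    return entries


def lookup(entries: List[FcEntry], path: str, ls_letter: str) -> Optional[str]:
    """Simplified lookup (assumption): the last entry whose regex matches the whole
    path and whose type field admits this object type wins; None = no match, so
    restorecon would leave the object as it is."""
    winner = None
    for e in entries:
        if re.fullmatch(e.regex, path) and e.file_type in (None, ls_letter):
            winner = e
    return winner.context if winner else None


def flag_for_ls_line(ls_line: str) -> str:
    """Map the first column of an ls -l line to the fc type flag it corresponds to."""
    letter = ls_line.lstrip()[0]
    if letter not in LS_LETTER_TO_FLAG:
        raise ValueError(f"unrecognised ls type letter {letter!r}")
    return LS_LETTER_TO_FLAG[letter]


# The entries as posted in the thread ("--" on both lines).
FC_AS_POSTED = """\
/usr/bin/segatex          --  gen_context(system_u:object_r:segatex_exec_t,s0)
/usr/share/segatex(/.*)?  --  gen_context(system_u:object_r:segatex_etc_t,s0)
"""

# Corrected per the replies: "-l" for the symlink, blank for the whole tree.
FC_CORRECTED = """\
/usr/bin/segatex          -l  gen_context(system_u:object_r:segatex_exec_t,s0)
/usr/share/segatex(/.*)?      gen_context(system_u:object_r:segatex_etc_t,s0)
"""

# Constructed ls -l lines (sample data, not real system output).
LS_SAMPLE = [
    "lrwxrwxrwx. 1 root root   13 2009-04-20 08:00 /usr/bin/segatex -> consolehelper",
    "-rwxr-xr-x. 1 root root 3101 2009-03-30 10:55 /usr/bin/consolehelper",
    "drwxr-xr-x. 2 root root 4096 2009-02-13 08:51 /usr/share/segatex",
]


def demo() -> Dict[str, Optional[str]]:
    posted, fixed = parse_fc(FC_AS_POSTED), parse_fc(FC_CORRECTED)
    link = FLAG_TO_LS_LETTER[flag_for_ls_line(LS_SAMPLE[0])]   # "l"
    directory = FLAG_TO_LS_LETTER[flag_for_ls_line(LS_SAMPLE[2])]  # "d"
    return {
        "posted/symlink": lookup(posted, "/usr/bin/segatex", link),
        "posted/dir": lookup(posted, "/usr/share/segatex", directory),
        "posted/file": lookup(posted, "/usr/share/segatex/segatex.conf", "-"),
        "corrected/symlink": lookup(fixed, "/usr/bin/segatex", link),
        "corrected/dir": lookup(fixed, "/usr/share/segatex", directory),
    }


if __name__ == "__main__":
    for name, ctx in demo().items():
        print(f"{name:18s} -> {ctx or '(no match: restorecon leaves it alone)'}")
```

Running it shows why the original fc file did nothing for /usr/bin/segatex: with "--" neither the symlink nor the /usr/share/segatex directory matches any entry, only regular files under it do; with "-l" the link gets segatex_exec_t, and with the blank type field the directory gets segatex_etc_t as well.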
Thank you, sir.
That'll make sense to me.
selinux@lists.fedoraproject.org