coll2021 n00b
Joined: 29 May 2021 Posts: 7
Posted: Sat May 29, 2021 11:52 am Post subject: [SOLVED] SELinux create custom type, seems not to work well
System info:
Gentoo x86_64, recent version;
SELinux strict, permissive mode;
------------------------------------------------------------------------------------------------------------------
What do I want?
1. I want to create a directory (named private) inside root or home;
2. give this private directory a custom type, so that no process can access it (this is what I really want);
3. thus, I can hide some private data in this newly created dir;
------------------------------------------------------------------------------------------------------------------
What did I do?
Code: |
# private_files.te
policy_module(private_files, 1.0)

require {
	type unconfined_t;
	# Fedora's setroubleshoot daemon. A non-optional require fails to load on a
	# policy that has no such type, so drop this line and the allow below there.
	type setroubleshootd_t;
}

# The private type. Deliberately declared without files_type(): that macro adds
# the file_type attribute, and domains such as unconfined_t have blanket rules on
# file_type, which would defeat the "no process may access it" goal.
type private_files_t;

# Let objects of this type live on persistent filesystems with xattr labels.
fs_associate(private_files_t);

# Only what is needed to put the label on and to stat it.
allow unconfined_t private_files_t:{ dir file } relabelto;
allow setroubleshootd_t private_files_t:{ dir file } getattr;
|
This works fine in Fedora 34, but not in Gentoo;
in Gentoo, when I execute `chcon -t private_files_t /private`, the file context changes, but I can still access the /private dir (e.g. `ls /private`);
Quote: | The code above may be slightly different in Gentoo, but I tried many ways; it compiles and semodule installs it correctly (`seinfo -t | grep private_files_t`, I can see it), but I can still access the /private dir!! What am I missing??? |
Can anyone help? Thanks.
Last edited by coll2021 on Wed Jun 02, 2021 1:48 am; edited 1 time in total
alamahant Advocate
Joined: 23 Mar 2019 Posts: 3918
Posted: Sat May 29, 2021 12:02 pm
Welcome to Gentoo.
Please try
Code: |
semanage fcontext -a -t private_files_t "/private(/.*)?"
restorecon -R /private
ls -lZd /private
|
If the context is correct and you still don't get what you need, then you misdefined your policy.
coll2021 n00b
Joined: 29 May 2021 Posts: 7
Posted: Sat May 29, 2021 12:07 pm
alamahant wrote: | Welcome to Gentoo.
Please try
Code: |
semanage fcontext -a -t private_files_t "/private(/.*)?"
restorecon -R /private
ls -lZ /private
|
|
Yes, I tried.
Code: |
1. `seinfo -t | grep private_files_t`: can't see it
2. `semanage fcontext -a -t private_files_t "/private(/.*)?"`: ValueError: Type private_files_t is invalid, must be a file or device type
3. `ls -lZ -d /private`: ... root:object_r:private_files_t /private
|
Last edited by coll2021 on Sat May 29, 2021 12:09 pm; edited 2 times in total
alamahant Advocate
Joined: 23 Mar 2019 Posts: 3918
Posted: Sat May 29, 2021 12:08 pm
Then the policy is wrong...
coll2021 n00b
Joined: 29 May 2021 Posts: 7
Posted: Sat May 29, 2021 12:11 pm
alamahant wrote: | Then the policy is wrong... |
But I compiled and installed it successfully, and I can see private_files_t; what am I missing?
alamahant Advocate
Joined: 23 Mar 2019 Posts: 3918
Posted: Sat May 29, 2021 12:21 pm
Maybe
Code: |
.
.
.
type private_files_t;
files_type(private_files_t);
.
.
|
coll2021 n00b
Joined: 29 May 2021 Posts: 7
Posted: Sat May 29, 2021 12:43 pm
alamahant wrote: | Maybe
Code: |
.
.
.
type private_files_t;
files_type(private_files_t);
.
.
|
|
Tried it, but it doesn't work. Thanks.
--------------------------------------------
Maybe the type needs to be associated with a role in a config file (or whatever)?
salam Apprentice
Joined: 29 Sep 2005 Posts: 226
Posted: Tue Jun 01, 2021 8:40 pm
Given the info:
1) .... in gentoo, when execute: `chcon -t private_files_t /private`, file context changed...
2) but still can access /private dir (like ls /private)
3)
system info:
gentoo x86_64 recent version;
selinux strict permissive mode;
Isn't that thing the cause?
coll2021 n00b
Joined: 29 May 2021 Posts: 7
Posted: Wed Jun 02, 2021 1:34 am
salam wrote: | Given the info:
1) .... in gentoo, when execute: `chcon -t private_files_t /private`, file context changed...
2) but still can access /private dir (like ls /private)
3)
system info:
gentoo x86_64 recent version;
selinux strict permissive mode;
Isn't that thing the cause? |
Yep, almost:
1. it should be in enforcing mode;
2. don't use the `files_type` macro in the .te file;
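The thread's conclusions (no `files_type()`, enforcing mode, `semanage fcontext` rejecting a type that lacks the file_type attribute) as one checkable procedure. This is an added example, not code from the thread or from Gentoo's policy. It assumes the thread's private_files.te is in the current directory, that the refpolicy build Makefile is at /usr/share/selinux/strict/include/Makefile (the strict policy type), and that setools 4 provides seinfo and sesearch; the script name private-type-check.sh and the helper names are made up. It adds two things the posts do not show: a module .fc file, so the label is applied by restorecon even though `semanage fcontext -a` refuses the type, and a sesearch listing of every domain that may still read the directory. On a strict policy the admin shell normally runs as sysadm_t rather than unconfined_t, so the relabelto rule in the .te has to name whichever domain actually runs restorecon or chcon.

```shell
#!/bin/sh
# Added example (not from the thread): build, load and verify a "no domain may
# touch it" SELinux file type on Gentoo's strict policy.
# Assumptions (hypothetical): private_files.te is in the current directory,
# the refpolicy Makefile lives at /usr/share/selinux/strict/include/Makefile,
# and setools 4 provides seinfo/sesearch.
set -eu

MODULE=private_files
TYPE=private_files_t
DIR=/private
MAKEFILE=/usr/share/selinux/strict/include/Makefile

# ---- helpers that read tool output on stdin, so they can be checked offline ----

# stdin: output of `getenforce`. True only in enforcing mode; in permissive mode
# denials are written to the audit log but never blocked, so `ls /private` still works.
is_enforcing() {
    read -r mode
    [ "$mode" = "Enforcing" ]
}

# stdin: output of `seinfo -a file_type -x` (member types, one per line).
# True when $1 is NOT a member. files_type() would add the attribute, and rules such
# as files_unconfined() are written against the attribute, so a member is readable
# by many domains no matter what the module's own allow rules say.
lacks_file_type() {
    ! grep -qw "$1"
}

# stdin: output of `sesearch -A -t $TYPE -c dir -p read`.
# Prints the number of distinct source domains that may read the directory.
count_readers() {
    awk '$1 == "allow" { print $2 }' | sort -u | wc -l | tr -d ' '
}

main() {
    # 1. Ship the label in the module's .fc file: semanage fcontext refuses a type
    #    without file_type, but module file contexts bypass that check, so
    #    restorecon works once the module is loaded (chcon -t is the fallback).
    cat > "$MODULE.fc" <<EOF
$DIR(/.*)?    gen_context(system_u:object_r:$TYPE,s0)
EOF

    # 2. Build and load the module (private_files.te + private_files.fc -> .pp).
    make -f "$MAKEFILE" "$MODULE.pp"
    semodule -i "$MODULE.pp"

    # 3. Check the type did not pick up the file_type attribute.
    seinfo -a file_type -x | lacks_file_type "$TYPE" \
        || { echo "$TYPE carries file_type: remove files_type() from $MODULE.te" >&2; exit 1; }

    # 4. Label the directory and show the result.
    mkdir -p "$DIR"
    restorecon -Rv "$DIR"
    ls -Zd "$DIR"

    # 5. List every domain that can still read it; only what the .te grants should show.
    sesearch -A -t "$TYPE" -c dir -p read
    echo "domains with dir:read on $TYPE: $(sesearch -A -t "$TYPE" -c dir -p read | count_readers)"

    # 6. None of the above is enforced while the system is permissive.
    getenforce | is_enforcing \
        || { echo "system is permissive: run 'setenforce 1' before testing access" >&2; exit 1; }
}

# Run the procedure only when executed under its own name; sourcing the file
# just defines the helpers.
case "${0##*/}" in private-type-check.sh) main "$@" ;; esac
```

Run it as root with `sh private-type-check.sh` after `setenforce 1`; if `lacks_file_type` fails, the module was built with `files_type()`, and if `count_readers` reports more domains than the .te names, an attribute-based rule is granting access behind the module's back.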