Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[SOLVED]selinux create custom type, seems not work well
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
coll2021
n00b
n00b


Joined: 29 May 2021
Posts: 7

PostPosted: Sat May 29, 2021 11:52 am    Post subject: [SOLVED]selinux create custom type, seems not work well Reply with quote

system info:
gentoo x86_64 recent version;
selinux strict permissive mode;

------------------------------------------------------------------------------------------------------------------

what i want?
1. i want create a directory( name private) inside root or home;
1. give this private directory a custom type, in order to no process can access it(this is what i really want);
1. thus, i can hidden some private data in this new created dir;

------------------------------------------------------------------------------------------------------------------

what i do?
Code:
```private_files.te
policy_module(private_files, 1.0)

require {
   type unconfined_t;
   type setroubleshootd_t;
}

type private_files_t;
fs_associate(private_files_t);

allow unconfined_t private_files_t:{ dir file } relabelto;
allow setroubleshootd_t private_files_t:{ dir file } getattr;
```

this is work fine in fedora-34,but not in gentoo;

in gentoo, when execute: `chcon -t private_files_t /private`,file context changed,but still can acess /privaet dir(like ls /private);
Quote:
code above may be slight difference in gentoo, but i tried many way, compile, semodule install correctly(seinfo -t | grep private_files_t, can saw it) ,but still can acess /private dir!! what i miss???


anyone can help, thanks :)


Last edited by coll2021 on Wed Jun 02, 2021 1:48 am; edited 1 time in total
Back to top
View user's profile Send private message
alamahant
Advocate
Advocate


Joined: 23 Mar 2019
Posts: 3926

PostPosted: Sat May 29, 2021 12:02 pm    Post subject: Reply with quote

Welcome to Gentoo
Plz try
Code:

semanage fcontext -a -t private_files_t /private(/.*)?
restorecon -R /private
ls -lZ(d) /private

If the context is correct and still you dont get what you need then you mis defined your policy.
_________________
:)
Back to top
View user's profile Send private message
coll2021
n00b
n00b


Joined: 29 May 2021
Posts: 7

PostPosted: Sat May 29, 2021 12:07 pm    Post subject: Reply with quote

alamahant wrote:
Welcome to Gentoo
Plz try
Code:

semanage fcontext -a -t private_files_t /private(/.*)?
restorecon -R /private
ls -lZ /private


yes, i tried.

Code:
1. `seinfo -t | grep private_files_t`, cant saw it
1.` semanage fcontext -a -t private_files_t "/private(/.*)?"`,Value error, type private_files_t is invalid, must be a file or device type
1. `ls -lZ -d /private` ,... root:object_r:private_files_t  /private;


Last edited by coll2021 on Sat May 29, 2021 12:09 pm; edited 2 times in total
Back to top
View user's profile Send private message
alamahant
Advocate
Advocate


Joined: 23 Mar 2019
Posts: 3926

PostPosted: Sat May 29, 2021 12:08 pm    Post subject: Reply with quote

Then wrong policy......
:)
_________________
:)
Back to top
View user's profile Send private message
coll2021
n00b
n00b


Joined: 29 May 2021
Posts: 7

PostPosted: Sat May 29, 2021 12:11 pm    Post subject: Reply with quote

alamahant wrote:
Then wrong policy......
:)



but,i compiled and installed successfully,and can saw private_files_type,what i miss ?
Back to top
View user's profile Send private message
alamahant
Advocate
Advocate


Joined: 23 Mar 2019
Posts: 3926

PostPosted: Sat May 29, 2021 12:21 pm    Post subject: Reply with quote

Maybe
Code:

.
.
.
type private_files_t;
files_type(private_files_t);
.
.


_________________
:)
Back to top
View user's profile Send private message
coll2021
n00b
n00b


Joined: 29 May 2021
Posts: 7

PostPosted: Sat May 29, 2021 12:43 pm    Post subject: Reply with quote

alamahant wrote:
Maybe
Code:

.
.
.
type private_files_t;
files_type(private_files_t);
.
.



tried, but not work. thanks :)

--------------------------------------------

may be type need associate with role in config file (whatever)?
Back to top
View user's profile Send private message
salam
Apprentice
Apprentice


Joined: 29 Sep 2005
Posts: 226

PostPosted: Tue Jun 01, 2021 8:40 pm    Post subject: Reply with quote

Given the info:
1) .... in gentoo, when execute: `chcon -t private_files_t /private`,file context changed...
2) but still can acess /privaet dir(like ls /private)
3)
system info:
gentoo x86_64 recent version;
selinux strict permissive mode;

Isn't that thing the cause?
Back to top
View user's profile Send private message
coll2021
n00b
n00b


Joined: 29 May 2021
Posts: 7

PostPosted: Wed Jun 02, 2021 1:34 am    Post subject: Reply with quote

salam wrote:
Given the info:
1) .... in gentoo, when execute: `chcon -t private_files_t /private`,file context changed...
2) but still can acess /privaet dir(like ls /private)
3)
system info:
gentoo x86_64 recent version;
selinux strict permissive mode;

Isn't that thing the cause?


yep, almost
1. should in enforcing mode;
2. not use `files_type` macro in the te file;
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum