View previous topic :: View next topic |
Author |
Message |
coll2021 n00b
Joined: 29 May 2021 Posts: 7
|
Posted: Sat May 29, 2021 11:52 am Post subject: [SOLVED]selinux create custom type, seems not work well |
|
|
system info:
gentoo x86_64 recent version;
selinux strict permissive mode;
------------------------------------------------------------------------------------------------------------------
what i want?
1. i want create a directory( name private) inside root or home;
1. give this private directory a custom type, in order to no process can access it(this is what i really want);
1. thus, i can hidden some private data in this new created dir;
------------------------------------------------------------------------------------------------------------------
what i do?
Code: | ```private_files.te
policy_module(private_files, 1.0)
require {
type unconfined_t;
type setroubleshootd_t;
}
type private_files_t;
fs_associate(private_files_t);
allow unconfined_t private_files_t:{ dir file } relabelto;
allow setroubleshootd_t private_files_t:{ dir file } getattr;
``` |
this is work fine in fedora-34,but not in gentoo;
in gentoo, when execute: `chcon -t private_files_t /private`,file context changed,but still can acess /privaet dir(like ls /private);
Quote: | code above may be slight difference in gentoo, but i tried many way, compile, semodule install correctly(seinfo -t | grep private_files_t, can saw it) ,but still can acess /private dir!! what i miss??? |
anyone can help, thanks
Last edited by coll2021 on Wed Jun 02, 2021 1:48 am; edited 1 time in total |
|
Back to top |
|
|
alamahant Advocate
Joined: 23 Mar 2019 Posts: 3926
|
Posted: Sat May 29, 2021 12:02 pm Post subject: |
|
|
Welcome to Gentoo
Plz try
Code: |
semanage fcontext -a -t private_files_t /private(/.*)?
restorecon -R /private
ls -lZ(d) /private
|
If the context is correct and still you dont get what you need then you mis defined your policy. _________________
|
|
Back to top |
|
|
coll2021 n00b
Joined: 29 May 2021 Posts: 7
|
Posted: Sat May 29, 2021 12:07 pm Post subject: |
|
|
alamahant wrote: | Welcome to Gentoo
Plz try
Code: |
semanage fcontext -a -t private_files_t /private(/.*)?
restorecon -R /private
ls -lZ /private
|
|
yes, i tried.
Code: | 1. `seinfo -t | grep private_files_t`, cant saw it
1.` semanage fcontext -a -t private_files_t "/private(/.*)?"`,Value error, type private_files_t is invalid, must be a file or device type
1. `ls -lZ -d /private` ,... root:object_r:private_files_t /private; |
Last edited by coll2021 on Sat May 29, 2021 12:09 pm; edited 2 times in total |
|
Back to top |
|
|
alamahant Advocate
Joined: 23 Mar 2019 Posts: 3926
|
Posted: Sat May 29, 2021 12:08 pm Post subject: |
|
|
Then wrong policy......
_________________
|
|
Back to top |
|
|
coll2021 n00b
Joined: 29 May 2021 Posts: 7
|
Posted: Sat May 29, 2021 12:11 pm Post subject: |
|
|
alamahant wrote: | Then wrong policy......
|
but,i compiled and installed successfully,and can saw private_files_type,what i miss ? |
|
Back to top |
|
|
alamahant Advocate
Joined: 23 Mar 2019 Posts: 3926
|
Posted: Sat May 29, 2021 12:21 pm Post subject: |
|
|
Maybe
Code: |
.
.
.
type private_files_t;
files_type(private_files_t);
.
.
|
_________________
|
|
Back to top |
|
|
coll2021 n00b
Joined: 29 May 2021 Posts: 7
|
Posted: Sat May 29, 2021 12:43 pm Post subject: |
|
|
alamahant wrote: | Maybe
Code: |
.
.
.
type private_files_t;
files_type(private_files_t);
.
.
|
|
tried, but not work. thanks
--------------------------------------------
may be type need associate with role in config file (whatever)? |
|
Back to top |
|
|
salam Apprentice
Joined: 29 Sep 2005 Posts: 226
|
Posted: Tue Jun 01, 2021 8:40 pm Post subject: |
|
|
Given the info:
1) .... in gentoo, when execute: `chcon -t private_files_t /private`,file context changed...
2) but still can acess /privaet dir(like ls /private)
3)
system info:
gentoo x86_64 recent version;
selinux strict permissive mode;
Isn't that thing the cause? |
|
Back to top |
|
|
coll2021 n00b
Joined: 29 May 2021 Posts: 7
|
Posted: Wed Jun 02, 2021 1:34 am Post subject: |
|
|
salam wrote: | Given the info:
1) .... in gentoo, when execute: `chcon -t private_files_t /private`,file context changed...
2) but still can acess /privaet dir(like ls /private)
3)
system info:
gentoo x86_64 recent version;
selinux strict permissive mode;
Isn't that thing the cause? |
yep, almost
1. should in enforcing mode;
2. not use `files_type` macro in the te file; |
|
Back to top |
|
|
|