10 things you probably did not know about SELinux.. #6
#6 How did those SELinux labels get there?

SELinux labels are placed on disk during installation by a combination of Anaconda and rpm. Anaconda ships the current /etc/selinux/targeted/contexts/files/file_contexts and /etc/selinux/targeted/policy/policy.26 in its initrd. When Anaconda starts rpm, rpm reads the file_contexts specification and labels every object it unpacks from a package payload: rpm has SELinux awareness built in, and asks the kernel to place the default label on each object at creation time. If a package's post-install script runs during the install, the files it creates are labelled by the ordinary process labelling rules described below. Any file system objects Anaconda itself created before the policy was loaded into the kernel are relabelled afterwards by Anaconda using restorecon.

Any file system objects created by the post-install scripts, during boot, or by any process from then on get their label through one of the following three mechanisms:
  • By default, the object gets the label of the parent directory.
    • Files and directories created in /etc, which is labelled etc_t, are labelled etc_t.
  • File transition rules can be written into policy. A file transition rule takes into account the label of the process creating the object as well as the label of the parent directory. For example, I can write a rule that says that if a NetworkManager_t process creates a file in a directory labelled etc_t, the file is labelled net_conf_t:
    • filetrans_pattern(NetworkManager_t, etc_t, net_conf_t, file)
    • When NetworkManager creates /etc/resolv.conf, the file is labelled net_conf_t rather than etc_t.
    • Since policy can hold only one rule per ProcessLabel/DirectoryLabel/ObjectClass combination, you cannot currently write rules that give files created by one process two different labels within the same directory.
  • The last way is to build SELinux awareness into the application.
    • Applications can be programmed to ask the kernel to create a file system object with a particular label.
      • rpm, udev and passwd are examples of applications that request a label from the kernel at creation time.
    • Applications can also change an existing object's label from one label to another.
      • restorecon, udev, restorecond and chcon are examples of applications that modify labels.
In Fedora 16 we are introducing a new concept which we are calling File Name Transitions. These allow policy writers to take into account the actual file name (not the full path) at file creation time, giving us the ability to clear up some common bugs users have seen with SELinux.

Read about it here and if you are running Fedora 16/Rawhide try it out...
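To make the decision order concrete, here is a small model of how a new object's type is chosen, written for this post as an added example; it is not kernel or libselinux code, and the rules it loads (the NetworkManager_t/etc_t/net_conf_t rule from the list above and a hypothetical prog_t/var_run_t/prog_varrun_t name rule for "prog.pid") are only there to mirror the cases discussed. It reproduces the three mechanisms above plus the Fedora 16 file name transition: an explicit request from an SELinux-aware application wins, then an exact-name transition, then a plain type transition, and otherwise the object inherits the parent directory's type. Real permission checks are left out.

```python
"""Illustrative model of SELinux label selection at file creation.

Added example for this post, not the kernel's or libselinux's own code.
All policy rules below are hypothetical and mirror the post's examples.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

TypeKey = Tuple[str, str, str]        # (process type, parent dir type, object class)
NameKey = Tuple[str, str, str, str]   # (process type, parent dir type, object class, file name)


@dataclass
class Policy:
    """Stand-in for the loaded policy: only the two transition tables matter here."""
    type_transitions: Dict[TypeKey, str] = field(default_factory=dict)
    name_transitions: Dict[NameKey, str] = field(default_factory=dict)

    def filetrans_pattern(self, proc: str, parent: str, new: str, cls: str,
                          name: Optional[str] = None) -> None:
        """Model of the policy macro filetrans_pattern(proc, parent, new, class[, "name"]).

        Without a name this is a plain type_transition. Policy can hold only one
        target type per (proc, parent, class), so a conflicting second rule is
        rejected here, as the policy compiler would reject it. With a name the
        key also includes the exact file name, so several names in the same
        directory can map to different types.
        """
        if name is None:
            key = (proc, parent, cls)
            if self.type_transitions.get(key, new) != new:
                raise ValueError(f"type_transition already defined for {key}")
            self.type_transitions[key] = new
        else:
            nkey = (proc, parent, cls, name)
            if self.name_transitions.get(nkey, new) != new:
                raise ValueError(f"name transition already defined for {nkey}")
            self.name_transitions[nkey] = new


def label_for_new_object(policy: Policy, proc: str, parent: str, cls: str,
                         name: str, fscreate: Optional[str] = None) -> str:
    """Return the type a newly created object gets, in the order the kernel applies it.

    1. An SELinux-aware application may have asked for a type up front
       (setfscreatecon(3) in libselinux); that request is used as-is.
    2. A file name transition for this exact name (strcmp match, no glob).
    3. A type_transition keyed on (proc, parent, cls).
    4. Otherwise the object inherits the parent directory's type.
    """
    if fscreate is not None:
        return fscreate
    named = policy.name_transitions.get((proc, parent, cls, name))
    if named is not None:
        return named
    return policy.type_transitions.get((proc, parent, cls), parent)


def example_policy() -> Policy:
    """Hypothetical rules mirroring the post's NetworkManager and prog.pid cases."""
    pol = Policy()
    pol.filetrans_pattern("NetworkManager_t", "etc_t", "net_conf_t", "file")
    pol.filetrans_pattern("prog_t", "var_run_t", "prog_varrun_t", "file", "prog.pid")
    return pol


if __name__ == "__main__":
    pol = example_policy()
    # resolv.conf written by NetworkManager: plain type transition applies
    print(label_for_new_object(pol, "NetworkManager_t", "etc_t", "file", "resolv.conf"))  # net_conf_t
    # another process in /etc: inherits the directory type
    print(label_for_new_object(pol, "init_t", "etc_t", "file", "hostname"))               # etc_t
    # exact name match wins; a near-miss name falls back to the directory type
    print(label_for_new_object(pol, "prog_t", "var_run_t", "file", "prog.pid"))           # prog_varrun_t
    print(label_for_new_object(pol, "prog_t", "var_run_t", "file", "prog.pid.tmp"))       # var_run_t
```

The near-miss case ("prog.pid.tmp" and, equally, "prog.PID") is the point of the strcmp caveat: a name transition fires only on a byte-exact name, so a daemon that writes its pid file through a temporary name and renames it still needs a rule for the temporary name, or a plain type transition for the whole directory.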


  • 1
Nice. Is it limited to whole filenames, or can I set a label based on glob patterns or regexps? At first glance, it would appear to be a win to be able to say "foo*", rather than having to explicitly enumerate foo0, foo1, foo2 etc.

In the Fedora Feature Description I have

Note 2: The kernel team wants me to point out that this is an exact strcmp match. No regex, no glob, and no hope of that ever changing.

write specific file in /var/run


Thanks for the tip.
I was wondering if it is the only way to tag files properly in /var/run.

I'll explain my case:
I have a program running as prog_t.
I have defined a tag prog_varrun_t.
I wrote the fc rule: /var/run/prog.pid gen_context(system_u:object_r:prog_varrun_t,s0)

If I do a restorecon -R /var/run, my "prog.pid" gets the correct label.

But when my program runs, it deletes the pid file and recreates it using the directory's default tag, i.e. "var_run_t" and not "prog_varrun_t".

So by using your tip I create a:
filetrans_pattern(prog_t, var_run_t, prog_varrun_t, file, "prog.pid")
It works!

But is it the proper way?
