[Seedit-devel] create domain

himainu-ynakam at miomio.jp himainu-ynakam at miomio.jp
Fri May 16 05:25:41 BST 2008 

in message "Re: [Seedit-devel] create domain",
run zhang <zhang4run at yahoo.com> wrote:
> Thanks for the hints. 
> I really like the simplified features of seedit. 
> However, one pity thing is that, seedit totally remove labels of files/fs. 
> It seems it automatically generated file labels by pathnames. 
> Do you think is it possible to hack it to specify the labels of the files? 
> I need very limited functions such as, in embedded devices, I just want a few labels for different dirs. 
> Right now with seedit, i only can define domains and specify their accessable files/dirs, but cannot specify file/fs lables. 
> If I directly edit on the policy_root/context/files/file_contexts 
> (ie., to directly change file labels and  then setfiles to re-lable),  it is not syncronized with the policy rules. 
> Please give hints. 
SEEdit generates labeles automatically based on path-names.
In fact, 
SEEdit in svn tree has feature of label based configuration.

You can use it like following.
in common-relaxed.sp, declare type.

type foo_label_t;

and you can use this label in allow statements, like this.

type foo_t;
allow foo_label_t r,w;
But, you have to assign label to files by chcon command, 
or manually write file_contexts and restorecon.


And what kind of devices are you using?
I am interested in what kind of devices selinux are used.


> 
> Thanks!
> 
> 
> ----- Original Message ----
> From: Yuichi Nakamura <himainu-ynakam at miomio.jp>
> To: run zhang <zhang4run at yahoo.com>
> Cc: himainu-ynakam at miomio.jp; seedit-devel at opendawn.com
> Sent: Thursday, May 15, 2008 7:14:45 AM
> Subject: Re: [Seedit-devel] create domain
> 
> Hi.
> 
> On Wed, 14 May 2008 17:16:05 -0700 (PDT)
> run zhang wrote:
> > Hi Yuichi, 
> > I tried, all domains started when booting are still in kernel_t, while comman-line started domains are in right domain names. (as before, with program-based domain transitions)
> > I don't know if this is due to the nfs rootfs right now, ie., all files are lablled with nfs_t at booting, and I put a setfile /etc/selinux/seedit/contexts/files/file_contexts script to label in rc.d, after init. 
> > I will flash to the embededd device to try. Thanks. 
> 
> NFS rootfile system does not work well with SELinux.
> Because all files are labeled as nfs_t as you say.
> But it is inconvenient..
> 
> Some development is going to assign label to nfs, but I do not know progress.
> I will discuss NFS root filesystem with SELinux at Ottawa this July.
> 
> If anyone come up with good idea about NFS, please tell me.
> 
> --
> Yuichi Nakamura

More information about the Seedit-devel mailing list