Description of problem:
In this example it's possible to label a file via restorecon, which is usable. Look, there is no files_type(test_prog_exec_t) call in the *.te file!

Version-Release number of selected component (if applicable):
I don't know.

How reproducible && Steps to Reproduce:

te file:

policy_module(test_prog, 0.0.1)

require {
	type devpts_t;
	type unconfined_devpts_t;
	type test_prog_exec_t;
	type usr_t;
	type proc_t;
	type admin_home_t;
	type test_prog_t;
	type unconfined_t;
}

type test_prog_t;
type test_prog_exec_t;
role unconfined_r types test_prog_t;

domain_type(test_prog_t)
domain_entry_file(unconfined_t, test_prog_exec_t)
domain_auto_trans(unconfined_t, test_prog_exec_t, test_prog_t)

# generated by audit2allow
# necessary to allow everything for test.sh
#============= test_prog_t ==============
allow test_prog_t admin_home_t:dir getattr;
allow test_prog_t devpts_t:dir search;
allow test_prog_t proc_t:file read;
allow test_prog_t test_prog_exec_t:file read;
allow test_prog_t unconfined_devpts_t:chr_file ioctl;
allow test_prog_t usr_t:dir search;

fc file:

/root/test_prog/test.sh -- gen_context(unconfined_u:object_r:test_prog_exec_t, s0)

Here the script:

[root@SecLab test_prog]# cat test.sh
#!/bin/sh
echo "foo"
#EOF

Actual results:

... compiling && loading module ...
[root@SecLab test_prog]# id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@SecLab test_prog]# ls -Z test.sh
-rwx------ root root unconfined_u:object_r:admin_home_t:s0 test.sh
[root@SecLab test_prog]# semodule -l | grep test
test_prog 0.0.1
[root@SecLab test_prog]# restorecon /root/test_prog/test.sh
[root@SecLab test_prog]# semodule -l | grep test
test_prog 0.0.1
[root@SecLab test_prog]# ls -Z test.sh
-rwx------ root root unconfined_u:object_r:test_prog_exec_t:s0 test.sh
[root@SecLab test_prog]#

Expected results:
Something like this (produced on the same machine, but with another policy module):

audit.log:

type=AVC msg=audit(1236879143.296:193): avc: denied { relabelto } for pid=26871 comm="restorecon" name="writable2" dev=sda1 ino=209596 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:my_type_t:s0 tclass=dir
type=SYSCALL msg=audit(1236879143.296:193): arch=40000003 syscall=227 success=no exit=-13 a0=bf9c8cc0 a1=14777d a2=b8b20aa0 a3=1f items=0 ppid=20022 pid=26871 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=10 comm="restorecon" exe="/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)

For completeness, code of the te file:

policy_module(fake_httpd, 0.1.1)

require {
	type httpd_t;
	type httpd_exec_t;
	type unconfined_t;
	type admin_home_t;
	# type sleep_exec_t;
}

type my_type_t;
role unconfined_r types httpd_t;

#domain_type(httpd_t)
#files_type(my_type_t);
domain_entry_file(httpd_t, httpd_exec_t)
domain_auto_trans(unconfined_t, httpd_exec_t, httpd_t)

allow httpd_t admin_home_t:dir { getattr search };
#allow httpd_t sleep_exec_t:file { read getattr };

fc file:

/root/fake_httpd.sh -- gen_context(system_u:object_r:httpd_exec_t, s0)
/var/www/writable2 -d gen_context(system_u:object_r:my_type_t, s0)

The above module is a testing example. The module has no further purpose, so don't wonder when it seems confusing.

Good night
Sebastian
Sorry, change this:

"in this example it's possible to label a file via restorecon, which is usable."

to this:

"in this example it's possible to label a file via restorecon, which is _still_not_ usable."

Night, seba
Sorry for wasting time. This is NOT a bug. files_type is implicitly called in corecommands.if:

interface(`corecmd_executable_file',`
	gen_require(`
		attribute exec_type;
	')

	typeattribute $1 exec_type;
	files_type($1)
')

which in turn will be called through domain_entry_file(...). Sorry for this stupid entry. Thanks to dgrift for pointing this out.

Bye
seba
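Added example (not part of the report, and not refpolicy code): a small Python checker that applies the reasoning in the last comment to a module's .te source, reporting which of the module's own types end up with the file_type attribute and through which interface. The interface mapping (domain_entry_file -> corecmd_executable_file -> files_type) is an assumption taken from the corecommands.if excerpt above; the two embedded modules are trimmed copies of the ones in the report.

```python
import re

# Interfaces that end up calling files_type() on one of their arguments.
# Assumption from the corecommands.if excerpt quoted in the report:
# domain_entry_file(dom, entry) -> corecmd_executable_file(entry) -> files_type(entry).
# Value = index of the argument that receives the file_type attribute.
FILE_TYPE_INTERFACES = {
    "files_type": 0,
    "corecmd_executable_file": 0,
    "domain_entry_file": 1,
}

CALL_RE = re.compile(r"^\s*([A-Za-z_]\w*)\s*\(([^)]*)\)", re.M)
TYPE_RE = re.compile(r"^\s*type\s+([A-Za-z_]\w*)\s*;", re.M)


def file_type_status(te_source):
    """Map each type declared by the module to the interface that gives it
    file_type, or None if nothing in the module does (restorecon is then
    denied relabelto for that type, as in the fake_httpd AVC above)."""
    body = "\n".join(line.split("#", 1)[0] for line in te_source.splitlines())
    body = re.sub(r"require\s*\{[^}]*\}", "", body)  # required types are not ours
    status = {name: None for name in TYPE_RE.findall(body)}
    for name, args in CALL_RE.findall(body):
        idx = FILE_TYPE_INTERFACES.get(name)
        if idx is None:
            continue
        argv = [a.strip() for a in args.split(",")]
        if idx < len(argv) and argv[idx] in status:
            status[argv[idx]] = name
    return status


# Constructed inputs: the two modules from the report, trimmed to the relevant lines.
TEST_PROG_TE = """\
policy_module(test_prog, 0.0.1)
require { type unconfined_t; type test_prog_exec_t; type test_prog_t; }
type test_prog_t;
type test_prog_exec_t;
domain_type(test_prog_t)
domain_entry_file(unconfined_t, test_prog_exec_t)
"""
FAKE_HTTPD_TE = """\
policy_module(fake_httpd, 0.1.1)
require{ type httpd_t; type httpd_exec_t; type unconfined_t; }
type my_type_t;
#files_type(my_type_t);
domain_entry_file(httpd_t, httpd_exec_t)
"""

if __name__ == "__main__":
    print(file_type_status(TEST_PROG_TE), file_type_status(FAKE_HTTPD_TE))
```

On a live system the authoritative check is the loaded policy itself, e.g. `seinfo -a file_type -x` from setools, which lists every type carrying the attribute.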