[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: File contexts again



On Wed, 2006-05-31 at 16:07 +0100, Paul Howarth wrote:
> Having trouble with default file contexts again.
> 
> I have a policy module with the following .fc file:
> 
> /home/pgsql                     -d 
> gen_context(system_u:object_r:var_lib_t,s0)
> /home/pgsql/data                -d 
> gen_context(system_u:object_r:postgresql_db_t,s0)
> /home/pgsql/data/.*             -d 
> gen_context(system_u:object_r:postgresql_db_t,s0)
> /home/pgsql/data/.*             -- 
> gen_context(system_u:object_r:postgresql_db_t,s0)
> /home/pgsql/pgstartup\.log      -- 
> gen_context(system_u:object_r:postgresql_log_t,s0)

> The entries that are not regexes work OK, but as soon as I use a regex, 
> the type I'm specifying gets overridden by user_home_t when I do a 
> restorecon.
> 
> For instance, if I have a file /home/pgsql/data/test.db, restorecon 
> labels it user_home_t rather than postgresql_db_t.
> 
> /home/pgsql is not the home directory of any user.
> 
> Why is this happening?

When the file contexts are sorted, we need a way to split out some in a
per-user way.  If a path has the prefix keyword HOME_DIR, HOME_ROOT, or
ROLE, the context specification is split out into the homedir.template
file.

Example:

HOME_DIR/.+    user_u:object_r:user_home_t:s0

(I briefly mentioned this split in a prior post, but I should have been
more clear about it; sorry about that.)

This template file is used to produce file contexts for each selinux
user.  These per-user file contexts are written to the file
"file_contexts.homedirs", which lives in the same directory as
"file_contexts".

When matching file contexts, the file_contexts.homedirs contexts are
appended to the main file_contexts contexts, so they have priority.

The contexts for user user_u include:

/home/[^/]*/.+     user_u:object_r:user_home_t:s0
/home/[^/]*     -d   user_u:object_r:user_home_dir_t:s0

which is why your file is getting that context, even though you do not
have an actual user with the home directory /home/pgsql.

You can prefix your file context path expression with a template keyword
to place it in the file_context.homedirs file.

Chris


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]