
Re: File contexts again

Christopher Ashworth wrote:
> On Wed, 2006-05-31 at 17:00 +0100, Paul Howarth wrote:
>> When matching file contexts, the file_contexts.homedirs contexts are
>> appended to the main file_contexts contexts, so they have priority.
>> Is there some reason why "semanage fcontext -l" does not include these?
>
> Hmmm...I don't know off the top of my head--it certainly doesn't sound
> like desirable behavior.  Anyone who's been around longer than me know
> if this is desired or a bug?  I'll look to see where the homedirs are
> omitted during the listing by libsemanage.
>
> The contexts for user user_u include:
>
> /home/[^/]*/.+     user_u:object_r:user_home_t:s0
> /home/[^/]*     -d   user_u:object_r:user_home_dir_t:s0
>
> which is why your file is getting that context, even though you do not
> have an actual user with the home directory /home/pgsql.

I thought they'd only have priority by means of their position at the end of the list if all other sorting criteria were equal? So the fact that /home/pgsql/data(/.*)? for instance has a longer stem than /home/[^/]*/.+ should have given it precedence?

> Once the sort is done during the original generation of the files, and
> the files have been spit out, no additional sorting occurs.  So sticking
> the homedirs contexts at the end of the list when looking for a match
> means that every homedir context is checked for a match first, before
> any other context is checked.

Hmm, that doesn't explain why file contexts that aren't regexes do actually work. So if I have:

/home/pgsql/pgstartup\.log -- gen_context(system_u:object_r:postgresql_log_t,s0)

this actually works as expected, even though the /home/[^/]*/.+ homedir context also matches.

> You can prefix your file context path expression with a template keyword
> to place it in the file_context.homedirs file.

Wouldn't that result in all /home/*/data directories and everything underneath them being labelled postgresql_db_t, not just /home/pgsql/data?

> Yes, you are right.  Unfortunately, I don't think there is any way
> around this at the moment.  Anything with the "/home/" prefix will get
> caught by the per-user contexts, and so trying to label files below
> "/home/" in a non-per-user way (for lack of a better term), won't work.
> As I understand it, you'll have to move it to a different location.

Actually this isn't my problem - I'm trying to help someone else. If it was me I'd just bind mount /home/pgsql on /var/lib/pgsql and there wouldn't be an issue...
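As an added illustration, not part of the thread, of the lookup order Christopher describes (homedirs appended after the already-sorted main list, no re-sorting at match time, last entry tried first) and of the side effect of the template keyword that Paul raises: a small Python model of matchpathcon-style matching. The spec entries, their order and the helper names are constructed for this example; the sorting of the main file_contexts is assumed to have already happened and is not modelled.

```python
import re

# Constructed for this example: an already-sorted main file_contexts
# (most general first, so a backwards scan reaches the specific entry
# before "/.*"), then the file_contexts.homedirs entries, which are
# appended after the sort has been done.
MAIN_FILE_CONTEXTS = [
    (r"/.*",                    None, "system_u:object_r:default_t:s0"),
    (r"/home",                  "-d", "system_u:object_r:home_root_t:s0"),
    (r"/home/pgsql/data(/.*)?", None, "system_u:object_r:postgresql_db_t:s0"),
]
HOMEDIRS_CONTEXTS = [
    (r"/home/[^/]*/.+", None, "user_u:object_r:user_home_t:s0"),
    (r"/home/[^/]*",    "-d", "user_u:object_r:user_home_dir_t:s0"),
]
# The per-user form the template keyword would put into homedirs
# (placed last here; the position is a constructed assumption).
TEMPLATED_PGSQL = (r"/home/[^/]*/data(/.*)?", None,
                   "system_u:object_r:postgresql_db_t:s0")


def match_context(specs, path, is_dir=False):
    """Scan from the end of the list backwards; the first hit wins.
    Nothing is re-sorted at lookup time, so whatever was appended last
    is tried first. Regexes are anchored, as matchpathcon anchors them."""
    for regex, ftype, context in reversed(specs):
        if ftype == "-d" and not is_dir:      # directory-only entry
            continue
        if ftype == "--" and is_dir:          # regular-file-only entry
            continue
        if re.fullmatch(regex, path):
            return context
    return None


def label_main_only(path, is_dir=False):
    """Lookup ignoring homedirs: the longer-stem pgsql rule would win."""
    return match_context(MAIN_FILE_CONTEXTS, path, is_dir)


def label_as_shipped(path, is_dir=False):
    """Lookup as generated: the appended homedirs shadow the pgsql rule."""
    return match_context(MAIN_FILE_CONTEXTS + HOMEDIRS_CONTEXTS, path, is_dir)


def label_with_template(path, is_dir=False):
    """Rule moved into homedirs via the template keyword: it now wins,
    but for every user's /home/*/data, not just /home/pgsql/data."""
    main = [s for s in MAIN_FILE_CONTEXTS if s is not MAIN_FILE_CONTEXTS[2]]
    return match_context(main + HOMEDIRS_CONTEXTS + [TEMPLATED_PGSQL], path, is_dir)
```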
