Timothy Renner wrote:
First off, thanks for the answers about finding out the SELinux transactions... autrace was the way to go.... Now I have a more fundamental problem... In the file context labels, there are two rules that conflict:

    /sbin/.* all files system_u:object_r:bin_t:s0

and

    /sbin/mount.mymounter regular file system_u:object_r:myfile_exec_t:s0

I tried this on Fedora Rawhide and it worked. I also have your /sbin/* rule. Did you run "restorecon /sbin/mount.mymounter" after adding the rule?

The problem though is that the file gets labeled under the blanket /sbin/.* context, rather than the more specific one:

    > ls -lZ /sbin/mount.mymounter
    lrwxrwxrwx root root system_u:object_r:bin_t /sbin/mount.mymounter -> /myproject/sbin/mymounter
I don't know how this works for symbolic links. You might have to add a rule (and run restorecon) for /myproject/sbin/mymounter
Any thoughts on this? Can someone explain how the file context is derived from the rules? Is it as simple as whichever matches first? And does anyone know a way around this labeling problem, assuming I cannot remove the /sbin/.* rule, but can only add rules through a policy module.
Thanks again,
-Tim
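Added example, not part of the original thread: a simplified Python model of file-context lookup for the two rules quoted above, showing why a "regular file" rule never applies to a symbolic link and why the link target needs its own rule. The specificity ordering is an assumption modelled on how the SELinux userspace sorts file contexts, and the rule for /myproject/sbin/mymounter is hypothetical.

```python
import re
import stat

# Constructed rules mirroring the two entries quoted in the thread.
# (path regex, file-type filter or None for "all files", context)
BASE_RULES = [
    ("/sbin/.*", None, "system_u:object_r:bin_t:s0"),
    ("/sbin/mount.mymounter", stat.S_IFREG,
     "system_u:object_r:myfile_exec_t:s0"),
]

# Hypothetical extra rule for the symlink target, as the reply suggests.
TARGET_RULE = ("/myproject/sbin/mymounter", stat.S_IFREG,
               "system_u:object_r:myfile_exec_t:s0")


def specificity(rule):
    """Assumed ordering: literal paths beat regexes, then longer stem
    (text before the first metacharacter), then longer pattern, then
    rules that name a file type."""
    pattern, ftype, _ = rule
    meta = re.search(r"[.^$?*+|\[({]", pattern)
    stem_len = meta.start() if meta else len(pattern)
    return (meta is None, stem_len, len(pattern), ftype is not None)


def lookup(path, mode, rules):
    """Return the context of the most specific rule whose regex matches
    the whole path and whose file-type filter fits the object's type."""
    ftype = stat.S_IFMT(mode)
    candidates = [r for r in rules
                  if re.fullmatch(r[0], path) and r[1] in (None, ftype)]
    if not candidates:
        return None
    return max(candidates, key=specificity)[2]


if __name__ == "__main__":
    link = stat.S_IFLNK | 0o777   # what ls -lZ showed: lrwxrwxrwx
    regular = stat.S_IFREG | 0o755
    # Symlink: the "regular file" rule is filtered out, bin_t remains.
    print(lookup("/sbin/mount.mymounter", link, BASE_RULES))
    # A regular file at the same path would get the specific rule.
    print(lookup("/sbin/mount.mymounter", regular, BASE_RULES))
    # The real binary is only labeled once a rule covers its own path.
    print(lookup("/myproject/sbin/mymounter", regular, BASE_RULES))
    print(lookup("/myproject/sbin/mymounter", regular,
                 BASE_RULES + [TARGET_RULE]))
```

On a real system, `matchpathcon /sbin/mount.mymounter` shows the context the loaded file contexts assign to the path, which can be compared with the `ls -lZ` output.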