Re: File contexts and how are files labeled?

[Stephen Smalley <sds tycho nsa gov>]

On Mon, 2008-10-27 at 14:34 -0700, Timothy Renner wrote:
> First off, thanks for the answers about finding out the SELinux 
> transactions...  autrace was the way to go....    Now I have a more 
> fundamental problem...  In the file context labels, there are two rules 
> that conflict:
> 
> /sbin/.*       all files   system_u:object_r:bin_t:s0
> 
>        and
> 
> /sbin/mount.mymounter   regular file   system_u:object_r:myfile_exec_t:s0
> 
> The problem though is that the file gets labeled under the blanket 
> /sbin/.* context, rather than the more specific one:
> 
>  > ls -lZ /sbin/mount.mymounter
> lrwxrwxrwx  root root system_u:object_r:bin_t          
> /sbin/mount.mymounter -> /myproject/sbin/mymounter
> 
> Any thoughts on this?  Can someone explain how the file context is 
> derived from the rules?  Is it as simple as whichever matches first?  
> And does anyone know a way around this labeling problem, assuming I 
> cannot remove the /sbin/.* rule, but can only add rules through a policy 
> module.

You don't want that context on the symlink but on the file it
references.  So specify the path of the referenced file, not the
symlink, in your module's .fc file.

-- 
Stephen Smalley
National Security Agency