File contexts again

Paul Howarth paul at city-fan.org
Wed May 31 16:00:12 UTC 2006 

Christopher Ashworth wrote:
> On Wed, 2006-05-31 at 16:07 +0100, Paul Howarth wrote:
>> Having trouble with default file contexts again.
>>
>> I have a policy module with the following .fc file:
>>
>> /home/pgsql                     -d 
>> gen_context(system_u:object_r:var_lib_t,s0)
>> /home/pgsql/data                -d 
>> gen_context(system_u:object_r:postgresql_db_t,s0)
>> /home/pgsql/data/.*             -d 
>> gen_context(system_u:object_r:postgresql_db_t,s0)
>> /home/pgsql/data/.*             -- 
>> gen_context(system_u:object_r:postgresql_db_t,s0)
>> /home/pgsql/pgstartup\.log      -- 
>> gen_context(system_u:object_r:postgresql_log_t,s0)
> 
>> The entries that are not regexes work OK, but as soon as I use a regex, 
>> the type I'm specifying gets overridden by user_home_t when I do a 
>> restorecon.
>>
>> For instance, if I have a file /home/pgsql/data/test.db, restorecon 
>> labels it user_home_t rather than postgresql_db_t.
>>
>> /home/pgsql is not the home directory of any user.
>>
>> Why is this happening?
> 
> When the file contexts are sorted, we need a way to split out some in a
> per-user way.  If a path has the prefix keyword HOME_DIR, HOME_ROOT, or
> ROLE, the context specification is split out into the homedir.template
> file.
> 
> Example:
> 
> HOME_DIR/.+    user_u:object_r:user_home_t:s0
> 
> (I briefly mentioned this split in a prior post, but I should have been
> more clear about it; sorry about that.)
> 
> This template file is used to produce file contexts for each selinux
> user.  These per-user file contexts are written to the file
> "file_contexts.homedirs", which lives in the same directory as
> "file_contexts".

Yes, I found that.

> When matching file contexts, the file_contexts.homedirs contexts are
> appended to the main file_contexts contexts, so they have priority.

Is there some reason why "semanage fcontext -l" does not include these?

> The contexts for user user_u include:
> 
> /home/[^/]*/.+     user_u:object_r:user_home_t:s0
> /home/[^/]*     -d   user_u:object_r:user_home_dir_t:s0
> 
> which is why your file is getting that context, even though you do not
> have an actual user with the home directory /home/pgsql.

I thought they'd only have priority by means of their position at the 
end of the list if all other sorting criteria were equal? So the fact 
that /home/pgsql/data(/.*)? for instance has a longer stem than 
/home/[^/]*/.+ should have given it precedence?

> You can prefix your file context path expression with a template keyword
> to place it in the file_context.homedirs file.

Wouldn't that result in all /home/*/data directories and everything 
underneath them being labelled postgresql_db_t, not just /home/pgsql/data?

Paul.

More information about the fedora-selinux-list mailing list