File contexts again

Christopher Ashworth cashworth at tresys.com
Wed May 31 16:44:31 UTC 2006


On Wed, 2006-05-31 at 17:00 +0100, Paul Howarth wrote:
> > When matching file contexts, the file_contexts.homedirs contexts are
> > appended to the main file_contexts contexts, so they have priority.
> 
> Is there some reason why "semanage fcontext -l" does not include these?

Hmmm...I don't know off the top of my head--it certainly doesn't sound
like desirable behavior.  Anyone who's been around longer than me know
if this is desired or a bug?  I'll look to see where the homedirs are
omitted during the listing by libsemanage.

> > The contexts for user user_u include:
> > 
> > /home/[^/]*/.+     user_u:object_r:user_home_t:s0
> > /home/[^/]*     -d   user_u:object_r:user_home_dir_t:s0
> > 
> > which is why your file is getting that context, even though you do not
> > have an actual user with the home directory /home/pgsql.
> 
> I thought they'd only have priority by means of their position at the 
> end of the list if all other sorting criteria were equal? So the fact 
> that /home/pgsql/data(/.*)? for instance has a longer stem than 
> /home/[^/]*/.+ should have given it precedence?

Once the sort is done during the original generation of the files, and
the files have been spit out, no additional sorting occurs.  So sticking
the homedirs contexts at the end of the list when looking for a match
means that every homedir context is checked for a match first, before
any other context is checked.

> > You can prefix your file context path expression with a template keyword
> > to place it in the file_context.homedirs file.
> 
> Wouldn't that result in all /home/*/data directories and everything 
> underneath them being labelled postgresql_db_t, not just /home/pgsql/data?

Yes, you are right.  Unfortunately, I don't think there is any way
around this at the moment.  Anything with the "/home/" prefix will get
caught by the per-user contexts, and so trying to label files below
"/home/" in a non-per-user way (for lack of a better term), won't work.
As I understand it, you'll have to move it to a different location.

Chris
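To make the lookup order Chris describes concrete, here is an added example that is not part of this thread: a small Python simulation of a file_contexts match over a constructed spec list, with the homedirs entries appended after the main file. The "walk the list backwards, first hit wins, no re-sorting at lookup time" behaviour is a deliberate simplification of the libselinux lookup and is an assumption of this example, as are the sample paths and contexts.

```python
import re

# Constructed sample: a main file_contexts carrying a custom postgresql entry,
# followed by the per-user entries from file_contexts.homedirs, which get
# appended to it. Format: regex, optional type flag (-d = directory only,
# -- = regular file only), context.
FILE_CONTEXTS = """
/var/lib/pgsql(/.*)?            system_u:object_r:postgresql_db_t:s0
/home/pgsql/data(/.*)?          system_u:object_r:postgresql_db_t:s0
"""
HOMEDIR_CONTEXTS = """
/home/[^/]*/.+                  user_u:object_r:user_home_t:s0
/home/[^/]*              -d     user_u:object_r:user_home_dir_t:s0
"""


def parse_specs(text):
    """Parse spec lines into (compiled regex, type flag or None, context)."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            regex, ftype, context = fields
        else:
            regex, context = fields
            ftype = None
        # The expression is anchored against the whole path.
        specs.append((re.compile("^" + regex + "$"), ftype, context))
    return specs


# Main file first, homedirs entries appended at the end.
SPECS = parse_specs(FILE_CONTEXTS) + parse_specs(HOMEDIR_CONTEXTS)


def lookup(path, is_dir, specs=SPECS):
    """Simplified match (assumption): entries are tried from the end of the
    list backwards and the first hit wins, so the appended homedirs entries
    are consulted before anything in the main file, regardless of stem length."""
    for regex, ftype, context in reversed(specs):
        if ftype == "-d" and not is_dir:
            continue
        if ftype == "--" and is_dir:
            continue
        if regex.match(path):
            return context
    return None
```

With the homedirs entries appended, `/home/pgsql/data/base` resolves to `user_home_t` even though the main file holds a longer, more specific stem; the same lookup over `parse_specs(FILE_CONTEXTS)` alone returns `postgresql_db_t`, and a path under `/var/lib/pgsql` is unaffected, which is the "move it somewhere else" outcome.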