File contexts and how are files labeled?
Stephen Smalley
sds at tycho.nsa.gov
Tue Oct 28 12:10:11 UTC 2008
On Mon, 2008-10-27 at 14:34 -0700, Timothy Renner wrote:
> First off, thanks for the answers about finding out the SELinux
> transactions... autrace was the way to go.... Now I have a more
> fundamental problem... In the file context labels, there are two rules
> that conflict:
>
> /sbin/.* all files system_u:object_r:bin_t:s0
>
> and
>
> /sbin/mount.mymounter regular file system_u:object_r:myfile_exec_t:s0
>
> The problem though is that the file gets labeled under the blanket
> /sbin/.* context, rather than the more specific one:
>
> > ls -lZ /sbin/mount.mymounter
> lrwxrwxrwx root root system_u:object_r:bin_t
> /sbin/mount.mymounter -> /myproject/sbin/mymounter
>
> Any thoughts on this? Can someone explain how the file context is
> derived from the rules? Is it as simple as whichever matches first?
> And does anyone know a way around this labeling problem, assuming I
> cannot remove the /sbin/.* rule, but can only add rules through a policy
> module?
You don't want that context on the symlink but on the file it
references. So specify the path of the referenced file, not the
symlink, in your module's .fc file.
--
Stephen Smalley
National Security Agency
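The matching behaviour behind this exchange, as an added example that is not part of the original thread or of the SELinux userspace: a small Python model of how file_contexts rules are applied. It assumes the libselinux semantics that each regex is anchored to the whole path, that a rule carrying a file-type flag (`--` regular file, `-l` symlink, `-d` directory) only matches inodes of that type, and that among matching rules the most specific one wins (longer literal stem, then fewer metacharacters). The file_contexts fragment and the `/myproject/sbin/mymounter` fix rule are constructed from the rules quoted in the thread.

```python
import os
import re
import stat
from dataclasses import dataclass
from typing import List, Optional

# Constructed file_contexts fragment built from the rules quoted in the thread;
# it is not the real Fedora policy. The optional middle column is the .fc
# file-type flag: absent = all files, "--" regular file, "-l" symbolic link.
FILE_CONTEXTS = """\
/.*                      system_u:object_r:default_t:s0
/sbin/.*                 system_u:object_r:bin_t:s0
/sbin/mount\\.mymounter  --  system_u:object_r:myfile_exec_t:s0
"""

# The rule the reply suggests for the module's .fc file: label the symlink's
# target (the path shown by ls -lZ), not the symlink itself.
FIX_RULE = "/myproject/sbin/mymounter  --  system_u:object_r:myfile_exec_t:s0"

TYPE_FLAGS = {
    "--": "regular file", "-l": "symbolic link", "-d": "directory",
    "-b": "block device", "-c": "character device", "-p": "named pipe",
    "-s": "socket",
}
METACHARS = set(".^$*+?|[](){}")


@dataclass
class Rule:
    regex: str
    ftype: Optional[str]   # None means the rule applies to every file type
    context: str

    def specificity(self):
        """Rank used to pick the winner among matching rules: longer literal
        stem, then fewer regex metacharacters, then longer pattern.
        Backslash-escaped characters count as literals, not metacharacters."""
        literal, metas, i = [], 0, 0
        while i < len(self.regex):
            c = self.regex[i]
            if c == "\\" and i + 1 < len(self.regex):
                if metas == 0:
                    literal.append(self.regex[i + 1])
                i += 2
                continue
            if c in METACHARS:
                metas += 1
            elif metas == 0:
                literal.append(c)
            i += 1
        prefix = "".join(literal)
        # The stem is the literal prefix cut back to its last '/'.
        stem = prefix[: prefix.rfind("/")] if "/" in prefix else ""
        return (len(stem), -metas, len(self.regex))


def parse_file_contexts(text: str) -> List[Rule]:
    """Parse 'regex [typeflag] context' lines; '#' lines and blanks are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            regex, flag, context = fields
            ftype = TYPE_FLAGS[flag]
        elif len(fields) == 2:
            (regex, context), ftype = fields, None
        else:
            raise ValueError(f"malformed file_contexts line: {line!r}")
        rules.append(Rule(regex, ftype, context))
    return rules


def lookup(rules: List[Rule], path: str, ftype: str) -> Optional[str]:
    """Context that file_contexts assigns to `path` given its inode type, or
    None when nothing matches. Type-flagged rules are skipped for other types,
    so a '--' rule never labels a symlink even when its regex matches."""
    matches = [r for r in rules
               if (r.ftype is None or r.ftype == ftype)
               and re.fullmatch(r.regex, path)]
    if not matches:
        return None
    return max(matches, key=Rule.specificity).context


def ftype_of(path: str) -> str:
    """Inode type of a real path, via lstat so symlinks are not followed."""
    mode = os.lstat(path).st_mode
    for test, name in ((stat.S_ISLNK, "symbolic link"), (stat.S_ISDIR, "directory"),
                       (stat.S_ISREG, "regular file"), (stat.S_ISBLK, "block device"),
                       (stat.S_ISCHR, "character device"), (stat.S_ISFIFO, "named pipe"),
                       (stat.S_ISSOCK, "socket")):
        if test(mode):
            return name
    raise ValueError(f"unknown inode type for {path}")


if __name__ == "__main__":
    rules = parse_file_contexts(FILE_CONTEXTS)
    link, target = "/sbin/mount.mymounter", "/myproject/sbin/mymounter"
    # The '--' rule is skipped for the symlink, so /sbin/.* (bin_t) wins.
    print(link, "as symlink ->", lookup(rules, link, "symbolic link"))
    # Without a rule for the target path, only /.* matches it.
    print(target, "->", lookup(rules, target, "regular file"))
    # With the target-path rule from the reply, the regular file gets myfile_exec_t.
    fixed = rules + parse_file_contexts(FIX_RULE)
    print(target, "with fix ->", lookup(fixed, target, "regular file"))
```

On a real system the same check is `matchpathcon /myproject/sbin/mymounter` against the installed file_contexts, and `restorecon -v` on the target applies the result; the symlink keeps whatever `/sbin/.*` gives it, which is harmless because the executable's own label is what the domain transition is keyed on.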