Re: File contexts again

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Christopher Ashworth wrote:

On Wed, 2006-05-31 at 16:07 +0100, Paul Howarth wrote:

Having trouble with default file contexts again.

I have a policy module with the following .fc file:
/home/pgsql -d gen_context(system_u:object_r:var_lib_t,s0) /home/pgsql/data -d gen_context(system_u:object_r:postgresql_db_t,s0) /home/pgsql/data/.* -d gen_context(system_u:object_r:postgresql_db_t,s0) /home/pgsql/data/.* -- gen_context(system_u:object_r:postgresql_db_t,s0) /home/pgsql/pgstartup\.log -- gen_context(system_u:object_r:postgresql_log_t,s0)
The entries that are not regexes work OK, but as soon as I use a regex, the type I'm specifying gets overridden by user_home_t when I do a restorecon.
For instance, if I have a file /home/pgsql/data/test.db, restorecon labels it user_home_t rather than postgresql_db_t. 

/home/pgsql is not the home directory of any user.

Why is this happening?


When the file contexts are sorted, we need a way to split out some in a
per-user way.  If a path has the prefix keyword HOME_DIR, HOME_ROOT, or
ROLE, the context specification is split out into the homedir.template
file.

Example:

HOME_DIR/.+    user_u:object_r:user_home_t:s0

(I briefly mentioned this split in a prior post, but I should have been
more clear about it; sorry about that.)

This template file is used to produce file contexts for each selinux
user.  These per-user file contexts are written to the file
"file_contexts.homedirs", which lives in the same directory as
"file_contexts".


Yes, I found that.


When matching file contexts, the file_contexts.homedirs contexts are
appended to the main file_contexts contexts, so they have priority.


Is there some reason why "semanage fcontext -l" does not include these?


The contexts for user user_u include:

/home/[^/]*/.+     user_u:object_r:user_home_t:s0
/home/[^/]*     -d   user_u:object_r:user_home_dir_t:s0

which is why your file is getting that context, even though you do not
have an actual user with the home directory /home/pgsql.
I thought they'd only have priority by means of their position at the end of the list if all other sorting criteria were equal? So the fact that /home/pgsql/data(/.*)? for instance has a longer stem than /home/[^/]*/.+ should have given it precedence? 


You can prefix your file context path expression with a template keyword
to place it in the file_context.homedirs file.
Wouldn't that result in all /home/*/data directories and everything underneath them being labelled postgresql_db_t, not just /home/pgsql/data? 

Paul.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux