On Wed, 2006-05-31 at 17:00 +0100, Paul Howarth wrote:
> > When matching file contexts, the file_contexts.homedirs contexts are
> > appended to the main file_contexts contexts, so they have priority.
>
> Is there some reason why "semanage fcontext -l" does not include these?

Hmmm...I don't know off the top of my head--it certainly doesn't sound
like desirable behavior. Anyone who's been around longer than me know if
this is desired or a bug? I'll look to see where the homedirs are omitted
during the listing by libsemanage.

> > The contexts for user user_u include:
> >
> > /home/[^/]*/.+ user_u:object_r:user_home_t:s0
> > /home/[^/]* -d user_u:object_r:user_home_dir_t:s0
> >
> > which is why your file is getting that context, even though you do not
> > have an actual user with the home directory /home/pgsql.
>
> I thought they'd only have priority by means of their position at the
> end of the list if all other sorting criteria were equal? So the fact
> that /home/pgsql/data(/.*)? for instance has a longer stem than
> /home/[^/]*/.+ should have given it precedence?

Once the sort is done during the original generation of the files, and
the files have been spit out, no additional sorting occurs. So sticking
the homedirs contexts at the end of the list when looking for a match
means that every homedir context is checked for a match first, before
any other context is checked.

> > You can prefix your file context path expression with a template keyword
> > to place it in the file_context.homedirs file.
>
> Wouldn't that result in all /home/*/data directories and everything
> underneath them being labelled postgresql_db_t, not just /home/pgsql/data?

Yes, you are right. Unfortunately, I don't think there is any way around
this at the moment. Anything with the "/home/" prefix will get caught by
the per-user contexts, and so trying to label files below "/home/" in a
non-per-user way (for lack of a better term), won't work.

As I understand it, you'll have to move it to a different location.

Chris

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
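The following is an added illustration, not code from this thread and not libselinux or libsemanage code: a small Python model of the lookup order Chris describes above, in which file_contexts.homedirs entries are appended to the end of the file_contexts list and the list is walked from the end with no re-sorting, so a homedirs entry beats a file_contexts entry with a longer stem. The spec lines, the paths and the `-d`/`--` file-type handling are constructed for the example; `lookup()` and `candidates()` are hypothetical helper names, and `candidates()` is the check a practitioner wants when `semanage fcontext -l` does not show the winning entry.

```python
import re
from typing import List, NamedTuple, Optional, Tuple


class Spec(NamedTuple):
    regex: re.Pattern       # compiled, anchored path regex
    ftype: Optional[str]    # None = any type, "-d" = directory only, "--" = regular file only
    context: str            # security context for matching paths
    source: str             # which contexts file the entry came from


def parse_specs(text: str, source: str) -> List[Spec]:
    """Parse file_contexts-style lines: REGEX [TYPE] CONTEXT (blank lines and # comments skipped)."""
    specs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) == 3:
            regex, ftype, context = fields
        elif len(fields) == 2:
            (regex, context), ftype = fields, None
        else:
            raise ValueError(f"malformed spec line in {source}: {line!r}")
        specs.append(Spec(re.compile("^" + regex + "$"), ftype, context, source))
    return specs


def load_all(file_contexts: str, homedirs: str) -> List[Spec]:
    """Model the load order described in the thread: file_contexts first,
    then file_contexts.homedirs appended to the end of the same list."""
    return (parse_specs(file_contexts, "file_contexts")
            + parse_specs(homedirs, "file_contexts.homedirs"))


def _applies(spec: Spec, is_dir: bool) -> bool:
    if spec.ftype == "-d":
        return is_dir
    if spec.ftype == "--":
        return not is_dir
    return True


def candidates(path: str, is_dir: bool, specs: List[Spec]) -> List[Spec]:
    """Every entry that matches path, in the order it is tried (last entry first).
    Shows why a longer-stem file_contexts entry can match yet still lose."""
    return [s for s in reversed(specs) if _applies(s, is_dir) and s.regex.match(path)]


def lookup(path: str, is_dir: bool, specs: List[Spec]) -> Tuple[str, str]:
    """Return (context, source_file) for path: the first entry tried from the
    end of the list wins, so homedirs entries are checked before file_contexts."""
    hits = candidates(path, is_dir, specs)
    return (hits[0].context, hits[0].source) if hits else ("<<none>>", "no match")


# Constructed excerpts (hypothetical, not the real policy files), in file order.
FILE_CONTEXTS = """
/.*                      system_u:object_r:default_t:s0
/var/lib/pgsql(/.*)?     system_u:object_r:postgresql_db_t:s0
/home/pgsql/data(/.*)?   system_u:object_r:postgresql_db_t:s0
"""

FILE_CONTEXTS_HOMEDIRS = """
/home/[^/]*/.+           user_u:object_r:user_home_t:s0
/home/[^/]*       -d     user_u:object_r:user_home_dir_t:s0
"""

SAMPLE_SPECS = load_all(FILE_CONTEXTS, FILE_CONTEXTS_HOMEDIRS)


if __name__ == "__main__":
    for path, is_dir in [("/home/pgsql/data", True),
                         ("/home/pgsql/data/base/1", False),
                         ("/var/lib/pgsql/data", True)]:
        ctx, src = lookup(path, is_dir, SAMPLE_SPECS)
        print(f"{path}: {ctx}  (from {src})")
        for s in candidates(path, is_dir, SAMPLE_SPECS):
            print(f"    tried {s.regex.pattern:<28} {s.source}")
```

Running it shows `/home/pgsql/data` and everything below it resolving to the user_home types from file_contexts.homedirs even though the longer-stem `/home/pgsql/data(/.*)?` entry in file_contexts also matches; the same database directory placed under `/var/lib/pgsql` resolves to postgresql_db_t, which is the "move it to a different location" outcome of the thread.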