Stephanos Manos wrote:
> Ken YANG wrote:
>> Stephanos Manos wrote:
>>> Ken YANG wrote:
>>>> Stephanos Manos wrote:
>>>>> Hi
>>>>>
>>>>> I'm in the process of building a whole server and I was wondering what is
>>>>> the correct way of labeling the lost+found directory of the various file
>>>>> systems that will be mounted under /srv. I have labeled /srv as
>>>>> public_content_rw_t with
>>>>> semanage fcontext -a -t public_content_rw_t '/srv(/.*)?'
>>>>> but that results in lost+found being labeled as public_content_rw_t, so I
>>>>> also run
>>>>> semanage fcontext -a -f -d -t lost_found_t '/srv/(.*/)lost\+found'
>>>>>
>>>>> My question is:
>>>>> in /etc/selinux/targeted/contexts/files/file_contexts I see two lines
>>>>> for /lost+found
>>>>> a. /lost\+found/.* <<none>>
>>>>> b. /lost\+found -d system_u:object_r:lost_found_t:s0
>>>>>
>>>>> The second is created with the above mentioned command.
>>>>> How do I create the first, or don't I need it?
>>>> The first one is about the content in lost+found, and the second is
>>>> about the directory lost+found; I think you also find the "-d" item.
>>>>
>>>> The label rules you create through "semanage fcontext" are in:
>>>>
>>>> /etc/selinux/targeted/contexts/files/file_contexts.local
>>>>
>>> Yes, I know that. When I issue the above mentioned semanage fcontext
>>> command I see the following line created in
>>> /etc/selinux/targeted/contexts/files/file_contexts.local
>>>
>>> /srv/(.*/)lost\+found -d system_u:object_r:lost_found_t:s0
>>>
>>> but how do I create a line that is
>>> /srv/(.*/)lost\+found/.* <<none>>
>>>
>>> in the file_contexts.local
>>>
>>> or don't I need it?
>> The need for this line depends on your purpose. This line means
>> the context of files you create in the dir is set according to
>> the creating process and containing directory, if there are no policy rules
>> about it.
>>
>> I think you should keep this line in your file context file.
>
> The question is:
> which is the correct command that creates the line, since direct editing
> of the file is not recommended?

There is no need to write such a line in file_contexts.local. If there is no
rule for the file, its context will be inherited from the creating process
and containing dir, unless the file system is a pseudo-filesystem.

>
> Stephanos
>
>>> Stephanos
>>>
>>>>> Regards
>>>>>
>>>>> Stephanos Manos
>>>>>
>>>>> --
>>>>> fedora-selinux-list mailing list
>>>>> fedora-selinux-list@xxxxxxxxxx
>>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
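To see what the rules discussed in this thread actually do when restorecon walks /srv, here is a small model of file_contexts matching. It is an added example, not code from the list or from libselinux: it implements the documented conventions that each rule's regex is anchored at both ends, that a rule carrying a type flag (`-d`, `--`, ...) applies only to that file type, that the last matching rule wins, and that file_contexts.local is loaded after the system file_contexts so its rules take precedence. The rule text is constructed from the semanage commands and file lines quoted above; the function names (`parse_file_contexts`, `lookup`, `label_for`, `build_rules`) are the example's own.

```python
"""Simplified model of SELinux file_contexts matching (added example).

Models the documented behaviour: anchored regex per rule, optional file-type
flag, last matching rule wins, file_contexts.local appended after the system
file.  A <<none>> result means restorecon leaves the existing label alone.
"""
import re
from typing import List, NamedTuple, Optional


class Rule(NamedTuple):
    regex: "re.Pattern"
    ftype: Optional[str]    # 'd' dir, 'f' regular file, ...; None = any type
    context: Optional[str]  # None stands for <<none>>
    text: str               # original rule line, kept for explanations


# Type flags as they appear in file_contexts (semanage -f d writes "-d",
# semanage -f f writes "--").
FTYPE_FLAGS = {"-d": "d", "--": "f", "-l": "l", "-c": "c",
               "-b": "b", "-s": "s", "-p": "p"}


def parse_file_contexts(text: str) -> List[Rule]:
    """Parse file_contexts-style lines: <regex> [type-flag] <context|<<none>>>."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            pattern, flag, ctx = fields
            ftype = FTYPE_FLAGS[flag]
        elif len(fields) == 2:
            pattern, ctx = fields
            ftype = None
        else:
            raise ValueError(f"malformed rule: {line!r}")
        # libselinux anchors every regex at both ends
        compiled = re.compile("^" + pattern + "$")
        rules.append(Rule(compiled, ftype, None if ctx == "<<none>>" else ctx, line))
    return rules


def lookup(rules: List[Rule], path: str, ftype: str) -> Optional[Rule]:
    """Return the last rule matching path and file type, or None."""
    for rule in reversed(rules):
        if rule.ftype is not None and rule.ftype != ftype:
            continue
        if rule.regex.match(path):
            return rule
    return None


def label_for(rules: List[Rule], path: str, ftype: str) -> str:
    """Context restorecon would apply, '<<none>>', or a note that no rule matched."""
    rule = lookup(rules, path, ftype)
    if rule is None:
        return "(no rule: label comes from creating process / parent dir)"
    return "<<none>>" if rule.context is None else rule.context


# Constructed from the lines quoted in the thread (system file_contexts).
SYSTEM_FILE_CONTEXTS = r"""
/lost\+found/.*        <<none>>
/lost\+found       -d  system_u:object_r:lost_found_t:s0
"""

# What the two semanage commands from the thread put in file_contexts.local.
LOCAL_FILE_CONTEXTS = r"""
/srv(/.*)?                  system_u:object_r:public_content_rw_t:s0
/srv/(.*/)lost\+found   -d  system_u:object_r:lost_found_t:s0
"""

# The extra line the thread asks about.
NONE_LINE = r"""
/srv/(.*/)lost\+found/.*    <<none>>
"""


def build_rules(with_none_line: bool) -> List[Rule]:
    """Combine system and local rules in load order, optionally adding the <<none>> line."""
    text = SYSTEM_FILE_CONTEXTS + LOCAL_FILE_CONTEXTS
    if with_none_line:
        text += NONE_LINE
    return parse_file_contexts(text)


if __name__ == "__main__":
    # Sample paths (constructed): a data dir, its lost+found, a recovered file.
    samples = [("/srv/data", "d"), ("/srv/data/lost+found", "d"),
               ("/srv/data/lost+found/#1234", "f"), ("/srv/lost+found", "d")]
    for with_none in (False, True):
        print(f"--- with <<none>> line: {with_none}")
        rules = build_rules(with_none)
        for path, ftype in samples:
            print(f"{path:32} {ftype}  ->  {label_for(rules, path, ftype)}")
```

Running it shows the difference the asked-about line makes: without it, a file that fsck recovers into `/srv/data/lost+found` is matched by `/srv(/.*)?` and would be relabeled public_content_rw_t on the next restorecon; with it, restorecon skips the file. The model also makes visible that `/srv/(.*/)lost\+found` requires at least one directory component between `/srv` and `lost+found`, so a `lost+found` sitting directly in `/srv` falls through to the `/srv` rule. The model uses strict file order for precedence and ignores substitution and stem optimisations, which is enough for these rules.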