Laurent Jacquot wrote:
> Hello,
> I am sure this is a FAQ or a feature, but I want to know how to work
> around:
>
> I have cxoffice installed in my F8 home dir and I want some lib labeled
> as textrel_shlib_t, but I cannot override the default user_home_t home
> label via a policy module.
>
> NOTE1 it works if the directory is not under /home
> NOTE2 there is nothing in the logs if it fails
> NOTE3 It has been so since the introduction of modular policy in selinux
>
> This is what I have tried so far in F8.
> [root@jack sel]#cat local.fc
> #cxoffice
> #/home/alex/.cxoffice/dotwine/drive_c(/.*)?/.*\.exe -- system_u:object_r:textrel_shlib_t:s0
>
> /home/alex/cxoffice/lib/wine/kernel32.dll.so -- system_u:object_r:textrel_shlib_t:s0
>
> [root@jack sel]#semodule_package -o local.pp -m local.mod -f local.fc
> [root@jack sel]#semodule -i local.pp
> [root@jack sel]#ls -Z /home/alex/cxoffice/lib/wine/kernel32.dll.so
> -rwxr-xr-x alex alex system_u:object_r:user_home_t:s0 /home/alex/cxoffice/lib/wine/kernel32.dll.so
> [root@jack sel]#restorecon /home/alex/cxoffice/lib/wine/kernel32.dll.so
> [root@jack sel]#ls -Z /home/alex/cxoffice/lib/wine/kernel32.dll.so
> -rwxr-xr-x alex alex system_u:object_r:user_home_t:s0 /home/alex/cxoffice/lib/wine/kernel32.dll.so
>
>
> (If I use the system-config-selinux UI, I can see the new entry in the
> tab context among all the regexp)
>
> Using semanage, it works:
> [root@jack sel]#semodule -r local
> [root@jack sel]#semanage fcontext -a -t textrel_shlib_t /home/alex/cxoffice/lib/wine/kernel32.dll.so
> [root@jack sel]#ls -Z /home/alex/cxoffice/lib/wine/kernel32.dll.so
> -rwxr-xr-x alex alex system_u:object_r:user_home_t:s0 /home/alex/cxoffice/lib/wine/kernel32.dll.so
> [root@jack sel]#restorecon /home/alex/cxoffice/lib/wine/kernel32.dll.so
> [root@jack sel]#ls -Z /home/alex/cxoffice/lib/wine/kernel32.dll.so
> -rwxr-xr-x alex alex system_u:object_r:textrel_shlib_t:s0 /home/alex/cxoffice/lib/wine/kernel32.dll.so
>
> and the custom rule appears in system-config-selinux UI at the end of
> the policy.
>
> So how do I have my module install my contexts the same way as semanage?
> Should I bugzilla it?
>
> BTW, how does system-config-selinux browse the file context policy? Is it
> possible to see also the rules and type definition?
>
> TIA
> jk
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

This looks like a bug in libsemanage or in the file context labeling
algorithm.

I believe matchpathcon is reading in file_contexts,
file_contexts.homedirs, file_contexts.local and taking the last entry.
So using semodule to add a pp file updates the file_contexts file, in
which case the homedirs is overriding. semanage fcontext updates the
file_contexts.local.

If you tried

HOME_DIR/\.cxoffice/dotwine/drive_c(/.*)?/.*\.exe -- system_u:object_r:textrel_shlib_t:s0

It should update the file_contexts.homedirs file.
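
The lookup order the reply describes, as an added example that is not part of the original message and is not libselinux code: a simplified Python model in which the last matching entry across file_contexts, file_contexts.homedirs and file_contexts.local wins. The generic homedirs pattern and the use of Python regexes in place of the real matcher are assumptions made for illustration.

```python
import re

PATH = "/home/alex/cxoffice/lib/wine/kernel32.dll.so"
TEXTREL = "system_u:object_r:textrel_shlib_t:s0"

# Constructed entries: (pattern, file-type flag, context).
# Assumption: this generic home-directory rule stands in for the
# entries generated into file_contexts.homedirs.
HOMEDIRS = [("/home/[^/]+/.+", None, "system_u:object_r:user_home_t:s0")]


def lookup(path, file_contexts, homedirs, local, regular_file=True):
    """Model of the behaviour described in the reply: read the three
    files in order and keep the last entry whose pattern matches."""
    result = None
    for entries in (file_contexts, homedirs, local):
        for pattern, ftype, context in entries:
            if ftype == "--" and not regular_file:
                continue  # "--" restricts the entry to regular files
            if re.fullmatch(pattern, path):
                result = context  # a later match replaces an earlier one
    return result


def module_case():
    # semodule -i local.pp: the local.fc entry is merged into
    # file_contexts, so the homedirs rule is read afterwards and wins.
    return lookup(PATH, [(PATH, "--", TEXTREL)], HOMEDIRS, [])


def semanage_case():
    # semanage fcontext -a: the entry goes to file_contexts.local,
    # which is read last and therefore overrides the homedirs rule.
    return lookup(PATH, [], HOMEDIRS, [(PATH, None, TEXTREL)])


if __name__ == "__main__":
    print("module  :", module_case())
    print("semanage:", semanage_case())
```

The two results correspond to the two `ls -Z` outcomes quoted in the thread after `restorecon`.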