Re: File contexts and how are files labeled?

On Tue, 28 Oct 2008 08:13:06 +1000
Murray McAllister <mmcallis@xxxxxxxxxx> wrote:

> Timothy Renner wrote:
> > First off, thanks for the answers about finding out the SELinux 
> > transactions...  autrace was the way to go....    Now I have a more 
> > fundamental problem...  In the file context labels, there are two
> > rules that conflict:
> > 
> > /sbin/.*       all files   system_u:object_r:bin_t:s0
> > 
> >       and
> > 
> > /sbin/mount.mymounter   regular file
> > system_u:object_r:myfile_exec_t:s0
> > 
> > The problem though is that the file gets labeled under the blanket 
> > /sbin/.* context, rather than the more specific one:
> > 
> >  > ls -lZ /sbin/mount.mymounter
> > lrwxrwxrwx  root root system_u:object_r:bin_t          
> > /sbin/mount.mymounter -> /myproject/sbin/mymounter
> I tried this on Fedora Rawhide and it worked. I also have
> your /sbin/* rule. Did you run "restorecon /sbin/mount.mymounter"
> after adding the rule?
> 
> I don't know how this works for symbolic links. You might have to add
> a rule (and run restorecon) for /myproject/sbin/mymounter
> > 
> > Any thoughts on this?  Can someone explain how the file context is 
> > derived from the rules?  Is it as simple as whichever matches
> > first? And does anyone know a way around this labeling problem,
> > assuming I cannot remove the /sbin/.* rule, but can only add rules
> > through a policy module.

Regular files, directories, sockets, symlinks etc. can all have
different contexts for the same path specification. So specifying the
type for regular files won't have any effect on symlinks. For how to
specify contexts for different file types using semanage, see the
"--ftype" option in the manpage for semanage.

Regarding how contexts are matched, I asked about it a long while ago
and wrote down a summary of what I was told here:

http://www.city-fan.org/tips/SeLinuxQuickRef

See "File Contexts Sort Ordering" at the bottom of the page.

Paul.
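To illustrate the point made above (a "regular file" entry never applies to a symlink, and the most specific matching entry otherwise wins), here is an added example that is not from the thread or from SELinux itself: a small Python model of file_contexts matching using the two rules Timothy quoted. The file-type codes follow the file_contexts column convention ("--" regular file, "-d" directory, "-l" symlink, none = all files); the specificity ordering is a simplified assumption modelled on libselinux/fc_sort behaviour, not the real implementation.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

META = set('.^$?*+|[](){}\\')  # regex metacharacters that end the literal stem


@dataclass
class FcEntry:
    regex: str             # path regex, as written in a file_contexts file
    ftype: Optional[str]   # '--', '-d', '-l', ... ; None means "all files"
    context: str


def stem(regex: str) -> str:
    """Literal directory prefix before the first regex metacharacter."""
    literal = ''
    for ch in regex:
        if ch in META:
            break
        literal += ch
    return literal[:literal.rfind('/') + 1] if '/' in literal else ''


def specificity(e: FcEntry):
    """Assumed ordering: longer stem, then no metacharacters, then longer
    regex, then an explicit file type beats an 'all files' entry."""
    has_meta = any(c in META for c in e.regex)
    return (len(stem(e.regex)), not has_meta, len(e.regex), e.ftype is not None)


def match_context(entries: List[FcEntry], path: str, ftype: str) -> Optional[str]:
    """Context for `path` whose on-disk class is `ftype`.
    Entries with a non-matching file-type filter are never candidates;
    among the rest the most specific wins (equivalent to 'last match'
    in a file_contexts file sorted least- to most-specific)."""
    candidates = [e for e in entries
                  if (e.ftype is None or e.ftype == ftype)
                  and re.fullmatch(e.regex, path)]
    if not candidates:
        return None
    return max(candidates, key=specificity).context


# Constructed rule set: the two entries quoted in the thread.
ENTRIES = [
    FcEntry(r'/sbin/.*', None, 'system_u:object_r:bin_t:s0'),
    FcEntry(r'/sbin/mount\.mymounter', '--', 'system_u:object_r:myfile_exec_t:s0'),
]

# Adding a symlink-specific ('-l') entry is what makes the link itself relabel.
WITH_SYMLINK_RULE = ENTRIES + [
    FcEntry(r'/sbin/mount\.mymounter', '-l', 'system_u:object_r:myfile_exec_t:s0'),
]
```

Running `match_context(ENTRIES, '/sbin/mount.mymounter', '-l')` reproduces the bin_t result from the ls -lZ output, while the same path as a regular file ('--') gets myfile_exec_t.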

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
