On Mon, 2008-10-27 at 14:34 -0700, Timothy Renner wrote:
> First off, thanks for the answers about finding out the SELinux
> transactions... autrace was the way to go.... Now I have a more
> fundamental problem... In the file context labels, there are two rules
> that conflict:
>
> /sbin/.*    all files    system_u:object_r:bin_t:s0
>
> and
>
> /sbin/mount.mymounter    regular file    system_u:object_r:myfile_exec_t:s0
>
> The problem though is that the file gets labeled under the blanket
> /sbin/.* context, rather than the more specific one:
>
> > ls -lZ /sbin/mount.mymounter
> lrwxrwxrwx root root system_u:object_r:bin_t
> /sbin/mount.mymounter -> /myproject/sbin/mymounter
>
> Any thoughts on this? Can someone explain how the file context is
> derived from the rules? Is it as simple as whichever matches first?
> And does anyone know a way around this labeling problem, assuming I
> cannot remove the /sbin/.* rule, but can only add rules through a policy
> module.

You don't want that context on the symlink but on the file it
references. So specify the path of the referenced file, not the symlink,
in your module's .fc file.

--
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
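Added example, not part of the original message and not libselinux code: a simplified Python model of the file-type check in a file context rule, run over a constructed copy of the layout from the thread. The first two rules are the ones quoted above; the third rule (the target path) and all function names are assumptions made for illustration, and precedence between several matching rules is deliberately not modelled.

```python
import os
import re
import stat
import tempfile

# (path regex, file type, context). Rules 1-2 are from the thread; rule 3 is an
# assumed .fc entry for the referenced file, following the advice in the reply.
RULES = [
    (r"/sbin/.*", "all files", "system_u:object_r:bin_t:s0"),
    (r"/sbin/mount.mymounter", "regular file", "system_u:object_r:myfile_exec_t:s0"),
    (r"/myproject/sbin/mymounter", "regular file", "system_u:object_r:myfile_exec_t:s0"),
]


def file_class(root, path):
    """Type of the object at the path itself; lstat does not follow symlinks."""
    mode = os.lstat(root + path).st_mode
    if stat.S_ISLNK(mode):
        return "symbolic link"
    if stat.S_ISDIR(mode):
        return "directory"
    if stat.S_ISREG(mode):
        return "regular file"
    return "other"


def candidates(root, path, rules=RULES):
    """Contexts of every rule whose regex AND file type both fit this object."""
    cls = file_class(root, path)
    return [ctx for rx, kind, ctx in rules
            if re.fullmatch(rx, path) and kind in ("all files", cls)]


def build_sample_tree():
    """Constructed tree under a temp dir: the real binary plus the /sbin symlink."""
    root = tempfile.mkdtemp()
    os.makedirs(root + "/myproject/sbin")
    os.makedirs(root + "/sbin")
    open(root + "/myproject/sbin/mymounter", "w").close()
    os.symlink("/myproject/sbin/mymounter", root + "/sbin/mount.mymounter")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for p in ("/sbin/mount.mymounter", "/myproject/sbin/mymounter"):
        print(p, "|", file_class(root, p), "|", candidates(root, p))
```

In this model the "regular file" rule is never a candidate for the symlink, so only the blanket `/sbin/.*` rule applies to it, while the referenced file picks up `myfile_exec_t` from the rule written against its own path.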