Hello, list.

I'm having quite some difficulties in understanding some SELinux behaviour, and Google is not helping...

On an RHEL6-based system using the targeted policy, when we create our .k5login files, they get the context of their parent directory, and *not* the one specified in the policy for .k5login. Calling restorecon gives them the correct context, but I would expect it to be correct since the file is created.

The file_contexts file looks like this:

19:/root(/.*)? system_u:object_r:admin_home_t:s0
2353:/root/\.k5login -- system_u:object_r:krb5_home_t:s0

And the behaviour we get is:

************************************************************
# Initial status:
~ # sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: permissive
Policy version: 24
Policy from config file: targeted
~ # LANG=C ls -a .k5login
ls: cannot access .k5login: No such file or directory
# Create the file
~ # echo foo@xxxxxxx > .k5login
~ # ls -Z .k5login
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 .k5login
# But restorecon gives it the correct context!!
~ # restorecon .k5login
~ # ls -Z .k5login
-rw-r--r--. root root system_u:object_r:krb5_home_t:s0 .k5login
************************************************************

I would expect that newly-created files wouldn't need a restorecon, unless the policy changed or they were created when SELinux was disabled. Am I wrong? Or is it a bug in the policy?

Thanks a lot.

PS: I suppose this problem applies to other files, we've been hit with .k5login first (users couldn't SSH in).

PPS: I'm using: selinux-policy-targeted-3.7.19-54.el6.noarch

--
Luis Fernando Muñoz Mejías
Luis.Fernando.Munoz.Mejias@xxxxxxx
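The comparison made in the message above, between the context file_contexts specifies for /root/.k5login and the label the new file actually carried, as an added example that is not part of the original post. The function names are hypothetical; the sketch assumes that the last matching entry in file_contexts wins and compares only the type field of the label.

```python
import re
import stat

# Constructed input: the two file_contexts entries quoted in the post,
# with the grep line-number prefixes (19:, 2353:) removed.
FILE_CONTEXTS = r"""
/root(/.*)?        system_u:object_r:admin_home_t:s0
/root/\.k5login -- system_u:object_r:krb5_home_t:s0
"""

# Optional file-type field of an entry -> test on st_mode.
TYPE_TESTS = {"--": stat.S_ISREG, "-d": stat.S_ISDIR, "-l": stat.S_ISLNK}

def parse(text):
    """Return (compiled regex, type field or None, context) per entry, in file order."""
    specs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        ftype = fields[1] if len(fields) == 3 else None
        specs.append((re.compile(fields[0]), ftype, fields[-1]))
    return specs

def expected_context(specs, path, mode):
    """Context the entries assign to path. Assumption: the last matching entry wins."""
    for regex, ftype, context in reversed(specs):
        if regex.fullmatch(path) and (ftype is None or TYPE_TESTS[ftype](mode)):
            return context
    return None

def needs_relabel(specs, path, mode, actual):
    """True when the type field of the actual label differs from the expected one."""
    expected = expected_context(specs, path, mode)
    return expected is not None and expected.split(":")[2] != actual.split(":")[2]

if __name__ == "__main__":
    specs = parse(FILE_CONTEXTS)
    regular = stat.S_IFREG | 0o644
    for label in ("unconfined_u:object_r:admin_home_t:s0",  # right after creation
                  "system_u:object_r:krb5_home_t:s0"):      # after restorecon
        print(label, "->", "relabel needed" if needs_relabel(
            specs, "/root/.k5login", regular, label) else "ok")
```

Run over a directory tree with each file's real label, the same check lists files that were created with the parent directory's type and still need restorecon.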