On 09/06/2011 01:10 PM, Robin Lee Powell wrote:
> On Tue, Sep 06, 2011 at 10:13:37AM -0400, Daniel J Walsh wrote:
>> On 09/04/2011 10:49 PM, Robin Lee Powell wrote:
>>> I have a custom module installed that is supposed to set file
>>> contexts for some stuff in a user's homedir (the CGI
>>> application I mentioned in my last email, that I want the user
>>> to be able to administer):
>>>
>>> /etc/selinux/targeted/modules/active/file_contexts.template
>>> 1953:/home/melbi/bpfk_corpus(/.*)? system_u:object_r:lojban_corpus_t:s0
>>> 2179:/home/melbi/public_html/cgi-bin/corpus.cgi system_u:object_r:lojban_corpus_t:s0
>>>
>>> /etc/selinux/targeted/modules/active/file_contexts
>>> 1883:/home/melbi/bpfk_corpus(/.*)? system_u:object_r:lojban_corpus_t:s0
>>> 2101:/home/melbi/public_html/cgi-bin/corpus.cgi system_u:object_r:lojban_corpus_t:s0
>>>
>>> /etc/selinux/targeted/contexts/files/file_contexts
>>> 1883:/home/melbi/bpfk_corpus(/.*)? system_u:object_r:lojban_corpus_t:s0
>>> 2101:/home/melbi/public_html/cgi-bin/corpus.cgi system_u:object_r:lojban_corpus_t:s0
>>>
>>> This doesn't appear to actually *work*; as far as I can tell
>>> the contexts for the home directory itself are winning:
>>>
>>> rlpowell@vrici> ls -lZ ~melbi/bpfk_corpus
>>> drwxrwxrwx. melbi  melbi  user_u:object_r:user_home_t:s0 files/
>>> -rw-r--r--. melbi  melbi  user_u:object_r:user_home_t:s0 selmaho.txt
>>> drwxrwxrwx. melbi  melbi  user_u:object_r:user_home_t:s0 tmp/
>>> -rw-r--r--. apache apache user_u:object_r:user_home_t:s0 urls.db
>>> -rw-rw-rw-. melbi  melbi  user_u:object_r:user_home_t:s0 urls.not.db
>>>
>>> (that's after a restorecon)
>>>
>>> Can I do anything to change that?
>>>
>>> -Robin
>>
>> HOMEDIR takes precedence over modules policy.
>>
>> Try
>>
>> HOME_DIR/bpfk_corpus(/.*)? gen_context(system_u:object_r:lojban_corpus_t,s0)
>
> Which will affect everybody, which is kind of icky. Better than
> nothing, I guess. Thanks.
>
> -Robin

I am going to write a blog on this. Your other option is to use semanage rather than a module.

Search order on matching is:

semanage fcontext
MODULE CONTAINING HOMEDIR
MODULE containing file context.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
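The precedence Dan describes, as an added example that is not part of the thread or of SELinux's own code: libselinux loads file_contexts (base policy plus modules), then file_contexts.homedirs (the HOME_DIR lines expanded per user by genhomedircon), then file_contexts.local (where `semanage fcontext` writes), and the last matching entry wins. The model below reduces the real matcher to "last match wins over the concatenation of the three files" and simplifies the HOME_DIR expansion to a plain substitution per home directory; both reductions are assumptions of this example. The paths and the lojban_corpus_t / user_home_t types come from the thread; the other entries, the user list, and the function names are constructed for illustration.

```python
"""Model of SELinux file-context lookup order (added example, simplified).

Assumption: the three context files are consulted as one list in load
order (file_contexts, file_contexts.homedirs, file_contexts.local) and
the LAST matching pattern wins.  That reproduces the behaviour in the
thread: a literal /home/melbi/... line in a module's .fc loses to the
HOME_DIR-derived entry, a HOME_DIR line in the module wins but applies
to every user, and a semanage fcontext entry beats both.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Spec:
    regex: str    # pattern as written in a file_contexts-style file
    context: str  # user:role:type:level
    source: str   # which file supplied the entry (for explaining the result)


def matches(spec: Spec, path: str) -> bool:
    # setfiles/libselinux anchor each pattern at both ends.
    return re.fullmatch(spec.regex, path) is not None


def expand_home_dir(template: List[Tuple[str, str]], homes: List[str]) -> List[Spec]:
    """Expand HOME_DIR/... template lines into one entry per home directory,
    the way genhomedircon fills file_contexts.homedirs (simplified: no
    HOME_ROOT, ROLE or USER substitution, one context per line)."""
    out = []
    for home in homes:
        for pattern, context in template:
            out.append(Spec(pattern.replace("HOME_DIR", re.escape(home)),
                            context, "file_contexts.homedirs"))
    return out


def lookup(path: str, *sources: List[Spec]) -> Optional[Spec]:
    """Walk the concatenated sources from the end: the last match wins, so a
    later file (homedirs, then local) overrides an earlier one (modules)."""
    for spec in reversed([s for src in sources for s in src]):
        if matches(spec, path):
            return spec
    return None


CORPUS = "system_u:object_r:lojban_corpus_t:s0"

# Module .fc entries with a literal home path, as in the first attempt
# (constructed: a catch-all line stands in for the rest of base policy).
MODULE_LITERAL = [
    Spec(r"/.*", "system_u:object_r:default_t:s0", "file_contexts (base)"),
    Spec(r"/home/melbi/bpfk_corpus(/.*)?", CORPUS, "file_contexts (module)"),
    Spec(r"/home/melbi/public_html/cgi-bin/corpus.cgi", CORPUS, "file_contexts (module)"),
]

# Constructed, shortened stand-in for the HOME_DIR template of base policy.
BASE_TEMPLATE = [
    ("HOME_DIR", "user_u:object_r:user_home_dir_t:s0"),
    ("HOME_DIR/.+", "user_u:object_r:user_home_t:s0"),
]
HOMES = ["/home/melbi", "/home/rlpowell"]  # constructed user list
HOMEDIRS = expand_home_dir(BASE_TEMPLATE, HOMES)

# Dan's first suggestion: the same rule written with HOME_DIR in the module,
# which genhomedircon expands for every user.
HOMEDIRS_WITH_FIX = expand_home_dir(
    BASE_TEMPLATE + [("HOME_DIR/bpfk_corpus(/.*)?", CORPUS)], HOMES)

# Dan's other suggestion: semanage fcontext, which lands in file_contexts.local.
LOCAL = [Spec(r"/home/melbi/bpfk_corpus(/.*)?", CORPUS,
              "file_contexts.local (semanage fcontext)")]


def winner(path: str, *sources: List[Spec]) -> Optional[Tuple[str, str]]:
    """(context, source) of the entry that labels path, or None."""
    spec = lookup(path, *sources)
    return (spec.context, spec.source) if spec else None


def demo() -> dict:
    """Each of the thread's three situations for one file in the corpus."""
    melbi = "/home/melbi/bpfk_corpus/selmaho.txt"
    other = "/home/rlpowell/bpfk_corpus/notes.txt"
    return {
        "module only": winner(melbi, MODULE_LITERAL, HOMEDIRS),
        "HOME_DIR in module": winner(melbi, MODULE_LITERAL, HOMEDIRS_WITH_FIX),
        "semanage fcontext": winner(melbi, MODULE_LITERAL, HOMEDIRS, LOCAL),
        "other user, HOME_DIR fix": winner(other, MODULE_LITERAL, HOMEDIRS_WITH_FIX),
        "other user, semanage": winner(other, MODULE_LITERAL, HOMEDIRS, LOCAL),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:26s} -> {result}")
```

The "module only" case lands on user_home_t from file_contexts.homedirs, which is the `ls -lZ` output in the thread; the HOME_DIR variant yields lojban_corpus_t for melbi but also for every other user's bpfk_corpus, which is the "affects everybody" objection; the semanage entry gives lojban_corpus_t for melbi alone. On a real system the equivalent is `semanage fcontext -a -t lojban_corpus_t '/home/melbi/bpfk_corpus(/.*)?'` followed by `restorecon -Rv /home/melbi/bpfk_corpus`, and `matchpathcon /home/melbi/bpfk_corpus/selmaho.txt` shows which entry actually wins before you relabel.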