On Fri, Jun 7, 2019 at 5:26 PM Marko Rauhamaa <marko@xxxxxxxxxx> wrote:

> More interestingly, how do I override the distro transition rule so
> that the file context rule takes precedence?

You don’t. When a file is created, the creation/transition policy applies; when you run restorecon on a file, the file context policy applies.

> Based on some extensive googling, I gather I will need an
>
> file_type_auto_trans
>
> declaration. Even some more digging makes me guess this directive
> needs to go in a .te file although it would be nice to find a direct
> answer in the documentation.

You can look at the reference policy in Github to see how to write type transitions. But it’s probably not going to help you here.

Unlike file contexts, type transitions are exact, and cannot conflict. If your custom module contains a file transition that conflicts with a preexisting transition, SELinux will refuse to load your module. See: https://selinuxproject.org/page/NB_Domain_and_Object_Transitions

If you think your distro’s file transitions are too zealous, and are transitioning new files to the antivirus_db_t context that aren’t actually antivirus database files, then you should file a bug report against the distro and get the problem fixed in the upstream policy.

_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
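The distinction the reply draws (creation-time type_transition versus the file_contexts rule restorecon applies, and the loader's refusal of conflicting transitions) can be modelled in a few lines. This is an added example, not code from the thread or from SELinux itself; the policy fragments, the `antivirus_t` source domain, the `/var/lib/scanner-cache.bin` path and the `my_cache_t` type are constructed for illustration, and the model also covers name-specific transitions, which the reply does not discuss.

```python
import re

# Constructed policy fragments standing in for the distro rules (not real Fedora
# policy). file_contexts format: <regex> [<file type>] <context>. Entries are
# anchored and the last matching entry wins, so specific paths come last.
FILE_CONTEXTS = r"""
/var/lib(/.*)?                  system_u:object_r:var_lib_t:s0
/var/lib/scanner-cache\.bin  -- system_u:object_r:my_cache_t:s0
"""

# Creation-time rules: (source domain, parent dir type, class, filename or None)
# -> type of the new object. Stands in for the distro's over-broad transition.
TYPE_TRANSITIONS = {("antivirus_t", "var_lib_t", "file", None): "antivirus_db_t"}

TYPE_FIELD = {"--": "file", "-d": "dir", "-l": "lnk_file", "-s": "sock_file"}

def parse_file_contexts(text):
    """Parse file_contexts lines into (compiled regex, class filter, context)."""
    specs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        regex, ftype, ctx = fields if len(fields) == 3 else (fields[0], None, fields[1])
        specs.append((re.compile(regex), TYPE_FIELD.get(ftype), ctx))
    return specs

def restorecon_label(path, cls, specs):
    """Type restorecon/setfiles applies to an existing object (None: untouched)."""
    for regex, ftype, ctx in reversed(specs):
        if regex.fullmatch(path) and (ftype is None or ftype == cls):
            return ctx.split(":")[2]
    return None

def creation_label(source_domain, parent_type, cls, name, transitions):
    """Type the kernel assigns at create(): name-specific transition first, then
    the unnamed one, otherwise the new object inherits the parent's type."""
    return (transitions.get((source_domain, parent_type, cls, name))
            or transitions.get((source_domain, parent_type, cls, None))
            or parent_type)

def add_transition(table, key, new_type):
    """Same key with a different default type is a conflict; the module is refused."""
    if key in table and table[key] != new_type:
        raise ValueError(f"conflicting type_transition for {key}")
    table[key] = new_type
```

With these fragments, `creation_label("antivirus_t", "var_lib_t", "file", "scanner-cache.bin", TYPE_TRANSITIONS)` returns `antivirus_db_t` while `restorecon_label("/var/lib/scanner-cache.bin", "file", parse_file_contexts(FILE_CONTEXTS))` returns `my_cache_t`: the .fc entry changes only what a relabel produces, never what the kernel assigns at creation.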