On Thu, May 25, 2023 at 2:16 PM Dridi Boukelmoune <dridi.boukelmoune@xxxxxxxxx> wrote:
Greetings,
I have a custom policy that has a label for a directory and all its
contents, except for one specific sub-directory that uses a more
specific type. When a file is created in that sub-directory, it gets
the general label instead of the specific one.
It looks wrong, and at least restorecon seems to agree because it will
happily relabel the offending file, meeting my expectations. I must be
doing something wrong, probably missing something, but I have no idea
what.
Or could it be a bug? The kernel module could be evaluating rules in a
different order, hence the discrepancy at file creation time. In my
policy file contexts are sorted from least to most specific.
Anyway, I can't share that, so I made a minimal reproducer:
https://github.com/dridi/selinux-lostlabel
Any help appreciated, I tried really hard to understand what is going
on, to no avail. The only similar search result was wrong labels in
home directories showing up in several places but I couldn't find my
nugget there.
I initially sent an email and it's not showing up in the archive, so
instead I subscribed to the list and started a new thread using the
Hyperkitty interface. Apologies in advance if you receive it twice.
Hi,
Not sure if I understand properly, but I believe what you need is a file transition, defined for the domain which is to create the directory with a different type; otherwise inheritance applies. The file context database is only a static database for use by commands like restorecon or matchpathcon.
--
Zdenek Pytela
Security SELinux team
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
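To make the distinction in the reply concrete, here is an added example that is not part of the thread and not Dridi's reproducer (whose contents are not shown here). It is a single CIL module carrying both halves: the file context entries that matchpathcon and restorecon consult, and the type transition that the kernel consults when a domain creates the sub-directory. The path /srv/app, the directory name "spool", and the types lostlabel_gen_t, lostlabel_spec_t and lostlabel_app_t are all assumptions; the module also assumes a refpolicy-derived base such as Fedora's, in which system_u, object_r, s0 and the file_type attribute already exist.

```cil
;; Added example, not from the thread. All names below are hypothetical.
;; Assumes a refpolicy-derived base (e.g. Fedora's) where system_u, object_r,
;; s0 and the file_type attribute are already declared.

;; General type for /srv/app and everything below it.
(type lostlabel_gen_t)
;; More specific type for /srv/app/spool and its contents.
(type lostlabel_spec_t)
;; The domain that creates the spool directory and the files inside it.
(type lostlabel_app_t)

(roletype object_r lostlabel_gen_t)
(roletype object_r lostlabel_spec_t)
(typeattributeset file_type (lostlabel_gen_t lostlabel_spec_t))

;; Static labeling database: this is what matchpathcon reports and what
;; restorecon applies. The kernel never reads it, so it has no effect on
;; the label a newly created file receives.
(filecon "/srv/app(/.*)?" any (system_u object_r lostlabel_gen_t ((s0) (s0))))
(filecon "/srv/app/spool(/.*)?" any (system_u object_r lostlabel_spec_t ((s0) (s0))))

;; Runtime labeling: without this rule, a directory created by
;; lostlabel_app_t inside a lostlabel_gen_t directory inherits
;; lostlabel_gen_t, and every file later created inside it inherits
;; lostlabel_gen_t in turn. With it, a directory named "spool" created by
;; lostlabel_app_t in a lostlabel_gen_t directory is labeled
;; lostlabel_spec_t at creation time, and files created below it then
;; inherit lostlabel_spec_t.
(typetransition lostlabel_app_t lostlabel_gen_t dir "spool" lostlabel_spec_t)

;; Minimal permissions so the domain can actually perform the creation.
;; Real policy would use the base policy's interfaces instead.
(allow lostlabel_app_t lostlabel_gen_t (dir (search write add_name)))
(allow lostlabel_app_t lostlabel_spec_t (dir (create search write add_name)))
(allow lostlabel_app_t lostlabel_spec_t (file (create open read write getattr)))
```

Install it with `semodule -i lostlabel.cil`. The two sides can then be checked separately: `matchpathcon /srv/app/spool/job` shows the static side (the context restorecon would apply, which works for a path that does not exist yet), while `sesearch -T -s lostlabel_app_t -t lostlabel_gen_t -c dir` shows the runtime side (the transition the kernel will use). The caveat worth keeping in mind: if the sub-directory already exists on disk with the specific label, for instance after a restorecon, files created inside it inherit the specific type and no transition rule is needed. The rule is only needed when the domain itself creates the sub-directory (or the file) under a parent whose type is the general one.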