There seems to be a very strong preference by the policy to label files and directories under a home directory to user_home_t. I would like to override that for a particular directory structure.

I have the following directory with many other files and directories below it:

/opt/home/oracle/product/10.2.0

Many of the files are libraries, which I would like to label lib_t and shlib_t. As a specific example I have the following two files:

# ls -Z /opt/home/oracle/product/10.2.0/lib32/libsql*
-r-xr-xr-x oracle oinstall user_u:object_r:user_home_t:SystemLow /opt/home/oracle/product/10.2.0/lib32/libsqlplusic.so
-r-xr-xr-x oracle oinstall user_u:object_r:user_home_t:SystemLow /opt/home/oracle/product/10.2.0/lib32/libsqlplus.so

If I add the following file context line to my policy without any regex wildcard chars, it works. The libsqlplus.so file is properly labeled as shlib_t.

/opt/home/oracle/product/10\.2\.0/lib32/libsqlplus\.so -- gen_context(system_u:object_r:shlib_t,__SYSTEMLOW__)

# ls -Z /opt/home/oracle/product/10.2.0/lib32/libsql*
-r-xr-xr-x oracle oinstall user_u:object_r:user_home_t:SystemLow /opt/home/oracle/product/10.2.0/lib32/libsqlplusic.so
-r-xr-xr-x oracle oinstall system_u:object_r:shlib_t:SystemLow /opt/home/oracle/product/10.2.0/lib32/libsqlplus.so

However, if I add any regex wildcard chars, the label reverts back to the default user_home_t context.
For example, with the following modification to the above file context line:

/opt/home/oracle/product/10\.2\.0/lib32/libsqlplus.*\.so -- gen_context(system_u:object_r:shlib_t,__SYSTEMLOW__)

# ls -Z /opt/home/oracle/product/10.2.0/lib32/libsql*
-r-xr-xr-x oracle oinstall user_u:object_r:user_home_t:SystemLow /opt/home/oracle/product/10.2.0/lib32/libsqlplusic.so
-r-xr-xr-x oracle oinstall user_u:object_r:user_home_t:SystemLow /opt/home/oracle/product/10.2.0/lib32/libsqlplus.so

Being that this is a large directory structure with lots of files, I do not want to have to label each one explicitly, without the use of regex wildcards.

My understanding is that the policy should apply the most specific file context line. But that does not appear to be what is happening in this case.

Is there some way to override this strong preference to label files under a home directory as user_home_t?

I'm using the rhel5.1 mls policy.

Any help would be greatly appreciated.

Thanks,
Mike