Hi,

If we adopt role_transition rules for non-process classes, then how could we have the restorecon or matchpathcon tools properly recognize them? So far these tools can only read from the file_contexts, file_contexts.homedirs or file_contexts.local files, and they only know that the role for non-process class objects is "object_r".

Suppose we have the role_transition rule below:

role_transition sysadm_r user_home_t:{ file dir } sysadm_r;

which means any objects of the file or dir classes created by sysadm_r in a parent directory whose type is user_home_t would have sysadm_r as the objects' role.

Since it is hard to know:

1. the path of such parent directories, and
2. the seuser that is assuming the sysadm_r role;

it would be impossible to use the "semanage fcontext -a" command to specify special security contexts for files at run-time, nor to add relevant rules in the related .fc files (so as to prevent restorecon from relabeling the object's role to "object_r").

Comments?

Thanks!
Harry
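The question above turns on what restorecon and matchpathcon can learn from file_contexts: each entry carries a full context string (user:role:type[:range]), so the role field is present per entry even though distribution policies fill it with object_r. The following is an added example, not code from the original post or from the SELinux project: a small parser for the file_contexts line format (regex, optional file-type flag such as "--" or "-d", then a context or "<<none>>") plus a check that lists the entries whose role is anything other than object_r. The sample lines are constructed here for illustration; whether a non-object_r role in such an entry is actually usable depends on the loaded policy's role/type rules, which this script does not consult.

```python
import re
from typing import List, NamedTuple, Optional


class FcEntry(NamedTuple):
    """One parsed file_contexts entry."""
    regex: str                 # path regex as written in the file
    ftype: Optional[str]       # file-type flag ("--", "-d", "-l", ...) or None
    context: Optional[str]     # full context, or None for "<<none>>"
    role: Optional[str]        # role field of the context, or None for "<<none>>"


# regex  [type-flag]  context   (fields separated by whitespace)
_LINE_RE = re.compile(r'^(\S+)\s+(?:(-[-bcdlps])\s+)?(\S+)\s*$')


def parse_file_contexts(text: str) -> List[FcEntry]:
    """Parse file_contexts-style text into FcEntry records.

    Blank lines and '#' comments are skipped. Raises ValueError on a line
    that does not fit the three-field layout or on a context with fewer
    than the three mandatory user:role:type components.
    """
    entries: List[FcEntry] = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # assumes '#' never appears inside a path regex
        if not line:
            continue
        match = _LINE_RE.match(line)
        if match is None:
            raise ValueError(f'unparseable file_contexts line: {raw!r}')
        regex, ftype, ctx = match.groups()
        if ctx == '<<none>>':
            entries.append(FcEntry(regex, ftype, None, None))
            continue
        parts = ctx.split(':')
        if len(parts) < 3:
            raise ValueError(f'context lacks user:role:type fields: {ctx!r}')
        entries.append(FcEntry(regex, ftype, ctx, parts[1]))
    return entries


def non_object_r_entries(entries: List[FcEntry]) -> List[FcEntry]:
    """Return entries whose context names a role other than object_r."""
    return [e for e in entries if e.role is not None and e.role != 'object_r']


# Constructed sample input; not a real distribution file_contexts file.
SAMPLE_FILE_CONTEXTS = r"""
# home directory entries (constructed)
/home/[^/]+(/.*)?          system_u:object_r:user_home_t:s0
/home/[^/]+/bin(/.*)?  --  system_u:object_r:home_bin_t:s0
/home/[^/]+/\.ssh(/.*)?    system_u:object_r:ssh_home_t:s0
/home/[^/]+/admin(/.*)? -d system_u:sysadm_r:user_home_t:s0
/var/run/example\.sock -s  <<none>>
"""


def audit(text: str) -> List[str]:
    """Return one human-readable line per entry that does not use object_r."""
    return [f'{e.regex} ({e.ftype or "any"}): role {e.role}'
            for e in non_object_r_entries(parse_file_contexts(text))]


if __name__ == '__main__':
    for line in audit(SAMPLE_FILE_CONTEXTS):
        print(line)
```

Running the script prints the single admin-directory entry, because it is the only one whose context carries a role other than object_r; the "<<none>>" entry is kept as an explicit no-label marker rather than treated as an error.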