Re: question about semanage fcontext and awareness of file_contexts.local file

On 08/24/2015 11:15 AM, Stephen Smalley wrote:
> On 08/17/2015 07:42 PM, Bond Masuda wrote:
>> We want to add some custom file contexts for certain directories, in
>> particular we have /audit as a separate partition and run this:
>>
>> chroot /mnt/root semanage fcontext -a -t auditd_log_t "/audit(/.*)?"
>>
>> To make sure auditd works. This is run with chroot because the system
>> we're modifying is not running and mounted at /mnt/root. This creates
>> the file_contexts.local file with this content:
>>
>> # This file is auto-generated by libsemanage
>> # Do not edit directly.
>>
>> /audit(/.*)?    system_u:object_r:auditd_log_t:s0
>>
>> Later on, when we boot that system that was in /mnt/root, the
>> file_contexts.local remains the same. However, if I run semanage to add
>> another record, for example (this time, not in chroot):
>>
>> semanage fcontext -a -t httpd_sys_content_t "/data/www(/.*)?"
>>
>> It creates the content for httpd_sys_content_t in file_contexts.local,
>> but overwrites the previous entry for auditd_log_t.
>>
>> If I add the auditd_log_t entry once again, _both_ entries are now
>> present in file_contexts.local. So, it seems that the 1st time I run
>> semanage fcontext -a _while_ the system is running, it is not aware of
>> the content that was added when I ran semanage fcontext -a when the
>> system was offline and mounted in /mnt/root.
>>
>> Does semanage maintain state somewhere other than in the
>> file_contexts.local file? How can I make sure it is aware of the content
>> in file_contexts.local that was created by semanage when it was run in
>> chroot?
> This sounds like a bug to me.  What version of libsemanage and
> policycoreutils are you using, as this may be version-specific?
>
>

The versions are:

libsemanage-2.0.43-5.1.el6.x86_64
libsemanage-python-2.0.43-5.1.el6.x86_64
policycoreutils-2.0.83-24.el6.x86_64
policycoreutils-python-2.0.83-24.el6.x86_64

Thanks,
-Bond
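
A check for the overwrite described in this message, as an added example (not part of the original post and not libsemanage code): it compares the contents of file_contexts.local captured before and after a `semanage fcontext -a` run and reports local entries that disappeared or changed. The sample file bodies are constructed from the post (the httpd_sys_content_t context line is assumed), and `parse_local` and `lost_entries` are hypothetical names.

```python
import re

# Constructed sample: file_contexts.local as left by the offline (chroot) run.
BEFORE = """\
# This file is auto-generated by libsemanage
# Do not edit directly.

/audit(/.*)?    system_u:object_r:auditd_log_t:s0
"""

# Constructed sample: the file after the first online run, with the
# overwrite the post describes (context string is an assumption).
AFTER_OVERWRITE = """\
# This file is auto-generated by libsemanage
# Do not edit directly.

/data/www(/.*)?    system_u:object_r:httpd_sys_content_t:s0
"""

# Optional file-type field of a file_contexts entry: -b -c -d -p -l -s --
FILE_TYPE = re.compile(r"-[bcdpls-]")

def parse_local(text):
    """Return {(path_regex, file_type): context} for a file_contexts.local body."""
    entries = {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and the auto-generated header
        fields = line.split()
        if len(fields) == 2:
            spec, ftype, ctx = fields[0], "", fields[1]
        elif len(fields) == 3 and FILE_TYPE.fullmatch(fields[1]):
            spec, ftype, ctx = fields
        else:
            raise ValueError(f"line {n}: unrecognised entry: {raw!r}")
        entries[(spec, ftype)] = ctx
    return entries

def lost_entries(before, after):
    """Entries present before a semanage run that are missing or changed after it."""
    old, new = parse_local(before), parse_local(after)
    return sorted((spec, ftype, ctx) for (spec, ftype), ctx in old.items()
                  if new.get((spec, ftype)) != ctx)

if __name__ == "__main__":
    for spec, ftype, ctx in lost_entries(BEFORE, AFTER_OVERWRITE):
        print("lost local file context:", spec, ftype, ctx)
```

On a real system the two inputs would be the file read before and after the semanage call; any reported entry has to be re-added before relabeling.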

