Ian Pilcher <arequipeno@xxxxxxxxx> writes:

> # semanage fcontext -l | grep /run/acg
> /run/acg-httpd-reload all files system_u:object_r:acg_var_run_t:s0
>
> # ls -Z /run/acg-httpd-reload
> system_u:object_r:var_run_t:s0 /run/acg-httpd-reload
>
> # restorecon /run/acg-httpd-reload
>
> # ls -Z /run/acg-httpd-reload
> system_u:object_r:var_run_t:s0 /run/acg-httpd-reload
>
> What in the world am I doing wrong?
>
> (This rule is part of a policy module, and all of the other rules in the
> module work just fine.)
>

In Fedora there's an equal rule which substitutes /var/run for /run before a label is generated:

# semanage fcontext -l
...
SELinux Distribution fcontext Equivalence
/run = /var/run

i.e. you need to specify the fc rule using a /var/run/... SPEC, as a /run/... SPEC is overridden by the equal rule:

# echo '(filecon "/run/myrpmvarrunt" file (system_u object_r rpm_var_run_t ((s0) (s0))))' > myrpmvarrunt.cil
# semodule -i myrpmvarrunt.cil
# selabel_lookup -b file -k /run/myrpmvarrunt
Default context: system_u:object_r:var_run_t:s0

# echo '(filecon "/var/run/myrpmvarrunt" file (system_u object_r rpm_var_run_t ((s0) (s0))))' > myrpmvarrunt.cil
# semodule -i myrpmvarrunt.cil
# selabel_lookup -b file -k /run/myrpmvarrunt
Default context: system_u:object_r:rpm_var_run_t:s0
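As an added illustration, not part of the thread above, here is a small Python model of the lookup step the reply describes: the distribution equivalence rule rewrites the path being looked up before it is matched against the fcontext specs, so a spec written with a /run prefix is never consulted for a /run path. The equivalence list and spec tables are constructed from the paths in the thread; the matching rule (longest literal stem wins) is a simplification of how libselinux orders file_contexts entries, not the library's own code. The `shadowed_specs` lint is an added check a module author can run over their own specs before building.

```python
import re

# Constructed from the thread: the subs_dist equivalence "/run = /var/run",
# stored as (source prefix, replacement) as in file_contexts.subs_dist.
EQUIVALENCES = [("/run", "/var/run")]

# Constructed spec tables: (anchored regex as in file_contexts, context).
# SPECS_WRONG contains the module rule exactly as the question wrote it.
SPECS_WRONG = [
    (r"/run/acg-httpd-reload", "system_u:object_r:acg_var_run_t:s0"),
    (r"/var/run(/.*)?", "system_u:object_r:var_run_t:s0"),
]
# SPECS_RIGHT contains the same rule written against /var/run, as the reply advises.
SPECS_RIGHT = [
    (r"/var/run/acg-httpd-reload", "system_u:object_r:acg_var_run_t:s0"),
    (r"/var/run(/.*)?", "system_u:object_r:var_run_t:s0"),
]

_REGEX_META = set(".^$?*+|[](){}\\")


def _stem(regex):
    """Literal prefix of a spec, up to the first regex metacharacter."""
    for i, ch in enumerate(regex):
        if ch in _REGEX_META:
            return regex[:i]
    return regex


def substitute_key(path, equivalences):
    """Rewrite the lookup path the way the equivalence rule does: if the path
    equals a source prefix, or starts with it at a path-component boundary,
    replace that prefix with the destination. Only the key is rewritten;
    the specs themselves are left untouched."""
    for src, dst in equivalences:
        if path == src or path.startswith(src + "/"):
            return dst + path[len(src):]
    return path


def lookup(path, specs, equivalences):
    """Return the context for path, or None. The key is substituted first,
    then matched against every spec; among matches the spec with the longest
    literal stem wins (a simplified stand-in for file_contexts ordering)."""
    key = substitute_key(path, equivalences)
    best = None
    for regex, ctx in specs:
        if re.fullmatch(regex, key) is not None:
            if best is None or len(_stem(regex)) > len(_stem(best[0])):
                best = (regex, ctx)
    return best[1] if best else None


def shadowed_specs(specs, equivalences):
    """Lint for a policy module: list specs whose literal stem begins with an
    equivalence source. Such a spec can never match, because every lookup key
    is rewritten away from that prefix before matching. Each entry is
    (offending spec, suggested rewrite under the equivalence destination)."""
    shadowed = []
    for regex, _ctx in specs:
        stem = _stem(regex)
        for src, dst in equivalences:
            if stem == src or stem.startswith(src + "/"):
                shadowed.append((regex, dst + regex[len(src):]))
    return shadowed


if __name__ == "__main__":
    for name, specs in (("wrong", SPECS_WRONG), ("right", SPECS_RIGHT)):
        ctx = lookup("/run/acg-httpd-reload", specs, EQUIVALENCES)
        print(f"{name}: /run/acg-httpd-reload -> {ctx}")
        for spec, fix in shadowed_specs(specs, EQUIVALENCES):
            print(f"{name}: spec {spec!r} is shadowed; write it as {fix!r}")
```

Running the block reproduces the symptom from the question: with the /run spec the file resolves to the generic var_run_t, with the /var/run spec it resolves to acg_var_run_t, and the lint names the shadowed spec and its /var/run form.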