8:59 a.m.
Hello All,
Using 'semanage fcontext' two entries have been added into the file_context.local
file. The first entry sets '/var/me/logs/webServer(/.*)?' to httpd_log_t and the
second sets '/var/me/logs(/.*)?' to var_log_t. This can be seen below.
cat /etc/selinux/targeted/contexts/files/file_contexts.local
/var/me/logs/webServer(/.*)? system_u:object_r:httpd_log_t:s0
[snip]
/var/me/logs(/.*)? system_u:object_r:var_log_t:s0
How I must be misunderstanding what the order of precedence with respect to the lookups
is. I had thought that the most specific match would have been used, so given the config
above, I would expect the lookup below to yield httpd_log_t, and not var_log_t for
/var/me/logs/webServer/x.
UAT [root@test webServer]$ matchpathcon /var/me/logs/webServer/x
/var/me/logs/webServer/x system_u:object_r:var_log_t
If I were to manually re-order this file and place /var/me/logs above
/var/me/logs/webserver then I get the desired result. However this requires me to know the
order of all the entries up front, and if something less specific gets added later, it
would seem this would also take precedence as well.
What is the correct way to ensure that lookups work as I would expect, namely that
regardless of the order in which the rules are added, /var/me/logs/webserver ->
httpd_log_t and /var/me/logs -> var_log_t.
Many thanks, Will.
The information contained in this email is strictly confidential and for the use of the
addressee only, unless otherwise indicated. If you are not the intended recipient, please
do not read, copy, use or disclose to others this message or any attachment. Please also
notify the sender by replying to this email or by telephone (+44(020 7896 0011) and then
delete the email and any copies of it. Opinions, conclusion (etc) that do not relate to
the official business of this company shall be understood as neither given nor endorsed by
it. IG is a trading name of IG Markets Limited (a company registered in England and Wales,
company number 04008957) and IG Index Limited (a company registered in England and Wales,
company number 01190902). Registered address at Cannon Bridge House, 25 Dowgate Hill,
London EC4R 2YA. Both IG Markets Limited (register number 195355) and IG Index Limited
(register number 114059) are authorised and regulated by the Financial Conduct Authority.
9:45 a.m.
On 11/21/2014 09:59 AM, William Hargrove wrote:
Hello All,
Using ‘semanage fcontext’ two entries have been added into the
file_context.local file. The first entry sets
‘/var/me/logs/webServer(/.*)?’ to httpd_log_t and the second sets
‘/var/me/logs(/.*)?’ to var_log_t. This can be seen below.
cat /etc/selinux/targeted/contexts/files/file_contexts.local
/var/me/logs/webServer(/.*)? system_u:object_r:httpd_log_t:s0
[snip]
/var/me/logs(/.*)? system_u:object_r:var_log_t:s0
How I must be misunderstanding what the order of precedence with
respect to the lookups is. I had thought that the most specific match
would have been used, so given the config above, I would expect the
lookup below to yield httpd_log_t, and not var_log_t for
/var/me/logs/webServer/x.
UAT [root@test webServer]$ matchpathcon /var/me/logs/webServer/x
/var/me/logs/webServer/x system_u:object_r:var_log_t
If I were to manually re-order this file and place /var/me/logs above
/var/me/logs/webserver then I get the desired result. However this
requires me to know the order of all the entries up front, and if
something less specific gets added later, it would seem this would
also take precedence as well.
What is the correct way to ensure that lookups work as I would expect,
namely that regardless of the order in which the rules are added,
/var/me/logs/webserver -> httpd_log_t and /var/me/logs -> var_log_t.
The precedence operations do not apply to the local modifications, this
is a long outstanding bug. Local operations apply in order, with the
last one winning I believe. If you were to put these file context into a
module, then the
you would get what you expect.
Many thanks, Will.
The information contained in this email is strictly confidential and
for the use of the addressee only, unless otherwise indicated. If you
are not the intended recipient, please do not read, copy, use or
disclose to others this message or any attachment. Please also notify
the sender by replying to this email or by telephone (+44(020 7896
0011) and then delete the email and any copies of it. Opinions,
conclusion (etc) that do not relate to the official business of this
company shall be understood as neither given nor endorsed by it. IG is
a trading name of IG Markets Limited (a company registered in England
and Wales, company number 04008957) and IG Index Limited (a company
registered in England and Wales, company number 01190902). Registered
address at Cannon Bridge House, 25 Dowgate Hill, London EC4R 2YA. Both
IG Markets Limited (register number 195355) and IG Index Limited
(register number 114059) are authorised and regulated by the Financial
Conduct Authority.
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
3443
days inactive
3443
days old
selinux@lists.fedoraproject.org
1 comments
2 participants
participants (2)
-
Daniel J Walsh -
William Hargrove