Hello All,
Using 'semanage fcontext' two entries have been added into the file_contexts.local file. The first entry sets '/var/me/logs/webServer(/.*)?' to httpd_log_t and the second sets '/var/me/logs(/.*)?' to var_log_t. This can be seen below.
cat /etc/selinux/targeted/contexts/files/file_contexts.local
/var/me/logs/webServer(/.*)? system_u:object_r:httpd_log_t:s0
[snip]
/var/me/logs(/.*)? system_u:object_r:var_log_t:s0
I must be misunderstanding what the order of precedence with respect to the lookups is. I had thought that the most specific match would have been used, so given the config above, I would expect the lookup below to yield httpd_log_t, and not var_log_t for /var/me/logs/webServer/x.
UAT [root@test webServer]$ matchpathcon /var/me/logs/webServer/x
/var/me/logs/webServer/x system_u:object_r:var_log_t
If I were to manually re-order this file and place /var/me/logs above /var/me/logs/webserver then I get the desired result. However this requires me to know the order of all the entries up front, and if something less specific gets added later, it would seem this would also take precedence as well.
What is the correct way to ensure that lookups work as I would expect, namely that regardless of the order in which the rules are added, /var/me/logs/webserver -> httpd_log_t and /var/me/logs -> var_log_t.
Many thanks, Will.
The information contained in this email is strictly confidential and for the use of the addressee only, unless otherwise indicated. If you are not the intended recipient, please do not read, copy, use or disclose to others this message or any attachment. Please also notify the sender by replying to this email or by telephone (+44(020 7896 0011) and then delete the email and any copies of it. Opinions, conclusion (etc) that do not relate to the official business of this company shall be understood as neither given nor endorsed by it. IG is a trading name of IG Markets Limited (a company registered in England and Wales, company number 04008957) and IG Index Limited (a company registered in England and Wales, company number 01190902). Registered address at Cannon Bridge House, 25 Dowgate Hill, London EC4R 2YA. Both IG Markets Limited (register number 195355) and IG Index Limited (register number 114059) are authorised and regulated by the Financial Conduct Authority.
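The behaviour in the post, reproduced as an added example that is not part of the original message: a small awk model of a file_contexts-style lookup in which every entry is an anchored regex and the last matching line wins, set against the most-specific-match rule the poster expected. The file_contexts variants below are constructed from the two entries in the post (plus one even less specific entry to illustrate the "something less specific gets added later" worry); the functions are my own and model the lookup order only, not libselinux itself, so results on a real host should be confirmed with matchpathcon as in the thread.

```sh
#!/bin/sh
# Added example, not code from the thread: an awk model of the lookup order
# in which every file_contexts entry is an anchored regex and the LAST
# matching line wins. It models that rule only; it is not libselinux, so
# confirm real results with matchpathcon.

# Constructed copy of the two entries from the post, in the order they were added.
FC_AS_ADDED='/var/me/logs/webServer(/.*)?   system_u:object_r:httpd_log_t:s0
/var/me/logs(/.*)?             system_u:object_r:var_log_t:s0'

# The same two entries after the manual re-ordering the poster tried.
FC_REORDERED='/var/me/logs(/.*)?             system_u:object_r:var_log_t:s0
/var/me/logs/webServer(/.*)?   system_u:object_r:httpd_log_t:s0'

# The poster's worry: an even less specific entry appended later (constructed).
FC_LATER_ADDITION="$FC_AS_ADDED
/var(/.*)?                     system_u:object_r:var_t:s0"

# fc_lookup_last_match PATH FC_TEXT
# Prints the context of the last entry whose anchored regex matches PATH,
# or nothing if no entry matches.
fc_lookup_last_match() {
    printf '%s\n' "$2" | awk -v path="$1" '
        NF >= 2 && $1 !~ /^#/ && path ~ ("^" $1 "$") { ctx = $2 }
        END { if (ctx != "") print ctx }'
}

# fc_lookup_most_specific PATH FC_TEXT
# The rule the poster expected: among matching entries, the one with the
# longest literal prefix (text before the first regex metacharacter) wins,
# wherever it sits in the file; ties go to the later entry.
fc_lookup_most_specific() {
    printf '%s\n' "$2" | awk -v path="$1" '
        NF >= 2 && $1 !~ /^#/ && path ~ ("^" $1 "$") {
            n = match($1, /[][(){}.^$?*+|]/)
            stem = (n == 0) ? length($1) : n - 1
            if (stem >= best) { best = stem; ctx = $2 }
        }
        END { if (ctx != "") print ctx }'
}

# report LABEL PATH FC_TEXT: both rules side by side for one path.
report() {
    printf '%-15s %-26s last-match=%-34s most-specific=%s\n' "$1" "$2" \
        "$(fc_lookup_last_match "$2" "$3")" "$(fc_lookup_most_specific "$2" "$3")"
}

report as-added       /var/me/logs/webServer/x "$FC_AS_ADDED"
report reordered      /var/me/logs/webServer/x "$FC_REORDERED"
report later-addition /var/me/logs/webServer/x "$FC_LATER_ADDITION"
report as-added       /var/me/logs/other       "$FC_AS_ADDED"
```

Run it with `sh`. Under the last-match rule the as-added file yields var_log_t for /var/me/logs/webServer/x (the matchpathcon result in the post), the re-ordered file yields httpd_log_t, and a later `/var(/.*)?` entry shadows both; under the most-specific rule the webServer entry wins in every variant, which is the behaviour the poster was expecting.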
On 11/21/2014 09:59 AM, William Hargrove wrote:
The precedence operations do not apply to the local modifications, this is a long outstanding bug. Local operations apply in order, with the last one winning I believe. If you were to put these file contexts into a module, then you would get what you expect.
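The fix the reply suggests, as an added example that is not code from the thread or from the SELinux project: package the two file-context entries as a small policy module instead of leaving them in file_contexts.local. The module name "melogs" and the work directory are my own choices (assumptions); the build uses the refpolicy devel Makefile shipped by selinux-policy-devel on Fedora/RHEL. Because file_contexts.local is still consulted after the policy's own file_contexts, the two local entries are deleted once the module is loaded so they cannot keep shadowing it.

```sh
#!/bin/sh
# Added example, not code from the thread or the SELinux project: the two
# file-context entries as a policy module (the reply's suggestion).
# Module name "melogs" and the work directory are assumptions.
set -e

MOD=melogs

# write_module_sources DIR
# Emit the .te and .fc files the refpolicy devel Makefile expects. Both
# types already exist in the targeted policy, so the .te only declares the
# module and requires them.
write_module_sources() {
    mkdir -p "$1"
    cat > "$1/$MOD.te" <<'EOF'
policy_module(melogs, 1.0)

require {
    type httpd_log_t;
    type var_log_t;
}
EOF
    cat > "$1/$MOD.fc" <<'EOF'
/var/me/logs(/.*)?              gen_context(system_u:object_r:var_log_t,s0)
/var/me/logs/webServer(/.*)?    gen_context(system_u:object_r:httpd_log_t,s0)
EOF
}

# build_and_install DIR
# Compile and load the module, remove the two local entries so they no
# longer shadow it, then relabel the tree. Must run as root on the host.
build_and_install() {
    (cd "$1" && make -f /usr/share/selinux/devel/Makefile "$MOD.pp")
    semodule -i "$1/$MOD.pp"
    semanage fcontext -d '/var/me/logs/webServer(/.*)?' || true
    semanage fcontext -d '/var/me/logs(/.*)?' || true
    restorecon -Rv /var/me/logs
}

# verify: the two lookups the poster wanted, checked with the same tool as
# in the thread.
verify() {
    matchpathcon /var/me/logs/webServer/x   # want httpd_log_t
    matchpathcon /var/me/logs/other         # want var_log_t
}

case "${1:-}" in
    sources) write_module_sources "${2:-./melogs-policy}" ;;
    install) write_module_sources "${2:-./melogs-policy}"
             build_and_install "${2:-./melogs-policy}"
             verify ;;
esac
```

`sh melogs.sh sources` only writes the two source files for inspection; `sh melogs.sh install` builds, loads, cleans up the local entries and relabels, and needs root plus the selinux-policy-devel and policycoreutils-python (semanage) packages on the target host.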
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux