Greetings,
I have a custom policy that has a label for a directory and all its contents, except for one specific sub-directory that uses a more specific type. When a file is created in that sub-directory, it gets the general label instead of the specific one.
It looks wrong, and at least restorecon seems to agree because it will happily relabel the offending file, meeting my expectations. I must be doing something wrong, probably missing something, but I have no idea what.
Or could it be a bug? The kernel module could be evaluating rules in a different order, hence the discrepancy at file creation time. In my policy file contexts are sorted from least to most specific.
Anyway, I can't share that, so I made a minimal reproducer:
https://github.com/dridi/selinux-lostlabel
Any help appreciated, I tried really hard to understand what is going on, to no avail. The only similar search result was wrong labels in home directories showing up in several places but I couldn't find my nugget there.
I initially sent an email and it's not showing up in the archive, so instead I subscribed to the list and started a new thread using the Hyperkitty interface. Apologies in advance if you receive it twice.
Thanks, Dridi
On Thu, May 25, 2023 at 2:16 PM Dridi Boukelmoune <dridi.boukelmoune@gmail.com> wrote:
> Greetings,
> I have a custom policy that has a label for a directory and all its contents, except for one specific sub-directory that uses a more specific type. When a file is created in that sub-directory, it gets the general label instead of the specific one.
> It looks wrong, and at least restorecon seems to agree because it will happily relabel the offending file, meeting my expectations. I must be doing something wrong, probably missing something, but I have no idea what.
> Or could it be a bug? The kernel module could be evaluating rules in a different order, hence the discrepancy at file creation time. In my policy file contexts are sorted from least to most specific.
> Anyway, I can't share that, so I made a minimal reproducer:
> https://github.com/dridi/selinux-lostlabel
> Any help appreciated, I tried really hard to understand what is going on, to no avail. The only similar search result was wrong labels in home directories showing up in several places but I couldn't find my nugget there.
> I initially sent an email and it's not showing up in the archive, so instead I subscribed to the list and started a new thread using the Hyperkitty interface. Apologies in advance if you receive it twice.
Hi,
Not sure if I understand properly, but I believe what you need is a file transition, defined for the domain which is to create the directory with a different type; otherwise inheritance applies. The file context database is only a static database for use by commands like restorecon or matchpathcon.
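To make the distinction in the reply concrete, here is an added example (not from the thread or from the reproducer repository linked above; the module, domain, type names and paths are all hypothetical). It shows a reference-policy style .te file and its .fc file in one block, separated by comments: the type_transition rule is what the kernel consults when the confined domain creates the sub-directory, while the .fc entries are only read by the static tools. It assumes the policy development files (policy_module, files_type, manage_*_pattern macros) are installed and a policy version that supports named file transitions.

```selinux
# lostlabel.te  (constructed example; module, domain and type names are hypothetical)
policy_module(lostlabel, 1.0.0)

# Domain of the service that creates files under /var/lib/lostlabel at runtime.
type lostlabel_t;
# General type for the whole tree, and the more specific type for one sub-directory.
type lostlabel_data_t;
files_type(lostlabel_data_t)
type lostlabel_secret_t;
files_type(lostlabel_secret_t)

# Ordinary access: the domain may manage directories and files of both types.
manage_dirs_pattern(lostlabel_t, lostlabel_data_t, lostlabel_data_t)
manage_files_pattern(lostlabel_t, lostlabel_data_t, lostlabel_data_t)
manage_dirs_pattern(lostlabel_t, lostlabel_secret_t, lostlabel_secret_t)
manage_files_pattern(lostlabel_t, lostlabel_secret_t, lostlabel_secret_t)

# Runtime labelling: a directory named "secret" created by lostlabel_t inside a
# lostlabel_data_t directory is labelled lostlabel_secret_t instead of inheriting
# the parent's type. Files the domain then creates inside it inherit lostlabel_secret_t.
type_transition lostlabel_t lostlabel_data_t:dir lostlabel_secret_t "secret";

# lostlabel.fc  (ordered least to most specific, as in the thread)
# Only consulted by the static tools (setfiles, restorecon, matchpathcon),
# never by the kernel at file creation time.
/var/lib/lostlabel(/.*)?          gen_context(system_u:object_r:lostlabel_data_t,s0)
/var/lib/lostlabel/secret(/.*)?   gen_context(system_u:object_r:lostlabel_secret_t,s0)

# Checks (as root, on a host with the policy development files installed):
#   make -f /usr/share/selinux/devel/Makefile lostlabel.pp && semodule -i lostlabel.pp
#   sesearch -T -s lostlabel_t -t lostlabel_data_t     # lists the transition rule
#   matchpathcon /var/lib/lostlabel/secret/x           # label the static database would assign
#   restorecon -nv /var/lib/lostlabel                  # dry run: reports any mismatching file
```

The transition only fires for the domain named in the rule. If the sub-directory is created by some other domain (an administrator's shell, a deployment script), no transition applies and the directory inherits lostlabel_data_t, which is exactly the mismatch restorecon -nv would report; in that case either add a transition for that domain too or relabel after creation.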
> Hi,
> Not sure if I understand properly, but I believe what you need is a file transition, defined for the domain which is to create the directory with a different type, otherwise inheritance applies. File context database is only a static database for use by commands like restorecon or matchpathcon.
So my first hypothesis was correct, I was missing something. I already have some in my policy, I will review them and see what may be missing.
Thanks, Dridi
selinux@lists.fedoraproject.org