Ordering of file context choices?

Robin Lee Powell rlpowell at digitalkingdom.org
Tue Sep 6 17:10:33 UTC 2011 

On Tue, Sep 06, 2011 at 10:13:37AM -0400, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 09/04/2011 10:49 PM, Robin Lee Powell wrote:
> > I have a custom module installed that is supposed to set file 
> > contexts for some stuff in a user's homedir (the CGI application I 
> > mentioned in my last email, that I want the user to be able to 
> > administer):
> > 
> > /etc/selinux/targeted/modules/active/file_contexts.template 
> > 1953:/home/melbi/bpfk_corpus(/.*)?
> > system_u:object_r:lojban_corpus_t:s0 
> > 2179:/home/melbi/public_html/cgi-bin/corpus.cgi
> > system_u:object_r:lojban_corpus_t:s0
> > 
> > /etc/selinux/targeted/modules/active/file_contexts 
> > 1883:/home/melbi/bpfk_corpus(/.*)?
> > system_u:object_r:lojban_corpus_t:s0 
> > 2101:/home/melbi/public_html/cgi-bin/corpus.cgi
> > system_u:object_r:lojban_corpus_t:s0
> > 
> > /etc/selinux/targeted/contexts/files/file_contexts 
> > 1883:/home/melbi/bpfk_corpus(/.*)?
> > system_u:object_r:lojban_corpus_t:s0 
> > 2101:/home/melbi/public_html/cgi-bin/corpus.cgi
> > system_u:object_r:lojban_corpus_t:s0
> > 
> > This doesn't appear to actually *work*; as far as I can tell the 
> > contexts for the home directory itself are winning:
> > 
> > rlpowell at vrici> ls -lZ ~melbi/bpfk_corpus
> >  drwxrwxrwx. melbi  melbi  user_u:object_r:user_home_t:s0   files/ 
> > -rw-r--r--. melbi  melbi  user_u:object_r:user_home_t:s0
> > selmaho.txt drwxrwxrwx. melbi  melbi
> > user_u:object_r:user_home_t:s0   tmp/ -rw-r--r--. apache apache
> > user_u:object_r:user_home_t:s0   urls.db -rw-rw-rw-. melbi  melbi
> > user_u:object_r:user_home_t:s0   urls.not.db
> > 
> > (that's after a restorecon)
> > 
> > Can I do anything to change that?
> > 
> > -Robin
> > 
> 
> 
> HOMEDIR takes precedence over modules policy.
> 
> Try
> 
> HOME_DIR/bpfk_corpus(/.*)?
> gen_context(system_u:object_r:lojban_corpus_t,s0)

Which will affect everybody, which is kind of icky.  Better than
nothing, I guess.  Thanks.

-Robin

-- 
http://singinst.org/ :  Our last, best hope for a fantastic future.
Lojban (http://www.lojban.org/): The language in which "this parrot
is dead" is "ti poi spitaki cu morsi", but "this sentence is false"
is "na nei".   My personal page: http://www.digitalkingdom.org/rlp/

More information about the selinux mailing list