Ordering of file context choices?

Daniel J Walsh dwalsh at redhat.com
Tue Sep 6 17:41:27 UTC 2011 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/06/2011 01:10 PM, Robin Lee Powell wrote:
> On Tue, Sep 06, 2011 at 10:13:37AM -0400, Daniel J Walsh wrote:
>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>> 
>> On 09/04/2011 10:49 PM, Robin Lee Powell wrote:
>>> I have a custom module installed that is supposed to set file 
>>> contexts for some stuff in a user's homedir (the CGI
>>> application I mentioned in my last email, that I want the user
>>> to be able to administer):
>>> 
>>> /etc/selinux/targeted/modules/active/file_contexts.template 
>>> 1953:/home/melbi/bpfk_corpus(/.*)? 
>>> system_u:object_r:lojban_corpus_t:s0 
>>> 2179:/home/melbi/public_html/cgi-bin/corpus.cgi 
>>> system_u:object_r:lojban_corpus_t:s0
>>> 
>>> /etc/selinux/targeted/modules/active/file_contexts 
>>> 1883:/home/melbi/bpfk_corpus(/.*)? 
>>> system_u:object_r:lojban_corpus_t:s0 
>>> 2101:/home/melbi/public_html/cgi-bin/corpus.cgi 
>>> system_u:object_r:lojban_corpus_t:s0
>>> 
>>> /etc/selinux/targeted/contexts/files/file_contexts 
>>> 1883:/home/melbi/bpfk_corpus(/.*)? 
>>> system_u:object_r:lojban_corpus_t:s0 
>>> 2101:/home/melbi/public_html/cgi-bin/corpus.cgi 
>>> system_u:object_r:lojban_corpus_t:s0
>>> 
>>> This doesn't appear to actually *work*; as far as I can tell
>>> the contexts for the home directory itself are winning:
>>> 
>>> rlpowell at vrici> ls -lZ ~melbi/bpfk_corpus drwxrwxrwx. melbi
>>> melbi  user_u:object_r:user_home_t:s0   files/ -rw-r--r--.
>>> melbi  melbi  user_u:object_r:user_home_t:s0 selmaho.txt
>>> drwxrwxrwx. melbi  melbi user_u:object_r:user_home_t:s0   tmp/
>>> -rw-r--r--. apache apache user_u:object_r:user_home_t:s0
>>> urls.db -rw-rw-rw-. melbi  melbi user_u:object_r:user_home_t:s0
>>> urls.not.db
>>> 
>>> (that's after a restorecon)
>>> 
>>> Can I do anything to change that?
>>> 
>>> -Robin
>>> 
>> 
>> 
>> HOMEDIR takes precedence over modules policy.
>> 
>> Try
>> 
>> HOME_DIR/bpfk_corpus(/.*)? 
>> gen_context(system_u:object_r:lojban_corpus_t,s0)
> 
> Which will affect everybody, which is kind of icky.  Better than 
> nothing, I guess.  Thanks.
> 
> -Robin
> 

I am going to write a blog on this.

Your other option is to use semanage rather then a module.  Search
order on matching is

semanage fcontext
MODULECONTAINING HOMEDIR
MODULE containing file context.



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk5mW0cACgkQrlYvE4MpobNwXACeIGp7XkqrjFDPkVOtTJBl7h7i
31gAoJKJtwIEBnVPNOJ/gFUAAo5FjT/+
=5T0A
-----END PGP SIGNATURE-----

More information about the selinux mailing list