[selinux] Re: Ordering of file context choices?

Daniel J Walsh dwalsh at redhat.com
Tue Sep 6 17:53:41 UTC 2011



On 09/06/2011 01:44 PM, Robin Lee Powell wrote:
> On Tue, Sep 06, 2011 at 01:41:27PM -0400, Daniel J Walsh wrote:
>> 
>> I am going to write a blog on this.
> 
> Oh that would be lovely!
> 
>> Your other option is to use semanage rather than a module.
>> Search order on matching is
>> 
>> semanage fcontext MODULECONTAINING HOMEDIR MODULE containing file
>> context.
> 
> The problem there is that semanage has no concept of "I want this
> to go here in the ordering"; it's last-come-first-served, which
> makes it really hard to deal with from Puppet, which is how I roll.
> If there was a way to say "insert this fcontext before this other
> one", that would fix it, but I don't see a way to do that.
> 
> The nice thing about having it in a module is that I can specify
> the order.
> 
> I suppose I could put things in 
> /etc/selinux/targeted/contexts/files/file_contexts.local
> directly?, to handle the ordering, but it says not to.
> 
> -Robin
> 

As long as this is between you and me :^).

You could put your changes in
/etc/selinux/targeted/modules/active/file_contexts.local

and

/etc/selinux/targeted/contexts/files/file_contexts.local

Then you would be fine and a selinux-policy update would not destroy
your local changes.

