priority between file context rules
Daniel J Walsh
dwalsh at redhat.com
Mon Nov 18 16:11:38 UTC 2013
On 11/18/2013 09:35 AM, Vidalie Hervé wrote:
> This will unfortunately put an unwanted type on some subdirectories (for
> example on /WEBS/client/service/conf) and won't set the type
> httpd_sys_content_t on my untyped files.
>
> -----Original Message-----
> From: Dominick Grift [mailto:dominick.grift at gmail.com]
> Sent: Monday, 18 November 2013 15:28
> To: Vidalie Hervé
> Cc: selinux at lists.fedoraproject.org
> Subject: Re: priority between file context rules
>
>
> On Mon, 2013-11-18 at 15:22 +0100, Vidalie Hervé wrote:
>
>> I would like to set a default type on /WEBS and its subfolders:
>>
>> semanage fcontext -a -t httpd_sys_content_t '/WEBS(/.*)?'
>> restorecon -Rv /WEBS*
>>
>> However, this command sets the type httpd_sys_content_t recursively on
>> everything in /WEBS. What is the priority between file context rules? I
>> thought more precise rules would prevail over others.
>
> I can't answer your last question since I was under the same impression
> but:
>
> You can use:
>
> semanage fcontext -m -t httpd_sys_content_t -f -d '/WEBS(/.*)?'
>
> To modify the spec to make it apply to directories only (note the -f -d)
>
Local changes will win. Which is what you are seeing. I think there is an
open bug on last change winning, when adding file context. So you want to add
your general change first.
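
A simplified model of the ordering behaviour discussed in this thread, as an added example that is not part of the original messages and is not libselinux's code. It assumes the last matching local rule wins; the `httpd_config_t` rule for `conf` is a hypothetical specific rule, since the thread does not name one, and the sample tree is constructed.

```python
import re

# Each rule: (anchored regex, file-type flag or None for "all files", type).
# List order is the order the rules were added with `semanage fcontext -a`.
GENERAL = (r"/WEBS(/.*)?", None, "httpd_sys_content_t")
# Hypothetical specific rule (assumption): the thread names no type for conf.
SPECIFIC = (r"/WEBS/[^/]+/[^/]+/conf(/.*)?", None, "httpd_config_t")
# The directories-only variant suggested in the thread (-f -d).
GENERAL_DIRS_ONLY = (r"/WEBS(/.*)?", "-d", "httpd_sys_content_t")

# Constructed sample tree: (path, is_directory)
TREE = [
    ("/WEBS", True),
    ("/WEBS/client/service/conf", True),
    ("/WEBS/client/service/conf/httpd.conf", False),
    ("/WEBS/client/service/htdocs/index.html", False),
]


def resolve(rules, path, is_dir):
    """Return the type of the LAST added rule that matches, or None."""
    for regex, ftype, setype in reversed(rules):
        if ftype == "-d" and not is_dir:
            continue  # directory-only spec does not apply to regular files
        if re.fullmatch(regex, path):
            return setype
    return None  # no local rule matches: the path keeps whatever it had


def label_tree(rules, tree=TREE):
    """Map every path in the tree to the type the rule list would assign."""
    return {path: resolve(rules, path, is_dir) for path, is_dir in tree}


if __name__ == "__main__":
    scenarios = [
        ("general rule added first", [GENERAL, SPECIFIC]),
        ("general rule added last", [SPECIFIC, GENERAL]),
        ("dirs-only general rule added last", [SPECIFIC, GENERAL_DIRS_ONLY]),
    ]
    for name, rules in scenarios:
        print(name)
        for path, setype in label_tree(rules).items():
            print(f"  {path:42} {setype}")
```

On a real system, `matchpathcon /WEBS/client/service/conf` reports which context the loaded rules resolve to before `restorecon` is run.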