priority between file context rules

Daniel J Walsh dwalsh at redhat.com
Mon Nov 18 16:11:38 UTC 2013


On 11/18/2013 09:35 AM, Vidalie Hervé wrote:
> This will unfortunately put an unwanted type on some subdirectories (for
> example on /WEBS/client/service/conf) and won't set the type
> httpd_sys_content_t on my untyped files.
> 
> -----Original Message-----
> From: Dominick Grift [mailto:dominick.grift at gmail.com]
> Sent: Monday 18 November 2013 15:28
> To: Vidalie Hervé
> Cc: selinux at lists.fedoraproject.org
> Subject: Re: priority between file context rules
> 
> 
> On Mon, 2013-11-18 at 15:22 +0100, Vidalie Hervé wrote:
> 
>> I would like to set a default type on /WEBS and its subfolders:
>>
>> semanage fcontext -a -t httpd_sys_content_t '/WEBS(/.*)?'
>> restorecon -Rv /WEBS*
>>
>> However, this command sets the type httpd_sys_content_t recursively on
>> everything in /WEBS. What is the priority between file context rules? I
>> thought more precise rules would prevail over others.
> 
> I can't answer your last question since I was under the same impression,
> but:
> 
> You can use:
> 
> semanage fcontext -m -t httpd_sys_content_t -f -d '/WEBS(/.*)?'
> 
> To modify the spec to make it apply to directories only (note the -f -d)
> 
> 
Local changes will win.  Which is what you are seeing.  I think there is an
open bug on last change winning, when adding file context.  So you want to add
your general change first.


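A simplified model of the precedence described in this reply, added here as an illustration (it is not code from the thread or from libselinux): local rules are tried most recently added first, so a general rule added last shadows the specific ones. The `httpd_config_t` rule for the `conf` directory and the sample tree are assumptions made for the example.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

class Rule(NamedTuple):
    regex: str            # path regex as given to `semanage fcontext`
    ftype: Optional[str]  # None = any file type, "d" = directories, "f" = regular files
    setype: str

def lookup(local_rules: List[Rule], path: str, ftype: str) -> Optional[str]:
    """Model only: the most recently added matching local rule wins."""
    for rule in reversed(local_rules):
        if rule.ftype is not None and rule.ftype != ftype:
            continue  # rule is restricted to another file type
        if re.fullmatch(rule.regex, path):  # a spec must match the whole path
            return rule.setype
    return None  # no local rule matched; the base policy rules would decide

def label_tree(local_rules: List[Rule],
               entries: List[Tuple[str, str]]) -> Dict[str, Optional[str]]:
    """Resolve every (path, file type) entry against the local rules."""
    return {path: lookup(local_rules, path, ftype) for path, ftype in entries}

# Constructed sample tree: (path, file type).
TREE = [
    ("/WEBS", "d"),
    ("/WEBS/client/index.html", "f"),
    ("/WEBS/client/service/conf", "d"),
    ("/WEBS/client/service/conf/site.conf", "f"),
]

GENERAL = Rule(r"/WEBS(/.*)?", None, "httpd_sys_content_t")
# Assumed specific rule; the thread does not say which type conf should get.
SPECIFIC = Rule(r"/WEBS/client/service/conf(/.*)?", None, "httpd_config_t")
# The directories-only variant suggested with `-f -d`.
DIRS_ONLY = Rule(r"/WEBS(/.*)?", "d", "httpd_sys_content_t")

if __name__ == "__main__":
    orders = {
        "general rule added first": [GENERAL, SPECIFIC],
        "general rule added last": [SPECIFIC, GENERAL],
        "directories-only general rule": [DIRS_ONLY],
    }
    for name, rules in orders.items():
        print(name)
        for path, setype in label_tree(rules, TREE).items():
            print(f"  {path:40} {setype}")
```

The directories-only case returns no local match for regular files, which is the effect described in the first quoted message of the thread.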

