Precedence of lookups from /etc/selinux/targeted/contexts/files/file_contexts.local

William Hargrove William.Hargrove at ig.com
Fri Nov 21 14:59:15 UTC 2014


Hello All,

Using 'semanage fcontext', two entries have been added to the file_contexts.local file. The first entry sets '/var/me/logs/webServer(/.*)?' to httpd_log_t and the second sets '/var/me/logs(/.*)?' to var_log_t. This can be seen below.

cat /etc/selinux/targeted/contexts/files/file_contexts.local

/var/me/logs/webServer(/.*)?    system_u:object_r:httpd_log_t:s0
[snip]
/var/me/logs(/.*)?    system_u:object_r:var_log_t:s0

I must be misunderstanding the order of precedence with respect to the lookups. I had thought that the most specific match would have been used, so given the config above, I would expect the lookup below to yield httpd_log_t, and not var_log_t, for /var/me/logs/webServer/x.

UAT [root at test webServer]$ matchpathcon /var/me/logs/webServer/x
/var/me/logs/webServer/x        system_u:object_r:var_log_t

If I were to manually re-order this file and place /var/me/logs above /var/me/logs/webserver then I get the desired result. However, this requires me to know the order of all the entries up front, and if something less specific gets added later, it would seem this would also take precedence.

What is the correct way to ensure that lookups work as I would expect, namely that regardless of the order in which the rules are added, /var/me/logs/webserver -> httpd_log_t and /var/me/logs -> var_log_t?

Many thanks, Will.
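The behaviour the post observes is that, when two entries in file_contexts.local both match a path, the entry listed later is the one applied, so the more specific httpd_log_t rule is shadowed by the var_log_t rule that follows it. The script below is an added example written for this page, not code from the poster or from libselinux: it models that observed last-match-wins lookup over the two entries quoted above, flags entries that are shadowed by a later, less specific one, and applies the reordering the poster describes (most specific stem last). The sample file content is constructed from the post; the specificity measure (length of the literal prefix before the first regex metacharacter) is an assumption of this model, not a description of how libselinux orders its specs.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample in the file_contexts.local format, using the two entries
# quoted in the post above (the "[snip]" marker there is not part of the format).
SAMPLE_FILE_CONTEXTS_LOCAL = """\
/var/me/logs/webServer(/.*)?    system_u:object_r:httpd_log_t:s0
/var/me/logs(/.*)?    system_u:object_r:var_log_t:s0
"""


class Spec(NamedTuple):
    lineno: int      # 1-based line in the file, for reporting
    regex: str       # path regular expression, matched against the whole path
    context: str     # user:role:type[:range]


def parse_file_contexts(text: str) -> List[Spec]:
    """Parse lines of the form '<regex> [<file type>] <context>'; blank lines and
    '#' comments are skipped. The optional file-type field (e.g. '-d') is ignored here."""
    specs: List[Spec] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            regex, _ftype, context = fields
        elif len(fields) == 2:
            regex, context = fields
        else:
            raise ValueError(f"line {lineno}: expected 2 or 3 fields, got {len(fields)}")
        specs.append(Spec(lineno, regex, context))
    return specs


def stem(regex: str) -> str:
    """Literal path prefix before the first regex metacharacter. Its length is the
    (assumed) specificity measure used by this model."""
    m = re.search(r"[.^$?*+()\[\]{}|\\]", regex)
    return regex if m is None else regex[: m.start()]


def matching_specs(specs: List[Spec], path: str) -> List[Spec]:
    return [s for s in specs if re.fullmatch(s.regex, path) is not None]


def lookup_last_match(specs: List[Spec], path: str) -> Optional[Spec]:
    """Model of what the post observes: of all matching entries in
    file_contexts.local, the one listed last is the one applied."""
    hits = matching_specs(specs, path)
    return hits[-1] if hits else None


def context_type(context: str) -> str:
    return context.split(":")[2]


def find_shadowed(specs: List[Spec], probe_paths: List[str]) -> List[dict]:
    """Report probe paths where the applied (last) entry is less specific than
    another matching entry, i.e. a more specific rule is being shadowed."""
    findings = []
    for path in probe_paths:
        hits = matching_specs(specs, path)
        if len(hits) < 2:
            continue
        applied = hits[-1]
        most_specific = max(hits, key=lambda s: len(stem(s.regex)))
        if most_specific is not applied:
            findings.append({"path": path, "applied": applied, "shadowed": most_specific})
    return findings


def reorder_by_specificity(specs: List[Spec]) -> List[Spec]:
    """The poster's manual fix, generalised: list entries so that the most
    specific stem comes last, which is what last-match-wins needs."""
    return sorted(specs, key=lambda s: len(stem(s.regex)))


if __name__ == "__main__":
    specs = parse_file_contexts(SAMPLE_FILE_CONTEXTS_LOCAL)
    path = "/var/me/logs/webServer/x"
    print(path, "->", context_type(lookup_last_match(specs, path).context))
    for f in find_shadowed(specs, [path]):
        print(f"line {f['shadowed'].lineno} is shadowed by line {f['applied'].lineno} for {f['path']}")
    fixed = reorder_by_specificity(specs)
    print(path, "->", context_type(lookup_last_match(fixed, path).context))
```

Run against the two entries as written, the lookup for /var/me/logs/webServer/x yields var_log_t and the shadow check reports line 1 as shadowed by line 2, matching the matchpathcon output in the post; after reordering, the same lookup yields httpd_log_t and nothing is shadowed. To audit a real file, feed its contents to parse_file_contexts and probe with the paths you care about.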

