Overriding default file contexts?

Stephen Smalley sds at tycho.nsa.gov
Mon Apr 3 15:28:49 UTC 2006

On Mon, 2006-04-03 at 10:11 -0500, Ian Pilcher wrote:
> So 'semanage fcontext ...' is simply an interface to modify the policy
> contexts/files/file_contexts?  This is going to result in an rpmnew
> file whenever the policy is updated, right?

No.  That file is no longer provided by the policy package directly; it
is generated by libsemanage each time upon updates, and even policy
updates go through libsemanage now.  libsemanage merges local additions
(stored separately in the file_contexts.local file in the
modules/active/ subdirectory) with the policy-provided file into the
final file before installing it.

> It's just my opinion, but I think it would be very convenient for system
> administrators and packagers to have a simple mechanism to override the
> policy for specific files.

Yes, that's what semanage fcontext -a is for.  Or under FC4, you could
manually create and edit a
/etc/selinux/targeted/contexts/file/file_contexts.local file.

Stephen Smalley
National Security Agency
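
The merge described in the message above, as an added example that is not part of the original post and not libsemanage code: a simplified Python model in which the local additions are appended after the policy-provided entries and the last matching entry wins on lookup. The sample entries, the function names (`parse`, `merge`, `lookup`) and the last-match-wins rule as modelled here are assumptions of this sketch.

```python
import re

# Constructed sample entries in file_contexts syntax: regex [-type] context
POLICY_FC = """\
# policy-provided entries (constructed sample)
/srv(/.*)?        system_u:object_r:var_t:s0
/var/www(/.*)?    system_u:object_r:httpd_sys_content_t:s0
"""
LOCAL_FC = """\
# file_contexts.local, as written by 'semanage fcontext -a' (constructed sample)
/srv/www(/.*)?    system_u:object_r:httpd_sys_content_t:s0
/srv/www/logs     -d    system_u:object_r:httpd_log_t:s0
"""


def parse(text):
    """Parse file_contexts text into (compiled_regex, ftype_or_None, context) tuples."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue  # skip blank lines and comments
        if len(fields) == 2:
            pattern, ftype, context = fields[0], None, fields[1]
        elif len(fields) == 3:
            pattern, ftype, context = fields
        else:
            raise ValueError(f"malformed entry: {line!r}")
        entries.append((re.compile(pattern), ftype, context))
    return entries


def merge(policy_text, local_text):
    """Model of the merge: policy entries first, local additions appended last."""
    return parse(policy_text) + parse(local_text)


def lookup(entries, path, ftype=None):
    """Return the context of the last matching entry; typed entries need a matching ftype."""
    for regex, entry_type, context in reversed(entries):
        if regex.fullmatch(path) and entry_type in (None, ftype):
            return context
    return None


if __name__ == "__main__":
    final = merge(POLICY_FC, LOCAL_FC)
    for path, ftype in [("/srv/www/index.html", "--"), ("/srv/www/logs", "-d")]:
        print(path, lookup(parse(POLICY_FC), path, ftype), "->", lookup(final, path, ftype))
```

Because the local entries live in their own file and are re-merged on every rebuild, a policy update replaces only the policy-provided half and the override survives.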

