File contexts again

Paul Howarth paul at city-fan.org
Wed May 31 16:50:08 UTC 2006


Christopher Ashworth wrote:
> On Wed, 2006-05-31 at 17:00 +0100, Paul Howarth wrote:
>>> When matching file contexts, the file_contexts.homedirs contexts are
>>> appended to the main file_contexts contexts, so they have priority.
>> Is there some reason why "semanage fcontext -l" does not include these?
> 
> Hmmm...I don't know off the top of my head--it certainly doesn't sound
> like desirable behavior.  Anyone who's been around longer than me know
> if this is desired or a bug?  I'll look to see where the homedirs are
> omitted during the listing by libsemanage.

Thanks.

>>> The contexts for user user_u include:
>>>
>>> /home/[^/]*/.+     user_u:object_r:user_home_t:s0
>>> /home/[^/]*     -d   user_u:object_r:user_home_dir_t:s0
>>>
>>> which is why your file is getting that context, even though you do not
>>> have an actual user with the home directory /home/pgsql.
>> I thought they'd only have priority by means of their position at the 
>> end of the list if all other sorting criteria were equal? So the fact 
>> that /home/pgsql/data(/.*)? for instance has a longer stem than 
>> /home/[^/]*/.+ should have given it precedence?
> 
> Once the sort is done during the original generation of the files, and
> the files have been spit out, no additional sorting occurs.  So sticking
> the homedirs contexts at the end of the list when looking for a match
> means that every homedir context is checked for a match first, before
> any other context is checked.

Hmm, that doesn't explain why file contexts that aren't regexes do 
actually work. So if I have:

/home/pgsql/pgstartup\.log      --      gen_context(system_u:object_r:postgresql_log_t,s0)

this actually works as expected, even though the /home/[^/]*/.+ homedir 
context also matches.

>>> You can prefix your file context path expression with a template keyword
>>> to place it in the file_context.homedirs file.
>> Wouldn't that result in all /home/*/data directories and everything 
>> underneath them being labelled postgresql_db_t, not just /home/pgsql/data?
> 
> Yes, you are right.  Unfortunately, I don't think there is any way
> around this at the moment.  Anything with the "/home/" prefix will get
> caught by the per-user contexts, and so trying to label files below
> "/home/" in a non-per-user way (for lack of a better term), won't work.
> As I understand it, you'll have to move it to a different location.

Actually this isn't my problem - I'm trying to help someone else. If it 
was me I'd just bind mount /home/pgsql on /var/lib/pgsql and there 
wouldn't be an issue...

Paul.
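The ordering question discussed in this thread can be tried out without an SELinux box. The script below is an added illustration for this archive page, not code from libselinux, policycoreutils or the reference policy: it models the lookup exactly as Christopher describes it (scan the specification list from the end so the last match wins, with file_contexts.homedirs appended after file_contexts and no re-sort) and, for comparison, the longer-stem-wins ordering Paul expected. The file_contexts entries, the object-type flags ("--" regular file, "-d" directory), and the function names are all constructed for the example. Note that under the rule as stated the escaped literal /home/pgsql/pgstartup\.log is also overridden by /home/[^/]*/.+, which is precisely the observation Paul raises; the model reproduces the disagreement rather than resolving it.

```python
"""Model of file_contexts precedence as described in the thread (illustration only)."""
import re

META = set(".^$?*+|[({")

# Constructed sample in the order a policy build emits it (general entries first).
FILE_CONTEXTS = r"""
/.*                              system_u:object_r:default_t:s0
/home                        -d  system_u:object_r:home_root_t:s0
/home/pgsql/data(/.*)?           system_u:object_r:postgresql_db_t:s0
/home/pgsql/pgstartup\.log   --  system_u:object_r:postgresql_log_t:s0
"""

# Constructed per-user entries of the kind genhomedircon writes to file_contexts.homedirs.
FILE_CONTEXTS_HOMEDIRS = r"""
/home/[^/]*/.+                   user_u:object_r:user_home_t:s0
/home/[^/]*                  -d  user_u:object_r:user_home_dir_t:s0
"""


def parse(text):
    """Return (regex, object_type_flag_or_None, context) tuples in file order."""
    specs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) == 3:
            regex, ftype, context = fields
        else:
            regex, context = fields
            ftype = None
        specs.append((regex, ftype, context))
    return specs


def has_meta(regex):
    """True if the spec must be regex-matched; a backslash escapes the next char."""
    i = 0
    while i < len(regex):
        if regex[i] == "\\":
            i += 2
            continue
        if regex[i] in META:
            return True
        i += 1
    return False


def stem(regex):
    """Longest leading path prefix, cut at a '/', that contains no metacharacter."""
    if not has_meta(regex):
        return regex  # a fully literal spec's stem is the whole path
    best = ""
    for i, ch in enumerate(regex):
        if ch == "/" and i > 0:
            if has_meta(regex[:i]):
                break
            best = regex[:i]
    return best


def lookup(specs, path, ftype):
    """Last match wins: scan from the end of the list, as the thread describes."""
    for regex, spec_type, context in reversed(specs):
        if spec_type is not None and spec_type != ftype:
            continue  # entry restricted to another object type ("-d", "--", ...)
        if has_meta(regex):
            if re.fullmatch(regex, path):
                return context
        elif re.sub(r"\\(.)", r"\1", regex) == path:
            return context  # literal compare after dropping escape backslashes
    return None


def label_as_installed(path, ftype):
    """homedirs entries appended after file_contexts with no re-sort: checked first."""
    return lookup(parse(FILE_CONTEXTS) + parse(FILE_CONTEXTS_HOMEDIRS), path, ftype)


def label_if_resorted(path, ftype):
    """Ordering Paul expected: longer stems last, literals after regexes at equal stem."""
    specs = parse(FILE_CONTEXTS) + parse(FILE_CONTEXTS_HOMEDIRS)
    specs.sort(key=lambda s: (len(stem(s[0])), not has_meta(s[0])))  # stable sort
    return lookup(specs, path, ftype)


if __name__ == "__main__":
    for path, ftype in [("/home/pgsql/data/base", "-d"), ("/home/pgsql/pgstartup.log", "--")]:
        print(path, "installed:", label_as_installed(path, ftype))
        print(path, "resorted: ", label_if_resorted(path, ftype))
```

Running it shows /home/pgsql/data/base labelled user_home_t with the appended list and postgresql_db_t once stem length is honoured, which is the gap between the two positions in the thread; the same comparison for the pgstartup.log literal is where the stated rule and Paul's observed behaviour part ways.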




More information about the fedora-selinux-list mailing list