File contexts and how are files labeled?
Murray McAllister
mmcallis at redhat.com
Mon Oct 27 22:13:06 UTC 2008
Timothy Renner wrote:
> First off, thanks for the answers about finding out the SELinux
> transactions... autrace was the way to go.... Now I have a more
> fundamental problem... In the file context labels, there are two rules
> that conflict:
>
> /sbin/.* all files system_u:object_r:bin_t:s0
>
> and
>
> /sbin/mount.mymounter regular file system_u:object_r:myfile_exec_t:s0
>
> The problem though is that the file gets labeled under the blanket
> /sbin/.* context, rather than the more specific one:
>
> > ls -lZ /sbin/mount.mymounter
> lrwxrwxrwx root root system_u:object_r:bin_t /sbin/mount.mymounter -> /myproject/sbin/mymounter

I tried this on Fedora Rawhide and it worked. I also have your /sbin/*
rule. Did you run "restorecon /sbin/mount.mymounter" after adding the rule?

I don't know how this works for symbolic links. You might have to add a
rule (and run restorecon) for /myproject/sbin/mymounter.

>
> Any thoughts on this? Can someone explain how the file context is
> derived from the rules? Is it as simple as whichever matches first?
> And does anyone know a way around this labeling problem, assuming I
> cannot remove the /sbin/.* rule, but can only add rules through a policy
> module.
> Thanks again,
> -Tim
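
An added example, not part of the original thread or of any SELinux tooling: a small Python model of how a file_contexts lookup treats the two rules above. It assumes the rules are written in file_contexts syntax (`--` restricts an entry to regular files), models precedence as "last matching entry in the given order wins" (a simplification of libselinux's lookup), and adds a constructed rule for the link target along the lines suggested in the reply.

```python
import re
import stat

# File-type field of a file_contexts entry -> the file type it is restricted to.
TYPE_FLAGS = {"--": stat.S_IFREG, "-d": stat.S_IFDIR, "-l": stat.S_IFLNK,
              "-c": stat.S_IFCHR, "-b": stat.S_IFBLK, "-s": stat.S_IFSOCK,
              "-p": stat.S_IFIFO}

def parse_entries(text):
    """Parse 'regex [type-flag] context' lines into (regex, ftype, context)."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) == 3:
            pattern, flag, context = fields
            ftype = TYPE_FLAGS[flag]
        else:
            pattern, context = fields
            ftype = None          # no flag: entry applies to every file type
        entries.append((re.compile(pattern), ftype, context))
    return entries

def lookup(entries, path, mode):
    """Return the context for path; mode is the lstat() mode of the path itself."""
    # Simplified precedence (assumption of this model): last matching entry wins.
    for regex, ftype, context in reversed(entries):
        if ftype is not None and ftype != stat.S_IFMT(mode):
            continue              # entry is restricted to another file type
        if regex.fullmatch(path): # patterns are anchored at both ends
            return context
    return None

# Constructed input: the thread's two rules in file_contexts syntax.
RULES = """
/sbin/.*                  system_u:object_r:bin_t:s0
/sbin/mount.mymounter --  system_u:object_r:myfile_exec_t:s0
"""
# Constructed rule for the link target, as the reply suggests adding.
TARGET_RULE = "/myproject/sbin/mymounter -- system_u:object_r:myfile_exec_t:s0\n"

LINK, TARGET = "/sbin/mount.mymounter", "/myproject/sbin/mymounter"
as_link = lookup(parse_entries(RULES), LINK, stat.S_IFLNK | 0o777)
as_file = lookup(parse_entries(RULES), LINK, stat.S_IFREG | 0o755)
target = lookup(parse_entries(RULES + TARGET_RULE), TARGET, stat.S_IFREG | 0o755)
print(as_link, as_file, target, sep="\n")
```

In this model the symbolic link at /sbin/mount.mymounter falls through to the /sbin/.* entry because the specific entry only applies to regular files, while the link's target is looked up and labeled under its own path.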