File contexts and how are files labeled?

Bruno Wolff III bruno at wolff.to
Tue Oct 28 04:55:06 UTC 2008


On Mon, Oct 27, 2008 at 14:34:40 -0700,
  Timothy Renner <timothy.renner at gmail.com> wrote:
>
> Any thoughts on this?  Can someone explain how the file context is
> derived from the rules?  Is it as simple as whichever matches first?
> And does anyone know a way around this labeling problem, assuming I
> cannot remove the /sbin/.* rule, but can only add rules through a policy
> module.

The patterns are only used when relabelling. When files are created there
is a default context based on the domain of the process and the context
of the directory the file is being created in. Applications can also create
files with specific contexts.

I don't remember the relabelling priority. It is probably either the first
matching rule or the last matching rule, as deciding which is more specific is
hard in general and that route probably wasn't chosen.
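Added example, not part of the thread above: a small Python model of the two labeling paths the reply describes. `relabel_context` implements the file_contexts lookup the way libselinux documents it (each regex is anchored, an optional file-type field such as `--` or `-d` restricts the entry, `<<none>>` means leave the file alone, and the last matching line wins), and `creation_context` models the creation-time default (user from the creating process, role object_r, type inherited from the parent directory unless a type_transition rule says otherwise). The file_contexts entries, the `mytool_*` types and the type_transition table are constructed for illustration and are not from any real policy; MLS range handling is simplified to copying the process range.

```python
import re

# Constructed file_contexts-style entries for this example (not from Fedora policy).
# Format per line: <regex> [<file-type>] <context or <<none>>>
# Generic entries come first so the specific ones win under last-match.
SAMPLE_FILE_CONTEXTS = """\
# catch-all first, more specific entries later
/.*                      system_u:object_r:default_t:s0
/sbin(/.*)?              system_u:object_r:bin_t:s0
/sbin/mytool       --    system_u:object_r:mytool_exec_t:s0
/sbin/nocheck            <<none>>
/var/run/mytool(/.*)?  -d  system_u:object_r:mytool_var_run_t:s0
"""

# Same entries with the specific /sbin/mytool line placed BEFORE the generic
# /sbin(/.*)? line: under last-match the generic entry shadows it.
SHADOWED_FILE_CONTEXTS = """\
/.*                      system_u:object_r:default_t:s0
/sbin/mytool       --    system_u:object_r:mytool_exec_t:s0
/sbin(/.*)?              system_u:object_r:bin_t:s0
"""

# File-type specifiers as in selabel_file(5): -- regular file, -d directory, etc.
_FTYPE = {"--": "f", "-d": "d", "-l": "l", "-c": "c", "-b": "b", "-s": "s", "-p": "p"}


def parse_file_contexts(text):
    """Return a list of (compiled_regex, mode_or_None, context) in file order."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 3:
            regex, ftype, ctx = parts
            if ftype not in _FTYPE:
                raise ValueError(f"unknown file type specifier in {raw!r}")
            mode = _FTYPE[ftype]
        elif len(parts) == 2:
            regex, ctx = parts
            mode = None
        else:
            raise ValueError(f"unparseable file_contexts line: {raw!r}")
        # libselinux anchors each regex at both ends before matching the path.
        specs.append((re.compile("^" + regex + "$"), mode, ctx))
    return specs


def relabel_context(specs, path, mode="f"):
    """Context a relabel (restorecon/setfiles) would assign to `path`.

    Walks the entries from last to first, so the first hit is the last matching
    line in the file. Returns None when nothing matches or the match is a
    <<none>> entry (meaning: do not touch the file's existing label).
    """
    for regex, spec_mode, ctx in reversed(specs):
        if spec_mode is not None and spec_mode != mode:
            continue
        if regex.match(path):
            return None if ctx == "<<none>>" else ctx
    return None


def creation_context(process_ctx, parent_dir_ctx, obj_class, type_transitions):
    """Context a newly created object gets; file_contexts plays no part here.

    Default: user from the creating process, role object_r, type inherited
    from the parent directory. A type_transition rule keyed by
    (process type, parent directory type, object class) overrides the type.
    Simplification (assumption): the process's MLS range is copied as-is.
    """
    user, _role, domain, mls = process_ctx.split(":", 3)
    _u, _r, dir_type, _m = parent_dir_ctx.split(":", 3)
    new_type = type_transitions.get((domain, dir_type, obj_class), dir_type)
    return f"{user}:object_r:{new_type}:{mls}"


if __name__ == "__main__":
    specs = parse_file_contexts(SAMPLE_FILE_CONTEXTS)
    for p, m in [("/sbin/mytool", "f"), ("/sbin/mytool", "d"), ("/sbin/nocheck", "f")]:
        print(p, m, relabel_context(specs, p, m))
    # Constructed type_transition: mytool_t creating a dir under var_run_t.
    tt = {("mytool_t", "var_run_t", "dir"): "mytool_var_run_t"}
    print(creation_context("system_u:system_r:mytool_t:s0",
                           "system_u:object_r:var_run_t:s0", "dir", tt))
```

The `SHADOWED_FILE_CONTEXTS` constant reproduces the situation in the question: a specific `/sbin/mytool` entry listed before a generic `/sbin(/.*)?` entry loses under last-match. In a real system, entries added with `semanage fcontext -a` go into file_contexts.local, which libselinux loads after file_contexts, which is why local additions override the distribution's entries.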




More information about the fedora-selinux-list mailing list