

Dan Walsh's Blog

Got SELinux?

File Context Equivalency
New minor feature in semanage (policycoreutils-2.0.62-8.fc11).

I have added the ability to set up equivalency in labeling.  The idea is to allow an administrator to say "instead of using /var/www for my html content I want to use /srv/www".  So you can execute the command

# semanage fcontext -a -e /var/www /srv/www

This command updates the /etc/selinux/POLICY/contexts/files/files_context.subs file.

A new version of libselinux is out that reads this file and does the substitution whenever the matchpathcon function is called.  So restorecon/rpm/udev and others will all follow the substitution.  Using the example above, when matchpathcon is handed /srv/www/cgi-bin/myscript.cgi, it substitutes /var/www for /srv/www and looks up the context of /var/www/cgi-bin/myscript.cgi.

This could allow us to eventually get rid of genhomedircon, since the administrator can now tell SELinux that I want to label an alternate home directory the same as /home.

# semanage fcontext -a -e /home /export/home

# matchpathcon /export/home/dwalsh/.ssh
/export/home/dwalsh/.ssh    unconfined_u:object_r:home_ssh_t:s0
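To show what the substitution step does before the normal file_contexts lookup, here is an added illustration in Python (my own toy reimplementation, not libselinux code). The subs file contents, the file_contexts excerpt and the contexts in it are constructed samples; it only mimics the prefix rewrite and a last-match-wins regex lookup, so it runs offline without SELinux.

```python
import re

# Constructed sample of the equivalency file that "semanage fcontext -e" writes.
# Format: "<alias> <target>", one substitution per line.
SUBS_FILE = """\
# constructed sample of /etc/selinux/POLICY/contexts/files/file_contexts.subs
/export/home /home
/srv/www /var/www
"""

# Constructed file_contexts excerpt: (regex, context). As in file_contexts,
# a later matching entry takes precedence, so specific rules come last.
FILE_CONTEXTS = [
    (r"/home/[^/]+(/.*)?", "unconfined_u:object_r:user_home_t:s0"),
    (r"/home/[^/]+/\.ssh(/.*)?", "unconfined_u:object_r:home_ssh_t:s0"),
    (r"/var/www(/.*)?", "system_u:object_r:httpd_sys_content_t:s0"),
    (r"/var/www/cgi-bin(/.*)?", "system_u:object_r:httpd_sys_script_exec_t:s0"),
]


def parse_subs(text):
    """Return [(alias, target)] pairs, skipping comments and blank lines."""
    subs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        alias, target = line.split()
        subs.append((alias.rstrip("/"), target.rstrip("/")))
    return subs


def substitute(path, subs):
    """Rewrite an alias prefix to its target.

    The alias must end at a path component boundary: /srv/www maps
    /srv/www/x but must not touch /srv/wwwroot, which is a different tree.
    """
    for alias, target in subs:
        if path == alias or path.startswith(alias + "/"):
            return target + path[len(alias):]
    return path


def lookup(path, subs=None, contexts=FILE_CONTEXTS):
    """Mimic matchpathcon: substitute first, then last matching regex wins."""
    subs = parse_subs(SUBS_FILE) if subs is None else subs
    canonical = substitute(path, subs)
    label = None
    for regex, context in contexts:
        if re.fullmatch(regex, canonical):
            label = context
    return canonical, label
```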

To modify an equivalency you can use the -m qualifier:
# semanage fcontext -m -e /home1 /export/home

To delete the equivalency just use the standard -d qualifier.

# semanage fcontext -d /export/home

Listing the equivalencies:

# semanage fcontext -l -C

SELinux fcontext Equivalence

/export/home == /home
/srv/web == /var/www

Thank you, Dan!

This is a feature that I really wanted in SELinux. Now it is very easy for me to use my own custom programs compiled from source and installed in another --prefix directory. It is a very common task for sysadmins who have to do it. Now I have to upgrade my box to Fedora 11 :-)
