File Context Equivalency
danwalsh
New minor feature in semanage (policycoreutils-2.0.62-8.fc11).

I have added the ability to set up equivalency in labeling. The idea is to let an administrator say: instead of /var/www for my HTML content I want to use /srv/www, and I want it labeled the same way. So you can execute the command

# semanage fcontext -a -e /var/www /srv/www

This command records the equivalency in /etc/selinux/POLICY/contexts/files/file_contexts.subs.

A new version of libselinux is out that reads this file and does the substitution whenever the matchpathcon function is called, so restorecon, rpm, udev and others will all follow the substitution. Using the example above, when matchpathcon is handed /srv/www/cgi-bin/myscript.cgi, it substitutes /var/www for /srv/www and looks up the context of /var/www/cgi-bin/myscript.cgi. Note that semanage only records the rule; files that already exist under /srv/www keep their old labels until you run restorecon -R /srv/www.

This could eventually let us get rid of genhomedircon, since the administrator can now tell SELinux to label an alternate home directory the same as /home.

# semanage fcontext -a -e /home /export/home

# matchpathcon /export/home/dwalsh/.ssh
/export/home/dwalsh/.ssh    unconfined_u:object_r:home_ssh_t:s0

To change the directory an equivalency points at, use -m:
# semanage fcontext -m -e /home1 /export/home

To delete an equivalency, use the standard -d qualifier:

# semanage fcontext -d /export/home


Listing the equivalencies (-C restricts the listing to local customizations):

# semanage fcontext -l -C

SELinux fcontext Equivalence

/export/home == /home
/srv/www == /var/www
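As an added illustration (not code from this post, from libselinux or from semanage), the following Python sketches what happens when matchpathcon is called with an equivalency in place: the path is first rewritten against the subs table and only then matched against file_contexts, where the last matching entry wins. The file_contexts and file_contexts.subs contents below are constructed stand-ins for the real policy files; the whole-component boundary check and the longest-prefix tie-break are my assumptions about the substitution rule. check_fcontext_conflict reproduces the kind of refusal semanage gives when a new file spec (-a -t) falls under an equivalency source, since such a spec would never be consulted once lookups are rewritten.

```python
"""Emulate matchpathcon with a file_contexts.subs equivalency table.

Added example; not code from the original post, libselinux or semanage.
"""
import re

# Constructed stand-in for /etc/selinux/POLICY/contexts/files/file_contexts.
# Real policy files hold thousands of "regex [type] context" lines.
FILE_CONTEXTS = r"""
/.*                          system_u:object_r:default_t:s0
/home/[^/]+(/.*)?            unconfined_u:object_r:user_home_t:s0
/home/[^/]+/\.ssh(/.*)?      unconfined_u:object_r:home_ssh_t:s0
/var/www(/.*)?               system_u:object_r:httpd_sys_content_t:s0
/var/www/cgi-bin(/.*)?       system_u:object_r:httpd_sys_script_exec_t:s0
/usr/lib(/.*)?               system_u:object_r:lib_t:s0
"""

# Constructed stand-in for file_contexts.subs as written by
# `semanage fcontext -a -e /var/www /srv/www` and friends: "src dst" per line.
FILE_CONTEXTS_SUBS = """
/srv/www /var/www
/export/home /home
/usr/lib64 /usr/lib
"""


def parse_subs(text):
    """Return [(src, dst), ...] with trailing slashes normalised away."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst = line.split()
        pairs.append((src.rstrip("/"), dst.rstrip("/")))
    return pairs


def substitute(path, subs):
    """Rewrite path if it equals or lies under an equivalency source.

    Assumptions: matching is on whole path components (/srv/www covers
    /srv/www/x but not /srv/wwwroot), and the longest source prefix wins.
    """
    best = None
    for src, dst in subs:
        if path == src or path.startswith(src + "/"):
            if best is None or len(src) > len(best[0]):
                best = (src, dst)
    if best is None:
        return path
    src, dst = best
    return dst + path[len(src):]


def parse_file_contexts(text):
    """Return [(compiled_regex, context), ...] in file order."""
    specs = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        # An optional middle field (-d, -l, ...) restricts the file type; ignored here.
        regex, context = parts[0], parts[-1]
        specs.append((re.compile(regex), context))
    return specs


def matchpathcon(path, specs, subs):
    """Apply the subs table, then take the last matching file_contexts entry."""
    lookup = substitute(path, subs)
    context = None
    for regex, ctx in specs:
        if regex.fullmatch(lookup):
            context = ctx
    return context


def check_fcontext_conflict(path, subs):
    """Refuse a new file spec that an equivalency would hide, as semanage does.

    Lookups under src are rewritten to dst first, so a spec for a path under
    src would never match; suggest the path on the dst side instead.
    """
    for src, dst in subs:
        if path == src or path.startswith(src + "/"):
            suggestion = dst + path[len(src):]
            raise ValueError(
                f"File spec {path} conflicts with equivalency rule '{src} {dst}'; "
                f"Try adding '{suggestion}' instead"
            )
    return path


SUBS = parse_subs(FILE_CONTEXTS_SUBS)
SPECS = parse_file_contexts(FILE_CONTEXTS)

if __name__ == "__main__":
    for p in ("/srv/www/cgi-bin/myscript.cgi", "/export/home/dwalsh/.ssh",
              "/srv/wwwroot/index.html"):
        print(p, matchpathcon(p, SPECS, SUBS))
```

Running it shows /srv/www/cgi-bin/myscript.cgi resolving to httpd_sys_script_exec_t and /export/home/dwalsh/.ssh to home_ssh_t, matching the matchpathcon output above, while /srv/wwwroot/index.html is left alone because the prefix does not end on a path component.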

Thank you, Dan!

This is a feature that I really wanted in SELinux. Now it is very easy for me to use my own custom programs compiled from source and installed in another --prefix directory. It is a very common task for sysadmins who have to do it. Now I have to upgrade my box to Fedora 11 :-)

override for exceptions

Fedora Core 23.

My MLS policy has an equivalency of /usr/lib64 <=> /usr/lib.

But, the file /usr/lib64/gconv/gconv-modules.cache somehow ended up unlabeled_t.

I tried to do:

semanage fcontext -a -t lib_t /usr/lib64/gconv/gconv-modules.cache

But, I run into this error and cannot get around it:

ValueError: File spec /usr/lib64/gconv/gconv-modules.cache conflicts with equivalency rule '/usr/lib64 /usr/lib'; Try adding '/usr/lib/gconv/gconv-modules.cache' instead


Re: override for exceptions

File labeling and file creation are two different things. File Labeling rules set up the default. But objects created on a file system do not necessarily match the default labels. Some tools like rpm and restorecon read the file labels and create their content with the correct label, or change the label back to the default.

There are many blogs that explain how files get labeled on creation. unlabeled_t means that the file has never been labeled, or is labeled with a label the kernel does not understand.

Running restorecon -R -f /usr/lib64 should fix the labels.
