Thank you, Dan!

This is a feature that I really want in SELinux. Now it is very easy for me to use my own custom programs compiled from source and installed in another --prefix directory. It is a very common task for sysadmins who have to do it. Now I have to upgrade my box to Fedora 11 :-)

override for exceptions

Fedora Core 23.

My MLS policy has an equivalency of /usr/lib/64 <=> /usr/lib.

But, the file /usr/lib64/gconv/gconv-modules.cache somehow ended up unlabeled_t.

I tried to do:

semanage fcontext -a -t lib_t /usr/lib64/gconv/gconv-modules.cache

But, I run into this error and cannot get around it:

ValueError: File spec /usr/lib64/gconv/gconv-modules.cache conflicts with equivalency rule '/usr/lib64 /usr/lib'; Try adding '/usr/lib/gconv/gconv-modules.cache' instead

Re: override for exceptions

File labeling and file creation are two different things. File Labeling rules set up the default. But objects created on a file system do not necessarily match the default labels. Some tools like rpm and restorecon read the file labels and create their content with the correct label, or change the label back to the default.

There are many blogs that explain how files get labeled on creation. unlabeled_t means that the file has never been labeled, or is labeled with a label the kernel does not understand.

Running restorecon -R -f /usr/lib64 should fix the labels.
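A simplified model of why the equivalency rule produces the error quoted in the question, as an added example that is not part of the original comments or of the semanage source. It assumes equivalency rewrites a whole-component path prefix before the file-context lookup and uses exact-match rules only; `EQUIV`, `RULES`, `canonical_path`, `check_spec` and `lookup` are hypothetical names.

```python
# Added example: models file-context equivalency (prefix substitution).
# EQUIV is constructed from the rule quoted in the error message above.
EQUIV = {"/usr/lib64": "/usr/lib"}

# Constructed sample rules: one written against the canonical path, one
# written (incorrectly) against the equivalent prefix.
RULES = {
    "/usr/lib/gconv/gconv-modules.cache": "lib_t",
    "/usr/lib64/only-here.conf": "etc_t",
}


def canonical_path(path, equiv=EQUIV):
    """Rewrite an equivalent prefix to its target, whole components only."""
    for src in sorted(equiv, key=len, reverse=True):
        if path == src or path.startswith(src + "/"):
            return equiv[src] + path[len(src):]
    return path


def check_spec(spec, equiv=EQUIV):
    """Return (ok, spec_to_add).

    A spec under an equivalent prefix is never consulted, because every
    lookup is rewritten first, so the rule must use the canonical path.
    """
    canon = canonical_path(spec, equiv)
    return (canon == spec, canon)


def lookup(path, rules=RULES, equiv=EQUIV):
    """Default type for path after substitution (assumption: exact match)."""
    return rules.get(canonical_path(path, equiv))


if __name__ == "__main__":
    spec = "/usr/lib64/gconv/gconv-modules.cache"
    ok, suggestion = check_spec(spec)
    print("accepted" if ok else f"conflict, add {suggestion} instead")
    print("default type for", spec, "->", lookup(spec))
    # The rule keyed on /usr/lib64 is dead: its own path is rewritten away.
    print("dead rule lookup ->", lookup("/usr/lib64/only-here.conf"))
```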
