

Dan Walsh's Blog

Got SELinux?

File Context Equivalency
New minor feature in semanage (policycoreutils-2.0.62-8.fc11).

I have added the ability to set up equivalency in labeling.  The idea is to let an administrator say: instead of using /var/www for my HTML content, I want to use /srv/www.  So you can execute the command

# semanage fcontext -a -e /var/www /srv/www

This command updates the /etc/selinux/POLICY/contexts/files/files_context.subs file, where POLICY is the name of the active policy type.

A new version of libselinux is out that reads this file and does the substitution whenever the matchpathcon function is called.  So restorecon, rpm, udev and the other tools built on it will all follow the substitution.  Using the example above, when matchpathcon is handed /srv/www/cgi-bin/myscript.cgi, it substitutes /var/www for /srv/www and looks up the context of /var/www/cgi-bin/myscript.cgi.

This could allow us to eventually get rid of genhomedircon, since the administrator can now tell SELinux to label an alternate home directory the same as /home.

# semanage fcontext -a -e /home /export/home

# matchpathcon /export/home/dwalsh/.ssh
/export/home/dwalsh/.ssh    unconfined_u:object_r:home_ssh_t:s0
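To make the two lookups above concrete, here is an added example (my own script, not code from the post or from libselinux) that mimics what matchpathcon does with the .subs file: rewrite the leading prefix of the path on a component boundary, then match the rewritten path against the file_contexts table. Both the .subs file and the miniature file_contexts table are constructed inline; the context strings and regexes are illustrative stand-ins for the real policy, and the "last matching regex wins" lookup is a simplification of the real matcher.

```shell
#!/bin/sh
# Constructed example .subs file: "<alias-prefix> <canonical-prefix>" per line.
SUBS_FILE="${TMPDIR:-/tmp}/example_file_contexts.subs"
cat > "$SUBS_FILE" <<'EOF'
# alias        canonical
/srv/www       /var/www
/export/home   /home
EOF

# Constructed miniature file_contexts table ("<regex> <context>"), ordered so
# that more specific entries come after the general ones they refine.
FC_FILE="${TMPDIR:-/tmp}/example_file_contexts"
cat > "$FC_FILE" <<'EOF'
/var/www(/.*)?             system_u:object_r:httpd_sys_content_t:s0
/var/www/cgi-bin(/.*)?     system_u:object_r:httpd_sys_script_exec_t:s0
/home(/.*)?                system_u:object_r:home_root_t:s0
/home/[^/]+/\.ssh(/.*)?    unconfined_u:object_r:home_ssh_t:s0
EOF

# subs_path SUBSFILE PATH
# Prints PATH with its alias prefix replaced by the canonical prefix.
# A prefix only matches on a component boundary: /srv/www rewrites
# /srv/www/x but leaves /srv/wwwroot alone.  First matching entry wins.
subs_path() {
    subs="$1"; p="$2"
    while read -r src dst; do
        case "$src" in ''|'#'*) continue ;; esac
        if [ "$p" = "$src" ]; then
            printf '%s\n' "$dst"
            return 0
        fi
        case "$p" in
            "$src"/*) printf '%s\n' "$dst${p#"$src"}"; return 0 ;;
        esac
    done < "$subs"
    printf '%s\n' "$p"   # no entry matched: path is used unchanged
}

# lookup_context FCFILE PATH
# Simplified file_contexts lookup: every regex is anchored to the whole path,
# and the last matching entry wins; prints <<none>> when nothing matches.
lookup_context() {
    fc="$1"; p="$2"
    awk -v p="$p" '
        /^[[:space:]]*(#|$)/ { next }
        { re = "^" $1 "$"; if (p ~ re) ctx = $2 }
        END { print (ctx == "" ? "<<none>>" : ctx) }
    ' "$fc"
}

# fake_matchpathcon PATH: the two steps matchpathcon performs, chained.
fake_matchpathcon() {
    canonical=$(subs_path "$SUBS_FILE" "$1")
    lookup_context "$FC_FILE" "$canonical"
}

# Stand-alone demo in the same "path<TAB>context" shape matchpathcon prints.
for path in /srv/www/cgi-bin/myscript.cgi /export/home/dwalsh/.ssh /srv/wwwroot/index.html; do
    printf '%s\t%s\n' "$path" "$(fake_matchpathcon "$path")"
done
```

The third path in the demo is the case worth checking on a real system: /srv/wwwroot shares the string prefix /srv/www but is not under it, so no substitution happens and it falls through to whatever the policy says about /srv/wwwroot (here, nothing).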

To modify an existing equivalency, use the -m qualifier (here /export/home is remapped to /home1):

# semanage fcontext -m -e /home1 /export/home

To delete the equivalency just use the standard -d qualifier.

# semanage fcontext -d /export/home

To list the equivalencies:

# semanage fcontext -l -C

SELinux fcontext Equivalence

/export/home == /home
/srv/web == /var/www
