Nice. Is it limited to whole filenames, or can I set a label based on glob patterns or regexps? At first glance, it would appear to be a win to be able to say "foo*", rather than having to explicitly enumerate foo0, foo1, foo2 etc.

In the Fedora Feature Description I have

Note 2: The kernel team wants me to point out that this is an exact strcmp match. No regex, no glob, and no hope of that ever changing.

write specific file in /var/run


Thanks for the tip.
I was wondering if it is the only way to tag files properly in /var/run.

Let me explain my case:
I have a program running as prog_t.
I have defined a tag prog_varrun_t.
I wrote fc rule: /var/run/prog.pid gen_context(system_u:object_r:prog_varrun_t,s0)

If I do a restorecon -R /var/run, my "prog.pid" gets the correct label.

But when my program runs, it deletes the pid file and recreates it using the directory's default label, i.e. "var_run_t" and not "prog_varrun_t".

So by using your tip I create a:
filetrans_pattern(prog_t, var_run_t, prog_varrun_t, file, "prog.pid")
It works!

But is it the proper way?
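For reference, this is what a complete minimal policy module for the case in the comment above looks like (an added illustration, not code from the commenter or from this blog). The names prog_t, prog_varrun_t and prog.pid are the ones used in the comment; using the refpolicy interfaces files_pid_file and files_pid_filetrans instead of naming var_run_t directly in the module is an assumption about refpolicy conventions.

```selinux
## prog.te (constructed example, not from the original post)
policy_module(prog_varrun, 1.0)

# The domain the program runs in is declared elsewhere; pull it in here.
gen_require(`
	type prog_t;
')

# Private type for the program's pid file.
type prog_varrun_t;
files_pid_file(prog_varrun_t)

# prog_t may create, read, write and unlink its own pid file.
allow prog_t prog_varrun_t:file manage_file_perms;

# Named file transition: when prog_t creates a file called exactly
# "prog.pid" in a var_run_t directory, label it prog_varrun_t.
# files_pid_filetrans wraps filetrans_pattern(prog_t, var_run_t, ...)
# and also grants prog_t rw_dir_perms on var_run_t, which covers the
# add_name/remove_name needed to delete and recreate the file.
files_pid_filetrans(prog_t, prog_varrun_t, file, "prog.pid")

## prog.fc - keeps restorecon / relabel in agreement with the transition
/var/run/prog\.pid	--	gen_context(system_u:object_r:prog_varrun_t,s0)
```

After loading the module, one `restorecon -v /var/run/prog.pid` fixes the existing file; from then on the file the program recreates under that exact name lands in prog_varrun_t with no relabel, while anything it creates under a different name (a "prog.pid.tmp", say) still gets var_run_t, because the filename match is the exact strcmp that Note 2 above describes.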


