Just found this and my first thought is "This is different to the AppArmor approach how?"

AppArmor restricts based on file paths. To deal with hard links it disallows their use in certain circumstances.

To make SELinux usable for normal people, you have written a daemon that sits around layering AppArmor file-path/hardlink-like semantics on top of SELinux in a racy, hacky, inefficient way. I don't mean you write bad code, I just mean that it's a limitation of the approach (we already have way too many daemons sucking up memory for their stacks/heaps/bookkeeping).

Stuff like Flash Player being there is also quite a concern. This system plays nice with 3rd party software? I rather think not ... very worrying indeed. I also don't see why the kernel can't cope with file names if not file paths, so you could say "resolve.conf" in a directory of label etc_t.

One more comment...

Hello! ;)
Hey... what crazy news!
What do you think about it?

You mentioned this is not to be used on MLS machines? What are the implications?



semanage clarification

Hello Dan,

Apart from entering the respective file or directory path in /etc/selinux/restorecond.conf, I presume we need to add an entry to the semanage table:
e.g. semanage fcontext -a -f -- -t tmp_t /root/example.txt

Only after this would the type transition occur from the old to the new customized type as given in the restorecond.conf file.

Please clarify the below:

As per the above explanation, I see an entry for public_html in the restorecond.conf file but not in the output of semanage fcontext -l. I would therefore like to know from where the default type (httpd_sys_content_t) is taken and assigned to the public_html directory.

Please clarify.


Re: semanage clarification

If you want to have a customized label for a file, you need to tell SELinux about it. You can either do this via the semanage command as you state, or by building a custom policy module including an .fc file:

semanage fcontext -a -f -- -t tmp_t /root/example.txt


/root/example.txt gen_context(system_u:object_r:tmp_t, s0)

Contents in the home directory are special. This is because we do not know where the homedir will be. If you look in

grep public_html /etc/selinux/targeted/contexts/files/file_contexts.homedirs
/home/[^/]*/((www)|(web)|(public_html)|(public_git))(/.+)? unconfined_u:object_r:httpd_user_content_t:s0
/home/pwalsh/((www)|(web)|(public_html)|(public_git))(/.+)? staff_u:object_r:httpd_user_content_t:s0

genhomedircon generates this file out of


If you want to customize content in the homedir you need to install a custom policy with a file contexts entry like

HOME_DIR/example.txt -- gen_context(system_u:object_r:tmp_t,s0)
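To make the reply above concrete, here is an added example (my own illustration, not Dan's code and not the real genhomedircon or libselinux) that models the two things the answer relies on: how a HOME_DIR template line in an .fc file is expanded into the generic `/home/[^/]*` entry plus one entry per user with that user's SELinux user, and how a path lookup picks the last matching entry, so the per-user line overrides the generic one. The template lines, the user list (pwalsh as staff_u) and the test paths are constructed for the example; the "later entry wins" rule mirrors how libselinux searches file_contexts.

```python
"""Toy model of genhomedircon's HOME_DIR expansion and file-context lookup.

Added illustration for this thread; not Dan Walsh's code and not the real
genhomedircon/libselinux. Template, users and paths below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed .fc template lines (not the real policy source). HOME_DIR is
# the placeholder genhomedircon substitutes with each home directory.
FC_TEMPLATE = """\
HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)?  gen_context(system_u:object_r:httpd_user_content_t,s0)
HOME_DIR/example.txt  --  gen_context(system_u:object_r:tmp_t,s0)
"""

# Constructed user list: (home directory, SELinux user) pairs, as
# genhomedircon would derive from passwd and the seusers mapping.
USERS: List[Tuple[str, str]] = [("/home/pwalsh", "staff_u")]
HOME_ROOT = "/home"               # generic pattern is placed under here
DEFAULT_SEUSER = "unconfined_u"   # SELinux user for the generic entry

_GEN_CONTEXT = re.compile(r"gen_context\(([^,]+),\s*([^)]+)\)")


@dataclass
class Spec:
    regex: str
    ftype: Optional[str]   # '--' regular file, '-d' directory, None = any
    context: str           # user:role:type:level

    def line(self) -> str:
        """Render as a file_contexts.homedirs line."""
        return " ".join(f for f in (self.regex, self.ftype, self.context) if f)


def _parse_template_line(line: str) -> Tuple[str, Optional[str], str, str, str]:
    """Split 'regex [ftype] gen_context(user:role:type,level)' into parts."""
    fields = line.split()
    if len(fields) == 3:
        regex, ftype, ctx = fields
    else:
        regex, ctx = fields
        ftype = None
    m = _GEN_CONTEXT.fullmatch(ctx)
    if m is None:
        raise ValueError(f"bad context field: {ctx}")
    _user, role, typ = m.group(1).split(":")   # SELinux user is replaced per target
    return regex, ftype, role, typ, m.group(2)


def expand_homedirs(template: str, users: List[Tuple[str, str]],
                    home_root: str = HOME_ROOT,
                    default_seuser: str = DEFAULT_SEUSER) -> List[Spec]:
    """Expand each HOME_DIR line: one generic entry under home_root for the
    default SELinux user, then one entry per user. Order matters for lookup."""
    specs: List[Spec] = []
    targets = [(f"{home_root}/[^/]*", default_seuser)] + list(users)
    for raw in template.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        regex, ftype, role, typ, level = _parse_template_line(raw)
        for home, seuser in targets:
            specs.append(Spec(regex.replace("HOME_DIR", home), ftype,
                              f"{seuser}:{role}:{typ}:{level}"))
    return specs


def lookup(specs: List[Spec], path: str, ftype: Optional[str] = None) -> Optional[str]:
    """Return the context for path, or None if no entry matches.

    As in libselinux's file_contexts handling, a later matching entry
    overrides an earlier one, so the per-user line beats the generic one.
    An entry with a file-type field only applies to objects of that type.
    """
    winner = None
    for s in specs:
        if re.fullmatch(s.regex, path) is None:
            continue
        if s.ftype and ftype and s.ftype != ftype:
            continue
        winner = s.context
    return winner


HOMEDIR_SPECS = expand_homedirs(FC_TEMPLATE, USERS)

if __name__ == "__main__":
    for spec in HOMEDIR_SPECS:
        print(spec.line())
    for p in ("/home/pwalsh/public_html/index.html", "/home/alice/public_html",
              "/home/alice/example.txt", "/root/example.txt"):
        print(p, "->", lookup(HOMEDIR_SPECS, p, "--"))
```

Running it prints the same generic and pwalsh-specific public_html lines that the grep above shows, which is why public_html needs no semanage fcontext entry. It also shows that /root/example.txt matches nothing: /root is not under HOME_ROOT, so that path really does need the semanage command or a literal .fc entry as the reply says.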
