April 9th, 2009

File Context Equivalency

New minor feature in semanage (policycoreutils-2.0.62-8.fc11).

I have added the ability to set up equivalency in labeling.  The idea is to allow an administrator to say: instead of using /var/www for my html content I want to use /srv/www.  So you can execute the command

# semanage fcontext -a -e /var/www /srv/www

This command updates the /etc/selinux/POLICY/contexts/files/file_contexts.subs file.

A new version of libselinux is out that reads this file and does the substitution whenever the matchpathcon function is called.  So restorecon/rpm/udev and others will all follow the substitution.  Using the example above, when matchpathcon is handed /srv/www/cgi-bin/myscript.cgi, it substitutes /var/www for /srv/www and looks up the context of /var/www/cgi-bin/myscript.cgi.

This could allow us to eventually get rid of genhomedircon, since the administrator can now tell SELinux that an alternate home directory should be labeled the same as /home.

# semanage fcontext -a -e /home /export/home

# matchpathcon /export/home/dwalsh/.ssh
/export/home/dwalsh/.ssh    unconfined_u:object_r:home_ssh_t:s0
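To make the substitution step concrete, here is an added example (my own model of the behaviour described above, not code from libselinux or policycoreutils) that parses a constructed file_contexts.subs, applies it to a path the way the post describes, and then resolves the rewritten path against a small constructed set of file_contexts rules. The subs format (one "SRC DST" pair per line, comments with #), the path-component-boundary check, and first-match-wins are assumptions about the file's semantics; the file_contexts rules and their ordering are constructed for the example only and do not model how libselinux orders a real policy.

```python
import re
from typing import List, Optional, Tuple

# Constructed stand-in for /etc/selinux/POLICY/contexts/files/file_contexts.subs,
# in the shape 'semanage fcontext -a -e TARGET SUBSTITUTE' would leave behind.
SAMPLE_SUBS = """\
# substitute  target
/export/home /home
/srv/www /var/www
"""

# Constructed, most-specific-first stand-in for a few file_contexts rules.
SAMPLE_FILE_CONTEXTS: List[Tuple[str, str]] = [
    (r"^/home/[^/]+/\.ssh(/.*)?$", "unconfined_u:object_r:home_ssh_t:s0"),
    (r"^/home/[^/]+(/.*)?$", "unconfined_u:object_r:user_home_t:s0"),
    (r"^/var/www/cgi-bin(/.*)?$", "system_u:object_r:httpd_sys_script_exec_t:s0"),
    (r"^/var/www(/.*)?$", "system_u:object_r:httpd_sys_content_t:s0"),
]


def parse_subs(text: str) -> List[Tuple[str, str]]:
    """Return (substitute, target) pairs; blank lines and '#' comments are skipped."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"malformed subs line: {line!r}")
        # Trailing slashes would defeat the boundary check below, so normalise.
        pairs.append((fields[0].rstrip("/"), fields[1].rstrip("/")))
    return pairs


def substitute(path: str, subs: List[Tuple[str, str]]) -> str:
    """Rewrite a path prefix per the subs list (first matching entry wins).

    The prefix must end on a path-component boundary: /srv/www matches
    /srv/www and /srv/www/x, but never /srv/wwwroot/x.
    """
    for src, dst in subs:
        if path == src:
            return dst
        if path.startswith(src + "/"):
            return dst + path[len(src):]
    return path


def matchpathcon(path: str, subs: List[Tuple[str, str]],
                 rules: List[Tuple[str, str]]) -> Optional[str]:
    """Model of the lookup: apply the subs file, then the first matching rule."""
    real = substitute(path, subs)
    for pattern, context in rules:
        if re.match(pattern, real):
            return context
    return None  # no rule covers the path; a real policy would use <<none>> or a default


if __name__ == "__main__":
    subs = parse_subs(SAMPLE_SUBS)
    for p in ("/srv/www/cgi-bin/myscript.cgi", "/srv/wwwroot/index.html",
              "/export/home/dwalsh/.ssh"):
        print(f"{p:40s} -> {substitute(p, subs):40s} "
              f"{matchpathcon(p, subs, SAMPLE_FILE_CONTEXTS)}")
```

The boundary check is the detail worth keeping in mind when choosing equivalency paths: an entry for /srv/www must not silently relabel an unrelated /srv/wwwroot tree, and with the model above it does not.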

To modify an existing equivalency, use the -m qualifier.

# semanage fcontext -m -e /home1 /export/home

To delete the equivalency just use the standard -d qualifier.

# semanage fcontext -d /export/home

To list the equivalencies:

# semanage fcontext -l -C

SELinux fcontext Equivalence

/export/home == /home
/srv/web == /var/www