danwalsh (danwalsh) wrote,

File Context Equivalency

New minor feature in semanage (policycoreutils-2.0.62-8.fc11).

I have added the ability to set up equivalency in labeling.  The idea is to allow an administrator to say: instead of using /var/www for my HTML content, I want to use /srv/www.  So you can execute the command

# semanage fcontext -a -e /var/www /srv/www

This command updates the /etc/selinux/POLICY/contexts/files/file_contexts.subs file.

A new version of libselinux is out that reads this file and does the substitution whenever the matchpathcon function is called.  So restorecon/rpm/udev and others will all follow the substitution.  Using the example above, when matchpathcon is handed /srv/www/cgi-bin/myscript.cgi, it substitutes /var/www for /srv/www and looks up the context of /var/www/cgi-bin/myscript.cgi.

This could eventually allow us to get rid of genhomedircon, since the administrator can now tell SELinux to label an alternate home directory the same as /home.

# semanage fcontext -a -e /home /export/home

# matchpathcon /export/home/dwalsh/.ssh
/export/home/dwalsh/.ssh    unconfined_u:object_r:home_ssh_t:s0
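To make the substitute-then-lookup flow described above concrete, here is an added illustrative reimplementation in Python (my own example, not libselinux or semanage code). The subs file and the trimmed file_contexts it reads are constructed samples embedded inline; only a whole leading path component is treated as a match, so /srv/wwwroot is not rewritten by an equivalency for /srv/www.

```python
import re
# Constructed sample of the subs file "semanage fcontext -a -e" maintains:
# "<alternate prefix> <prefix whose labeling it borrows>" per line.
SUBS_FILE = """\
/srv/www /var/www
/export/home /home
"""
# Constructed, heavily trimmed stand-in for file_contexts: "<regex> <context>".
FILE_CONTEXTS = r"""
/.*                       system_u:object_r:default_t:s0
/var/www(/.*)?            system_u:object_r:httpd_sys_content_t:s0
/var/www/cgi-bin(/.*)?    system_u:object_r:httpd_sys_script_exec_t:s0
/home/[^/]+/\.ssh(/.*)?   unconfined_u:object_r:home_ssh_t:s0
"""

def parse_subs(text):
    # (src, dst) pairs, longest source first so a more specific prefix wins
    pairs = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 2 and not fields[0].startswith("#"):
            pairs.append((fields[0].rstrip("/"), fields[1].rstrip("/")))
    return sorted(pairs, key=lambda p: len(p[0]), reverse=True)

def substitute(path, subs):
    # Only a whole leading component matches: /srv/wwwroot is not a hit for /srv/www
    for src, dst in subs:
        if path == src or path.startswith(src + "/"):
            return dst + path[len(src):]
    return path

def parse_file_contexts(text):
    specs = []
    for line in text.splitlines():
        fields = line.split(None, 1)
        if len(fields) == 2 and not fields[0].startswith("#"):
            specs.append((re.compile(fields[0]), fields[1].strip()))
    return specs

def lookup_context(path, specs):
    # file_contexts semantics: the last specification that matches wins
    context = None
    for regex, ctx in specs:
        if regex.fullmatch(path):
            context = ctx
    return context

SUBS = parse_subs(SUBS_FILE)
SPECS = parse_file_contexts(FILE_CONTEXTS)
def matchpathcon(path):
    # Substitute the prefix first, then look the rewritten path up
    return lookup_context(substitute(path, SUBS), SPECS)
```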

To modify the equivalency, use -m:

# semanage fcontext -m -e /home1 /export/home

To delete the equivalency, just use the standard -d qualifier.

# semanage fcontext -d /export/home

To list the equivalencies:

# semanage fcontext -l -C

SELinux fcontext Equivalence

/export/home == /home
/srv/web == /var/www
