Re: files contexts override via policy module

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Laurent Jacquot wrote:
> Hello,
> I am sure this is a FAQ or a feature, but I want to know how to work
> around:
>
> I have cxoffice installed in my F8 home dir and I want some lib labeled
> as textrel_shlib_t, but I cannot override the default user_home_t home
> label via a policy module.
>
> NOTE1 it works if the directory is not under /home
> NOTE2 there is nothing in the logs if it fails
> NOTE3 It has been so since the introduction of modular policy in selinux
>
> What is what I have tried so far in F8.
> [root@jack sel]#cat local.fc
> #cxoffice
> #/home/alex/.cxoffice/dotwine/drive_c(/.*)?/.*\.exe --
> system_u:object_r:textrel_shlib_t:s0
>
> /home/alex/cxoffice/lib/wine/kernel32.dll.so --
> system_u:object_r:textrel_shlib_t:s0
>
> [root@jack sel]#semodule_package -o local.pp -m local.mod -f local.fc
> [root@jack sel]#semodule -i local.pp
> [root@jack sel]#ls -Z /home/alex/cxoffice/lib/wine/kernel32.dll.so
> -rwxr-xr-x alex alex
> system_u:object_r:user_home_t:s0 /home/alex/cxoffice/lib/wine/kernel32.dll.so
> [root@jack sel]#restorecon /home/alex/cxoffice/lib/wine/kernel32.dll.so
> [root@jack sel]#ls -Z /home/alex/cxoffice/lib/wine/kernel32.dll.so
> -rwxr-xr-x alex alex
> system_u:object_r:user_home_t:s0 /home/alex/cxoffice/lib/wine/kernel32.dll.so
>
>
> (If i use the system-config-selinux UI, I can see the new entry in the
> tab context among all the regexp)
>
> Using semanage, it works:
> [root@jack sel]#semodule -r local
> [root@jack sel]#semanage fcontext -a -t
> textrel_shlib_t /home/alex/cxoffice/lib/wine/kernel32.dll.so
> [root@jack sel]#ls -Z /home/alex/cxoffice/lib/wine/kernel32.dll.so
> -rwxr-xr-x alex alex
> system_u:object_r:user_home_t:s0 /home/alex/cxoffice/lib/wine/kernel32.dll.so
> [root@jack sel]#restorecon /home/alex/cxoffice/lib/wine/kernel32.dll.so
> [root@jack sel]#ls -Z /home/alex/cxoffice/lib/wine/kernel32.dll.so
> -rwxr-xr-x alex alex
> system_u:object_r:textrel_shlib_t:s0 /home/alex/cxoffice/lib/wine/kernel32.dll.so
>
> and the custom rule appears in system-config-selinux UI at the end of
> the policy.
>
> So how do I have my module install my contexts the same way as semanage?
> Should I bugzilla it?
>
> BTW, how do system-config-selinux browse the file context policy? Is it
> possible to see also the rules and type definition?
>
> TIA
> jk
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
This looks like a bug in libsemanage or in the file context labeling algorithm.

I believe matchpatcon is reading in file_contexts, file_contexts.homedirs, file_contexts.local and taking the last entry.

So using semodule to add a pp file updates the file_contexts file, in which case the homedirs is overriding. semanage fcontext updates the file_contexts.local.

If you tried

HOME_DIR/\.cxoffice/dotwine/drive_c(/.*)?/.*\.exe -- system_u:object_r:textrel_shlib_t:s0

It should update the file_context.homedirs file.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFHQuOtrlYvE4MpobMRAuuCAJ4sXPEh9DMDNxUV+avHT09uvAa62QCfbneq YBf3ZtQ4UGTOrOys4K4FGps=
=VT+4
-----END PGP SIGNATURE----- -- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list

• This message: [ Message body ]
• Next message: Laurent Jacquot: "Re: files contexts override via policy module"
• Previous message: Daniel J Walsh: "Re: Problems with sendmail after upgrade to F8"
• In reply to: Laurent Jacquot: "files contexts override via policy module"
• Next in thread: Laurent Jacquot: "Re: files contexts override via policy module"
• Reply: Laurent Jacquot: "Re: files contexts override via policy module"

• Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ]