SELinux madness

I usually keep my VMs in /home, because unlike /var it is a separate partition with plenty of free space. As I am also using SELinux, I want to set proper file contexts (even though /home is unconfined, I just want to do it right).

# semanage fcontext -a -t virt_image_t "/home/libvirt/images(/.*)?"
# semanage fcontext -a -t virt_var_lib_t "/home/libvirt(/.*)?"
# matchpathcon /home/libvirt/images/test
/home/libvirt/images/test system_u:object_r:virt_var_lib_t:s0

That’s not what we want, so we set the context for /home/libvirt/images again:

# semanage fcontext -a -t virt_image_t "/home/libvirt/images(/.*)?"
# matchpathcon /home/libvirt/images/test
/home/libvirt/images/test system_u:object_r:virt_var_lib_t:s0

Nothing has changed. Let’s start over again:

# semanage fcontext -d "/home/libvirt/images(/.*)?"
# semanage fcontext -d "/home/libvirt(/.*)?"
# semanage fcontext -a -t virt_var_lib_t "/home/libvirt(/.*)?"
# semanage fcontext -a -t virt_image_t "/home/libvirt/images(/.*)?"
# matchpathcon /home/libvirt/images/test
/home/libvirt/images/test system_u:object_r:virt_image_t:s0

So order does matter? And one has to remove contexts to set them again in the right order? That doesn’t scale. Imagine you have to remove contexts all the way up to your root directory…

I would expect something like “specific overwrites general” but definitely not “last come, first served”.
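As an added example (not part of the original post), the following Python script models the lookup behaviour observed above: libselinux walks the file_contexts.local entries from the last one backwards, so the last matching record wins, and a broader pattern appended after a more specific one silently overrides it. The file contents and probe paths are constructed; the `shadowed_rules` check flags exactly that situation before it surprises you.

```python
import re
from typing import List, Optional, Tuple

Rule = Tuple[str, str]  # (path regex, security context)

# Constructed file_contexts.local contents in the order the post's first
# attempt appended them (virt_image_t first, then the broader virt_var_lib_t).
BROKEN_ORDER = """\
/home/libvirt/images(/.*)?    system_u:object_r:virt_image_t:s0
/home/libvirt(/.*)?           system_u:object_r:virt_var_lib_t:s0
"""
# The same records in the order the post's second attempt added them.
FIXED_ORDER = """\
/home/libvirt(/.*)?           system_u:object_r:virt_var_lib_t:s0
/home/libvirt/images(/.*)?    system_u:object_r:virt_image_t:s0
"""

def parse_rules(text: str) -> List[Rule]:
    """Parse 'regex [filetype] context' lines; blank lines and comments are skipped."""
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            fields = line.split()
            rules.append((fields[0], fields[-1]))  # optional middle field (e.g. "--") ignored
    return rules

def winning_index(rules: List[Rule], path: str) -> Optional[int]:
    """Index of the rule that labels path: the LAST matching entry wins, regex anchored."""
    for i in range(len(rules) - 1, -1, -1):
        if re.fullmatch(rules[i][0], path):
            return i
    return None

def lookup(rules: List[Rule], path: str) -> Optional[str]:
    """Context matchpathcon would report for path, or None if no local rule matches."""
    i = winning_index(rules, path)
    return None if i is None else rules[i][1]

def shadowed_rules(rules: List[Rule], probes: List[str]) -> List[str]:
    """Regexes that match at least one probe path but never win for any of them:
    a later, broader rule always overrides them, as in the post's first attempt."""
    out = []
    for i, (regex, _ctx) in enumerate(rules):
        hits = [p for p in probes if re.fullmatch(regex, p)]
        if hits and all(winning_index(rules, p) != i for p in hits):
            out.append(regex)
    return out

if __name__ == "__main__":
    probes = ["/home/libvirt", "/home/libvirt/images", "/home/libvirt/images/test"]
    for name, text in (("broken", BROKEN_ORDER), ("fixed", FIXED_ORDER)):
        rules = parse_rules(text)
        print(name, lookup(rules, "/home/libvirt/images/test"), shadowed_rules(rules, probes))
```

Feeding it the real `/etc/selinux/targeted/contexts/files/file_contexts.local` and a handful of paths you care about tells you which of your own customizations can never take effect.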
