SELinux madness

I usually keep my VMs in /home, because unlike /var it’s a separate partition and has plenty of free space. As I am also using SELinux, I want to set proper file contexts (even if /home is unconfined, I just want to do it right).

# semanage fcontext -a -t virt_image_t "/home/libvirt/images(/.*)?"
# semanage fcontext -a -t virt_var_lib_t "/home/libvirt(/.*)?"
# matchpathcon /home/libvirt/images/test
/home/libvirt/images/test system_u:object_r:virt_var_lib_t:s0

That’s not what we want, so we set the context for /home/libvirt/images again:

# semanage fcontext -a -t virt_image_t "/home/libvirt/images(/.*)?"
# matchpathcon /home/libvirt/images/test
/home/libvirt/images/test system_u:object_r:virt_var_lib_t:s0

Nothing has changed. Let’s start over again:

# semanage fcontext -d "/home/libvirt/images(/.*)?"
# semanage fcontext -d "/home/libvirt(/.*)?"
# semanage fcontext -a -t virt_var_lib_t "/home/libvirt(/.*)?"
# semanage fcontext -a -t virt_image_t "/home/libvirt/images(/.*)?"
# matchpathcon /home/libvirt/images/test
/home/libvirt/images/test system_u:object_r:virt_image_t:s0

So order does matter? And one has to remove contexts to set them again in the right order? That doesn’t scale. Imagine you have to remove contexts all the way up to your root directory…

I would expect something like “specific overwrites general” but definitely not “last come, first served”.
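The behaviour above follows from how libselinux evaluates file_contexts: every regex is anchored as `^regex$`, the specs are scanned so that the last matching entry wins, and `semanage fcontext -a` appends each new entry to file_contexts.local. The Python model below is an added example, not code from the post; it replays only the two local entries in both orders (a real `matchpathcon` lookup also consults the distribution's file_contexts) and contrasts the actual rule with the "specific overrides general" rule the author expected.

```python
import re

# Constructed from the post: the two local customizations, in the order
# they were added. The first list is the failing order, the second the
# order that produced virt_image_t.
ORDER_FIRST_TRY = [
    (r"/home/libvirt/images(/.*)?", "virt_image_t"),
    (r"/home/libvirt(/.*)?", "virt_var_lib_t"),
]
ORDER_AFTER_REDO = [
    (r"/home/libvirt(/.*)?", "virt_var_lib_t"),
    (r"/home/libvirt/images(/.*)?", "virt_image_t"),
]

_META = set(".^$?*+|[](){}\\")


def _compile(specs):
    # libselinux anchors each file_contexts regex at both ends.
    return [(re.compile("^" + regex + "$"), ctx) for regex, ctx in specs]


def last_match_wins(specs, path):
    """What libselinux/matchpathcon actually does: scan the specs in
    reverse order and take the first hit, i.e. the LAST matching entry."""
    for pattern, ctx in reversed(_compile(specs)):
        if pattern.match(path):
            return ctx
    return None  # no local entry; the policy's file_contexts would decide


def _literal_prefix(regex):
    # Length of the regex up to its first metacharacter, used here as a
    # simple measure of how specific a spec is.
    for i, ch in enumerate(regex):
        if ch in _META:
            return i
    return len(regex)


def most_specific_wins(specs, path):
    """The rule the post expected: among matching specs, the one with the
    longest literal prefix wins, regardless of insertion order."""
    hits = [(_literal_prefix(regex), ctx) for regex, ctx in specs
            if re.match("^" + regex + "$", path)]
    return max(hits)[1] if hits else None


if __name__ == "__main__":
    p = "/home/libvirt/images/test"
    for name, specs in (("first try", ORDER_FIRST_TRY), ("redo", ORDER_AFTER_REDO)):
        print(f"{name:9} last-wins={last_match_wins(specs, p):15} "
              f"specific-wins={most_specific_wins(specs, p)}")
```

After changing the specs on a real host, `restorecon -Rv /home/libvirt` relabels the existing files to match.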
