Re: overriding home directory file contexts

[Daniel J Walsh <dwalsh@redhat.com>]

Clarkson, Mike R (US SSA) wrote:
> There seems to be a very strong preference by the policy to label files
> and directories under a home directory to user_home_t. I would like to
> override that for a particular directory structure.
> 
> I have the following directory with many other files and directories
> below it:
> /opt/home/oracle/product/10.2.0
> 
This sounds like a genhomedircon problem.  Unless you have a Human Being
named Oracle, this should not be labeled as a homedir.  Check the passwd
entry and make sure it has a shell of /sbin/nologin on /bin/false.

Then run genhomedircon

Now the labels of /opt/home  should not longer be set for a homedir.
You can relabel using restorecon.
> Many of files are libraries, which I would like to label lib_t and
> shlib_t. As a specific example I have the following two files:
> 
> # ls -Z /opt/home/oracle/product/10.2.0/lib32/libsql*
> -r-xr-xr-x  oracle oinstall user_u:object_r:user_home_t:SystemLow
> /opt/home/oracle/product/10.2.0/lib32/libsqlplusic.so
> -r-xr-xr-x  oracle oinstall user_u:object_r:user_home_t:SystemLow
> /opt/home/oracle/product/10.2.0/lib32/libsqlplus.so
> 
> If I add the following file context line to my policy without any regex
> wildcard chars, it works. The libsqlplus.so file is properly labeled as
> shlib_t.
> 
> /opt/home/oracle/product/10\.2\.0/lib32/libsqlplus\.so --
> gen_context(system_u:object_r:shlib_t,__SYSTEMLOW__)
> 
> # ls -Z /opt/home/oracle/product/10.2.0/lib32/libsql*
> -r-xr-xr-x  oracle oinstall user_u:object_r:user_home_t:SystemLow
> /opt/home/oracle/product/10.2.0/lib32/libsqlplusic.so
> -r-xr-xr-x  oracle oinstall system_u:object_r:shlib_t:SystemLow
> /opt/home/oracle/product/10.2.0/lib32/libsqlplus.so
> 
> However, if I add any regex wildcard chars, the label reverts back to
> the default user_home_t context. For example, with the following
> modification to the above file context line:
> 
> /opt/home/oracle/product/10\.2\.0/lib32/libsqlplus.*\.so --
> gen_context(system_u:object_r:shlib_t,__SYSTEMLOW__)
> 
> # ls -Z /opt/home/oracle/product/10.2.0/lib32/libsql*
> -r-xr-xr-x  oracle oinstall user_u:object_r:user_home_t:SystemLow
> /opt/home/oracle/product/10.2.0/lib32/libsqlplusic.so
> -r-xr-xr-x  oracle oinstall user_u:object_r:user_home_t:SystemLow
> /opt/home/oracle/product/10.2.0/lib32/libsqlplus.so
> 
> Being that this is a large directory structure with lots of files, I do
> not want to have to label each one explicitly, without the use of regex
> wildcards. 
> 
> My understanding is that the policy should apply the most specific file
> context line. But that does not appear to be what is happening in this
> case. Is there some way to override this strong preference to label
> files under a home directory as user_home_t?
> 
> I'm using the rhel5.1 mls policy
> 
> Any help would be greatly appreciated.
> 
> Thanks,
>   Mike
> 
> 
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.