From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from goalie.tycho.ncsc.mil (goalie [144.51.242.250]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id t7HNgpWZ010718 for ; Mon, 17 Aug 2015 19:42:53 -0400
Received: from localhost (localhost.localdomain [127.0.0.1]) by mail.jlbond.com (Postfix) with ESMTP id 85B57799CC for ; Mon, 17 Aug 2015 16:42:49 -0700 (PDT)
Received: from mail.jlbond.com ([127.0.0.1]) by localhost (mail.jlbond.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP id kLl5t4UZkoVX for ; Mon, 17 Aug 2015 16:42:49 -0700 (PDT)
Received: from taipei.bbky.org (firewall.bbky.org [192.168.0.1]) by mail.jlbond.com (Postfix) with ESMTP id 4134E79766 for ; Mon, 17 Aug 2015 16:42:49 -0700 (PDT)
To: selinux@tycho.nsa.gov
From: Bond Masuda
Subject: question about semanage fcontext and awareness of file_contexts.local file
Message-ID: <55D27178.9080503@jlbond.com>
Date: Mon, 17 Aug 2015 16:42:48 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"
List-Post:
List-Help:

We want to add some custom file contexts for certain directories. In particular, we have /audit as a separate partition and run this:

    chroot /mnt/root semanage fcontext -a -t auditd_log_t "/audit(/.*)?"

to make sure auditd works. This is run with chroot because the system we're modifying is not running and is mounted at /mnt/root. This creates the file_contexts.local file with this content:

    # This file is auto-generated by libsemanage
    # Do not edit directly.
    /audit(/.*)?    system_u:object_r:auditd_log_t:s0

Later on, when we boot that system that was in /mnt/root, the file_contexts.local remains the same. However, if I run semanage to add another record, for example (this time, not in chroot):

    semanage fcontext -a -t httpd_sys_content_t "/data/www(/.*)?"

it creates the entry for httpd_sys_content_t in file_contexts.local, but overwrites the previous entry for auditd_log_t.

If I add the auditd_log_t entry once again, _both_ entries are now present in file_contexts.local. So, it seems that the 1st time I run semanage fcontext -a _while_ the system is running, it is not aware of the content that was added when I ran semanage fcontext -a when the system was offline and mounted in /mnt/root.

Does semanage maintain state somewhere other than in the file_contexts.local file? How can I make sure it is aware of the content in file_contexts.local that was created by semanage when it was run in chroot?

Thanks,
-Bond
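An added check, not part of Bond's post: a small Python script that parses two snapshots of a libsemanage-generated file_contexts.local (the copy written in the chroot and the copy after the first run on the live system) and reports any entry that was lost, so a host that was customised offline can be verified before auditd or httpd are relied on. The two snapshots are constructed from the commands in the post and the function names are my own.

```python
"""Detect file_contexts.local entries lost between two semanage runs."""
import re

# Format of a libsemanage-generated file_contexts.local line:
#   <path regex> [<file type flag such as -d>] <security context | <<none>>>
_LINE_RE = re.compile(
    r"^(?P<regex>\S+)\s+(?:(?P<ftype>-[a-z-])\s+)?"
    r"(?P<ctx>\S+:\S+:\S+:\S+|<<none>>)\s*$"
)

# Constructed snapshots mirroring the post: the file as written by the
# chroot run, and the file after the first semanage run on the live system.
OFFLINE_SNAPSHOT = """\
# This file is auto-generated by libsemanage
# Do not edit directly.
/audit(/.*)?    system_u:object_r:auditd_log_t:s0
"""
ONLINE_SNAPSHOT = """\
# This file is auto-generated by libsemanage
# Do not edit directly.
/data/www(/.*)?    system_u:object_r:httpd_sys_content_t:s0
"""

def parse_file_contexts(text: str) -> dict:
    """Map '<regex>[ <ftype>]' -> security context; comments and blank lines skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable file_contexts line: {line!r}")
        key = m.group("regex")
        if m.group("ftype"):
            key = f"{key} {m.group('ftype')}"
        entries[key] = m.group("ctx")
    return entries

def lost_entries(before: str, after: str) -> dict:
    """Entries in `before` whose context is missing or changed in `after`."""
    old, new = parse_file_contexts(before), parse_file_contexts(after)
    return {k: v for k, v in old.items() if new.get(k) != v}

if __name__ == "__main__":
    for spec, ctx in lost_entries(OFFLINE_SNAPSHOT, ONLINE_SNAPSHOT).items():
        print(f"LOST: {spec} -> {ctx}")  # reports the /audit(/.*)? auditd_log_t entry
```

On a real host, feed the script the file_contexts.local saved before the live semanage run and the current one; a non-empty result means the labels must be re-added before restorecon is trusted.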