From mboxrd@z Thu Jan 1 00:00:00 1970 Subject: Re: question about semanage fcontext and awareness of file_contexts.local file To: Stephen Smalley , selinux@tycho.nsa.gov, Steve Lawrence References: <55D27178.9080503@jlbond.com> <55DB5F2D.6060900@tycho.nsa.gov> From: Bond Masuda Message-ID: <55DB60D8.8020400@jlbond.com> Date: Mon, 24 Aug 2015 11:22:16 -0700 MIME-Version: 1.0 In-Reply-To: <55DB5F2D.6060900@tycho.nsa.gov> Content-Type: text/plain; charset=windows-1252 List-Id: "Security-Enhanced Linux \(SELinux\) mailing list" List-Post: List-Help: On 08/24/2015 11:15 AM, Stephen Smalley wrote: > On 08/17/2015 07:42 PM, Bond Masuda wrote: >> We want to add some custom file contexts for certain directories, in >> particular we have /audit as a separate partition and run this: >> >> chroot /mnt/root semanage fcontext -a -t auditd_log_t "/audit(/.*)?" >> >> To make sure auditd works. This is run with chroot because the system >> we're modifying is not running and mounted at /mnt/root. This creates >> the file_contexts.local file with this content: >> >> # This file is auto-generated by libsemanage >> # Do not edit directly. >> >> /audit(/.*)? system_u:object_r:auditd_log_t:s0 >> >> Later on, when we boot that system that was in /mnt/root, the >> file_contexts.local remains the same. However, if I run semanage to add >> another record, for example (this time, not in chroot): >> >> semanage fcontext -a -t httpd_sys_content_t "/data/www(/.*)?" >> >> It creates the content for httpd_sys_content_t in file_contexts.local, >> but overwrites the previous entry for auditd_log_t. >> >> If I add the auditd_log_t entry once again, _both_ entries are now >> present in file_contexts.local. So, it seems that the 1st time I run >> semanage fcontext -a _while_ the system is running, it is not aware of >> the content that was added when I ran semanage fcontext -a when the >> system was offline and mounted in /mnt/root. >> >> Does semanage maintain state somewhere other than in the >> file_contexts.local file? How can I make sure it is aware of the content >> in file_contexts.local that was created by semanage when it was run in >> chroot? > This sounds like a bug to me. What version of libsemanage and > policycoreutils are you using, as this may be version-specific? > > The versions are: libsemanage-2.0.43-5.1.el6.x86_64 libsemanage-python-2.0.43-5.1.el6.x86_64 policycoreutils-2.0.83-24.el6.x86_64 policycoreutils-python-2.0.83-24.el6.x86_64 Thanks, -Bond