* File context rule for file in /run not working
@ 2023-08-01  2:03 Ian Pilcher
  2023-08-01  7:40 ` Petr Lautrbach
From: Ian Pilcher @ 2023-08-01  2:03 UTC (permalink / raw)
  To: SElinux list

# semanage fcontext -l | grep /run/acg
/run/acg-httpd-reload    all files    system_u:object_r:acg_var_run_t:s0

# ls -Z /run/acg-httpd-reload
system_u:object_r:var_run_t:s0 /run/acg-httpd-reload

# restorecon /run/acg-httpd-reload

# ls -Z /run/acg-httpd-reload
system_u:object_r:var_run_t:s0 /run/acg-httpd-reload

What in the world am I doing wrong?

(This rule is part of a policy module, and all of the other rules in the
module work just fine.)

-- 
========================================================================
Google                                      Where SkyNet meets Idiocracy
========================================================================


* Re: File context rule for file in /run not working
  2023-08-01  2:03 File context rule for file in /run not working Ian Pilcher
@ 2023-08-01  7:40 ` Petr Lautrbach
From: Petr Lautrbach @ 2023-08-01  7:40 UTC (permalink / raw)
  To: Ian Pilcher, SElinux list

Ian Pilcher <arequipeno@gmail.com> writes:

> # semanage fcontext -l | grep /run/acg
> /run/acg-httpd-reload    all files    system_u:object_r:acg_var_run_t:s0
>
> # ls -Z /run/acg-httpd-reload
> system_u:object_r:var_run_t:s0 /run/acg-httpd-reload
>
> # restorecon /run/acg-httpd-reload
>
> # ls -Z /run/acg-httpd-reload
> system_u:object_r:var_run_t:s0 /run/acg-httpd-reload
>
> What in the world am I doing wrong?
>
> (This rule is part of a policy module, and all of the other rules in the
> module work just fine.)
>

In Fedora there's an equivalence rule which substitutes /run with /var/run
before a label is generated:

   # semanage fcontext -l
   ...
   SELinux Distribution fcontext Equivalence 

   /run = /var/run

I.e. you need to specify the fc rule using a /var/run/... SPEC, as a /run/...
SPEC is overridden by the equivalence rule:

    # echo '(filecon "/run/myrpmvarrunt" file (system_u object_r rpm_var_run_t ((s0) (s0))))' > myrpmvarrunt.cil
    # semodule -i myrpmvarrunt.cil 
    # selabel_lookup -b file -k /run/myrpmvarrunt
    Default context: system_u:object_r:var_run_t:s0

    # echo '(filecon "/var/run/myrpmvarrunt" file (system_u object_r rpm_var_run_t ((s0) (s0))))' > myrpmvarrunt.cil
    # semodule -i myrpmvarrunt.cil 
    # selabel_lookup -b file -k /run/myrpmvarrunt
    Default context: system_u:object_r:rpm_var_run_t:s0
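As an added illustration (not part of the thread, and not libselinux code), a small Python model of the lookup Petr describes: the equivalence rewrite is applied to the path before any fcontext spec is consulted, so a spec written under /run is never reached, while the same spec written under /var/run is. The equivalence rule and spec list are constructed from the thread, and the matcher is simplified (assumption: last matching spec wins).

```python
import re

# Constructed from the thread: the distribution equivalence shown by
# `semanage fcontext -l` ("/run = /var/run"), as (source, target).
EQUIVALENCES = [("/run", "/var/run")]

# Constructed file-context specs, (regex, context), in file_contexts order.
SPECS = [
    (r"/var/run(/.*)?", "system_u:object_r:var_run_t:s0"),
    (r"/run/acg-httpd-reload", "system_u:object_r:acg_var_run_t:s0"),  # never matches
    (r"/var/run/myrpmvarrunt", "system_u:object_r:rpm_var_run_t:s0"),  # Petr's working form
]

def apply_equivalence(path, equivalences=EQUIVALENCES):
    """Rewrite PATH the way the equivalence (subs_dist) step does before any
    spec is consulted: a leading whole component equal to the source is
    replaced by the target ('/run/x' is rewritten, '/runway/x' is not)."""
    for src, dst in equivalences:
        if path == src or path.startswith(src + "/"):
            return dst + path[len(src):]
    return path

def lookup(path, specs=SPECS, equivalences=EQUIVALENCES):
    """Simplified selabel_lookup: substitute, then anchored regex match.
    Assumption for this toy: the last matching spec wins (real libselinux
    also orders specs by stem specificity)."""
    key = apply_equivalence(path, equivalences)
    context = None
    for regex, ctx in specs:
        if re.fullmatch(regex, key):
            context = ctx
    return context

def shadowed_specs(specs=SPECS, equivalences=EQUIVALENCES):
    """Lint: a spec whose literal prefix lies under an equivalence source can
    never match, because every lookup key is rewritten to the target first.
    Returns (regex, suggested rewritten prefix) pairs."""
    out = []
    for regex, _ctx in specs:
        literal = re.split(r"[\[\(\.\*\?\+\\]", regex, maxsplit=1)[0]
        for src, dst in equivalences:
            if literal == src or literal.startswith(src + "/"):
                out.append((regex, dst + literal[len(src):]))
    return out

if __name__ == "__main__":
    for p in ("/run/acg-httpd-reload", "/run/myrpmvarrunt"):
        print(p, "->", lookup(p))
    for regex, fixed in shadowed_specs():
        print(f"spec {regex!r} is shadowed by an equivalence; write it as {fixed!r}")
```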


