Bug 251001

Summary: Homedir context configuration overrides contexts in packages
Product: Red Hat Enterprise Linux 5
Reporter: Anchor Systems Managed Hosting <managed>
Component: policycoreutils
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG
QA Contact: Ben Levenson <benl>
Severity: low
Priority: low
Version: 5.0
CC: sdsmall
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2007-09-19 00:41:34 UTC

Description Anchor Systems Managed Hosting 2007-08-06 14:00:30 UTC
Description of problem:

The file context configuration generated by `genhomedircon` overrides the
file context configuration provided by a package even if the package context
is for a more specific path. This violates the principle of least surprise.

Version-Release number of selected component (if applicable):
policycoreutils-1.33.12-3.el5

How reproducible:
100%

Steps to Reproduce:

1. Assume that you want to override the default type of

  ~putz/public_html/complex.cgi

to be httpd_unconfined_script_exec_t (for use with restorecond) and
that the SELinux policy is being managed via a SELinux package.

2. Create a policy package with an entry of:

/home/putz/public_html/crud.cgi   --   user_u:object_r:httpd_unconfined_script_exec_t:s0

3. Create a TE file (can be pretty much empty)

4. Compile into a module with checkmodule and load with semodule

5. Running `semanage fcontext -l | grep complex.cgi` will show as expected:

/home/putz/public_html/complex.cgi	regular file	user_u:object_r:httpd_unconfined_script_exec_t:s0

Actual results:

Checking the default SELinux security context with `matchpathcon` will give a
type of `httpd_user_content_t`.

Expected results:

For `matchpathcon` to return a type of `httpd_unconfined_script_exec_t`.

Additional info:

The default context is being overridden by the contents of
`/etc/selinux/targeted/contexts/files/file_contexts.homedirs`

Running `semanage fcontext -a -f -- -t httpd_unconfined_script_exec_t /home/putz/public_html/complex.cgi` will change the default type as expected.

Comment 1 Daniel Walsh 2007-08-06 14:14:44 UTC
Yes, I am opening a discussion on this topic with the SELinux developers. I tend
to agree with you that these should be treated the same.

Comment 2 Stephen Smalley 2007-08-06 14:49:01 UTC
Escape the "."; otherwise it matches any character.
/home/putz/public_html/complex\.cgi

Then it should work, as fully specified pathnames (no meta characters) take
precedence.
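As an added illustration (not code from the report, the policy package or libselinux), a simplified Python model of the precedence rule comment 2 relies on: a file_contexts entry with no regex metacharacters outranks any regex entry, and among entries of the same kind the last one loaded wins. The load order, the genhomedircon line and the treatment of an escaped dot as non-meta are assumptions stated in the code.

```python
import re

# Simplified model (an assumption, not libselinux itself) of file_contexts precedence:
# an entry with no regex metacharacters beats any regex entry, and among entries of
# the same kind the last one loaded wins. Entries are given in load order.
METACHARS = set(".^$?*+|[({")

def has_meta_chars(spec):
    """Scan for regex metacharacters; a backslash escapes the following character."""
    i = 0
    while i < len(spec):
        if spec[i] == "\\":
            i += 2          # skip the escaped char, so r"complex\.cgi" counts as literal
            continue
        if spec[i] in METACHARS:
            return True
        i += 1
    return False

def matchpathcon(entries, path, ftype="--"):
    """Context the model assigns to `path` (a regular file, '--', by default)."""
    best_literal = best_regex = None
    for line in entries:
        fields = line.split()           # <regex> [<file_type>] <context>
        regex_str, ctx = fields[0], fields[-1]
        entry_type = fields[1] if len(fields) == 3 else None
        if entry_type is not None and entry_type != ftype:
            continue
        if re.fullmatch(regex_str, path) is None:   # libselinux anchors the regex
            continue
        if has_meta_chars(regex_str):
            best_regex = ctx            # a later regex match replaces an earlier one
        else:
            best_literal = ctx
    return best_literal if best_literal is not None else best_regex

# Constructed sample data approximating the report: the genhomedircon entry for
# public_html, and the package entry with and without the escaped dot.
HOMEDIRS = [r"/home/[^/]*/((www)|(web)|(public_html))(/.+)?  system_u:object_r:httpd_user_content_t:s0"]
PKG_UNESCAPED = [r"/home/putz/public_html/complex.cgi  --  user_u:object_r:httpd_unconfined_script_exec_t:s0"]
PKG_ESCAPED = [r"/home/putz/public_html/complex\.cgi  --  user_u:object_r:httpd_unconfined_script_exec_t:s0"]
PATH = "/home/putz/public_html/complex.cgi"

def bug_as_reported():
    # module entries sit in file_contexts, loaded before file_contexts.homedirs; both
    # entries are regexes (unescaped '.'), so the later homedirs entry wins
    return matchpathcon(PKG_UNESCAPED + HOMEDIRS, PATH)

def fixed_by_escaping():
    # with '\.' the package entry has no metacharacters and outranks any regex entry
    return matchpathcon(PKG_ESCAPED + HOMEDIRS, PATH)
```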