Description of problem:
I am writing an SELinux module for our authentication services software. But I am running into the error below:

    Multiple different specifications for /var/opt/quest/vas/vasd(/.*)?

This is caused because I am defining a file context for the /var/opt/quest/vas/vasd directory as below:

    /var/opt/quest/vas/vasd(/.*)? gen_context(system_u:object_r:vasd_var_auth_t,s0)

This conflicts with a file context for that same directory that is defined as system_u:object_r:var_auth_t,s0

This definition is pre-compiled into the shipped SELinux policy.

    ./targeted/contexts/files/file_contexts:2273:/var/opt/quest/vas/vasd(/.*)? system_u:object_r:var_auth_t:s0
    ./targeted/modules/active/file_contexts:2273:/var/opt/quest/vas/vasd(/.*)? system_u:object_r:var_auth_t:s0
    ./targeted/modules/active/file_contexts.template:2378:/var/opt/quest/vas/vasd(/.*)? system_u:object_r:var_auth_t:s0

Seeing that the path /var/opt/quest/vas/vasd is vendor specific, the supplied SELinux policy should not be explicitly defining the file context for the contents under that directory.
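Added example, not part of the original report: a pre-install check that flags path specifications a module's .fc file defines with a different type than the installed file_contexts, which is the condition behind "Multiple different specifications". The function names, the temporary file names and the /var/run/example entry are constructed for illustration; only identical specification strings are compared.

```shell
#!/bin/sh
# Added example (not from the bug report). Reports path specifications that a
# module .fc file defines with a different type than the installed policy.

# fc_conflicts MODULE_FC INSTALLED_FC
# Prints "spec<TAB>installed_type<TAB>module_type" for each clash.
fc_conflicts() {
    awk '
    # Extract the SELinux type (third field) from either
    # "gen_context(u:r:t,s0)" or a compiled "u:r:t:s0" context.
    function ctx_type(c,    p) {
        sub(/^gen_context\(/, "", c)
        split(c, p, /[:,)]/)
        return p[3]
    }
    /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
    {
        # Key = path regex plus the optional file-type flag (e.g. "-d")
        key = (NF == 3) ? $1 " " $2 : $1
        t = ctx_type($NF)
        if (FNR == NR) { installed[key] = t; next }   # first file: installed
        if ((key in installed) && installed[key] != t)
            printf "%s\t%s\t%s\n", key, installed[key], t
    }' "$2" "$1"
}

# Constructed sample input mirroring the specifications quoted in the report;
# the /var/run/example lines are hypothetical and agree in both files.
fc_demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' \
        '/var/opt/quest/vas/vasd(/.*)? system_u:object_r:var_auth_t:s0' \
        '/var/run/example(/.*)? system_u:object_r:var_run_t:s0' \
        > "$d/file_contexts"
    printf '%s\n' \
        '# constructed module file contexts' \
        '/var/opt/quest/vas/vasd(/.*)? gen_context(system_u:object_r:vasd_var_auth_t,s0)' \
        '/var/run/example(/.*)? gen_context(system_u:object_r:var_run_t,s0)' \
        > "$d/vasd.fc"
    fc_conflicts "$d/vasd.fc" "$d/file_contexts"
    rm -rf "$d"
}

fc_demo
```

On a real system the second argument would be the installed file_contexts file, such as the targeted/contexts/files/file_contexts path shown in the report.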
We added this labeling because we had bugs related to /var/opt/quest/vas/vasd. Is there a problem to allow your apps to access var_auth_t? You can add labeling for files/dirs in /var/opt/quest/vas/vasd and you should get vasd_var_auth_t in your policy.
No, there isn't a problem for allowing var_auth_t, but we do want to keep them all labeled correctly for a directory that is obviously associated to our software. As it stands now the only way for me to work around this is to ask customers to install the selinux-policy-devel.noarch packages so they can run

    $ semanage fcontext -m -t vasd_var_auth_t "/var/opt/quest/vas/vasd(/.*)?"

and then restore the file contexts on the directory, so that all files that our product lays down are labeled correctly. This is not an ideal solution at all. If you have a solution that will also work around the issue I would be glad to hear it. The other option is to look into including the vasd module as part of the built-in SELinux policy.
selinux-policy-3.12.1-74.30.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.30.fc19
Package selinux-policy-3.12.1-74.30.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.30.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-16276/selinux-policy-3.12.1-74.30.fc19
then log in and leave karma (feedback).
selinux-policy-3.12.1-74.30.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.