Description of problem:
The file context configuration generated by `genhomedircon` overrides the file context configuration provided by a package even if the package context is for a more specific path. This violates the principle of least surprise.

Version-Release number of selected component (if applicable):
policycoreutils-1.33.12-3.el5

How reproducible:
100%

Steps to Reproduce:
1. Assume that you want to override the default type of ~putz/public_html/complex.cgi to be httpd_unconfined_script_exec_t (for use with restorecond) and that the SELinux policy is being managed via a SELinux package.
2. Create a policy package with an entry of:
   /home/putz/public_html/crud.cgi -- user_u:object_r:httpd_unconfined_script_exec_t:s0
3. Create a TE file (can be pretty much empty)
4. Compile into a module with checkmodule and load with semodule
5. Running `semanage fcontext -l | grep complex.cgi` will show as expected:
   /home/putz/public_html/complex.cgi regular file user_u:object_r:httpd_unconfined_script_exec_t:s0

Actual results:
Checking the default SELinux security context with `matchpathcon` will give a type of `httpd_user_content_t`.

Expected results:
For `matchpathcon` to return a type of `httpd_unconfined_script_exec_t`.

Additional info:
The default context is being overridden by the contents of `/etc/selinux/targeted/contexts/files/file_contexts.homedirs`

Running `semanage fcontext -a -f -- -t httpd_unconfined_script_exec_t /home/putz/public_html/complex.cgi` will change the default type as expected.
Yes, I am opening a discussion on this topic with the selinux developers. I tend to agree with you that these should be treated the same.
Escape the "."; otherwise it matches any character:

/home/putz/public_html/complex\.cgi

Then it should work, as fully specified pathnames (no meta characters) take precedence.
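The following is an added example, not code from the bug report, from libselinux or from policycoreutils: a small model of how file_contexts entries are matched, written to show why the report's unescaped entry loses to the generated file_contexts.homedirs entry, why the escaped entry suggested in the last comment wins, and why the `semanage fcontext -a` workaround works. The metacharacter scan follows the rule the comment states (a backslash escapes the next character). The precedence rule ("no metacharacters beats a regex; otherwise the last matching entry in load order wins") and the load order (policy file_contexts, then file_contexts.homedirs, then file_contexts.local) are assumptions taken from the thread, not copied from libselinux source; the homedirs line is a constructed stand-in for the generated file, and `crud.cgi`/`complex.cgi` from the report are represented by the single name `complex.cgi`.

```python
# Added example (not libselinux or policycoreutils code): a model of
# file_contexts matching that reproduces the three observations in the thread.
import re
import stat
from dataclasses import dataclass
from typing import List, Optional

# file type field of a file_contexts line -> S_IFMT value (see file_contexts(5))
FTYPE = {"--": stat.S_IFREG, "-d": stat.S_IFDIR, "-l": stat.S_IFLNK,
         "-c": stat.S_IFCHR, "-b": stat.S_IFBLK, "-s": stat.S_IFSOCK,
         "-p": stat.S_IFIFO}


@dataclass
class Spec:
    regex: str
    ftype: Optional[int]   # None means "any file type"
    context: str
    has_meta: bool         # False => "fully specified pathname"


def has_meta_chars(regex: str) -> bool:
    r"""Flag a regex as containing metacharacters. A backslash escapes the
    following character, so 'complex\.cgi' has none while 'complex.cgi' does."""
    i = 0
    while i < len(regex):
        c = regex[i]
        if c == "\\":
            i += 2          # skip the escaped character
            continue
        if c in ".^$?*+|[({":
            return True
        i += 1
    return False


def parse_file_contexts(text: str) -> List[Spec]:
    """Parse 'regex [type] context' lines; '#' comments and blank lines are skipped."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            regex, ftype, context = fields
            ftype_val = FTYPE[ftype]
        elif len(fields) == 2:
            regex, context = fields
            ftype_val = None
        else:
            raise ValueError(f"malformed file_contexts line: {raw!r}")
        specs.append(Spec(regex, ftype_val, context, has_meta_chars(regex)))
    return specs


def matchpathcon(specs: List[Spec], path: str, mode: int = 0) -> Optional[str]:
    """Model of the lookup. Each regex is matched anchored (libselinux wraps it
    in ^...$). Precedence is ASSUMED from the thread, not copied from libselinux:
    an entry without metacharacters beats any regex entry; among equals, the
    last matching entry in load order wins."""
    winner = None
    for spec in specs:
        if mode and spec.ftype is not None and stat.S_IFMT(mode) != spec.ftype:
            continue
        if re.fullmatch(spec.regex, path) is None:
            continue
        if winner is None or not spec.has_meta or winner.has_meta:
            winner = spec
    return winner.context if winner else None


# Constructed entries modelled on the report. The homedirs line is a stand-in
# for the generated file_contexts.homedirs, not a copy of it.
POLICY_FC_UNESCAPED = "/home/putz/public_html/complex.cgi -- user_u:object_r:httpd_unconfined_script_exec_t:s0\n"
POLICY_FC_ESCAPED = "/home/putz/public_html/complex\\.cgi -- user_u:object_r:httpd_unconfined_script_exec_t:s0\n"
HOMEDIRS_FC = "/home/[^/]*/public_html(/.+)? system_u:object_r:httpd_user_content_t:s0\n"
LOCAL_FC = POLICY_FC_UNESCAPED   # what 'semanage fcontext -a' appends to file_contexts.local
PATH = "/home/putz/public_html/complex.cgi"


def context_with_unescaped_module() -> Optional[str]:
    # assumed load order: policy file_contexts, then file_contexts.homedirs
    return matchpathcon(parse_file_contexts(POLICY_FC_UNESCAPED + HOMEDIRS_FC), PATH, stat.S_IFREG)


def context_with_escaped_module() -> Optional[str]:
    return matchpathcon(parse_file_contexts(POLICY_FC_ESCAPED + HOMEDIRS_FC), PATH, stat.S_IFREG)


def context_with_local_override() -> Optional[str]:
    # file_contexts.local is loaded last, so last-match-wins favours it
    return matchpathcon(parse_file_contexts(POLICY_FC_UNESCAPED + HOMEDIRS_FC + LOCAL_FC), PATH, stat.S_IFREG)


def matches_complexXcgi(regex_line: str) -> bool:
    # an unescaped '.' also matches a file that is not complex.cgi at all
    return matchpathcon(parse_file_contexts(regex_line), "/home/putz/public_html/complexXcgi", stat.S_IFREG) is not None


if __name__ == "__main__":
    print("unescaped module entry :", context_with_unescaped_module())
    print("escaped module entry   :", context_with_escaped_module())
    print("semanage -a (local)    :", context_with_local_override())
    print("complex.cgi matches complexXcgi  :", matches_complexXcgi(POLICY_FC_UNESCAPED))
    print("complex\\.cgi matches complexXcgi :", matches_complexXcgi(POLICY_FC_ESCAPED))
```

Under these assumptions the unescaped module entry yields httpd_user_content_t (the homedirs entry is a regex loaded later), the escaped entry yields httpd_unconfined_script_exec_t (no metacharacters, so it takes precedence), and the `semanage fcontext -a` entry wins simply by being last in load order. On a real system, check the outcome with `matchpathcon` rather than trusting the model.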