Bug 251001 - Homedir context configuration overrides contexts in packages
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: policycoreutils
Version: 5.0
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2007-08-06 10:00 EDT by Anchor Systems Managed Hosting
Modified: 2007-11-30 17:07 EST
Doc Type: Bug Fix
Last Closed: 2007-09-18 20:41:34 EDT

Description Anchor Systems Managed Hosting 2007-08-06 10:00:30 EDT
Description of problem:

The file context configuration generated by `genhomedircon` overrides the
file context configuration provided by a package even if the package context
is for a more specific path. This violates the principle of least surprise.

Version-Release number of selected component (if applicable):
policycoreutils-1.33.12-3.el5

How reproducible:
100%

Steps to Reproduce:

1. Assume that you want to override the default type of

  ~putz/public_html/complex.cgi

to be httpd_unconfined_script_exec_t (for use with restorecond) and
that the SELinux policy is being managed via a SELinux package.

2. Create a policy package with an entry of:

/home/putz/public_html/crud.cgi   --   user_u:object_r:httpd_unconfined_script_exec_t:s0

3. Create a TE file (can be pretty much empty)

4. Compile into a module with checkmodule and load with semodule

5. Running `semanage fcontext -l | grep complex.cgi` will show as expected:

/home/putz/public_html/complex.cgi	regular file	user_u:object_r:httpd_unconfined_script_exec_t:s0

Actual results:

Checking the default SELinux security context with `matchpathcon` will give a
type of `httpd_user_content_t`.

Expected results:

For `matchpathcon` to return a type of `httpd_unconfined_script_exec_t`.

Additional info:

The default context is being overridden by the contents of
`/etc/selinux/targeted/contexts/files/file_contexts.homedirs`

Running `semanage fcontext -a -f -- -t httpd_unconfined_script_exec_t /home/putz/public_html/complex.cgi`
will change the default type as expected.
Comment 1 Daniel Walsh 2007-08-06 10:14:44 EDT
Yes, I am opening a discussion on this topic with the selinux developers.  I tend
to agree with you that these should be treated the same.
Comment 2 Stephen Smalley 2007-08-06 10:49:01 EDT
Escape the "."; otherwise it matches any character.
/home/putz/public_html/complex\.cgi

Then it should work, as fully specified pathnames (no meta characters) take
precedence.

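The precedence rule behind comment 2, modelled in Python as an added example (this is not code from the bug, from policycoreutils or from libselinux): a file_contexts path field containing an unescaped metacharacter is treated as a regular expression, and among regex entries the last matching one in the file wins, which is why the homedir entry appended from file_contexts.homedirs overrides the module's `complex.cgi` line. A path with no metacharacters is a fully specified pathname and is consulted first. The metacharacter set, the shape of the generated `public_html` line and the two-tier ordering are assumptions of this model, chosen to reproduce the behaviour described in the report.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Characters that turn a file_contexts path field into a regular expression.
# A backslash escapes the next character, so "\." is a literal dot.
# (Assumed set for this model, not quoted from libselinux.)
METACHARS = set('.^$?*+|[({')


@dataclass
class Spec:
    regex: str              # path field; matched anchored at both ends
    ftype: Optional[str]    # "--" regular file, "-d" directory, ... or None
    context: str            # e.g. user_u:object_r:httpd_user_content_t:s0
    literal: bool           # True when the path field has no metacharacters


def has_metachars(path: str) -> bool:
    """True if the path field contains an unescaped regex metacharacter."""
    i = 0
    while i < len(path):
        if path[i] == '\\':
            i += 2                    # escaped character is never a metachar
            continue
        if path[i] in METACHARS:
            return True
        i += 1
    return False


def parse_file_contexts(text: str) -> List[Spec]:
    """Parse lines of the form: <regex> [<-type>] <context>."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        fields = line.split()
        if len(fields) == 3:
            regex, ftype, context = fields
        elif len(fields) == 2:
            (regex, context), ftype = fields, None
        else:
            raise ValueError(f'malformed file_contexts line: {line!r}')
        specs.append(Spec(regex, ftype, context, not has_metachars(regex)))
    return specs


def matching_entries(specs: List[Spec], path: str, ftype: str = '--') -> List[Spec]:
    """Every entry whose anchored regex (and type, if given) matches, in input order."""
    return [s for s in specs
            if (s.ftype is None or s.ftype == ftype) and re.fullmatch(s.regex, path)]


def default_context(specs: List[Spec], path: str, ftype: str = '--') -> Optional[str]:
    """Model of the lookup: fully specified paths beat regex entries; among regex
    entries the last one in the file wins. Implemented by moving literal entries
    behind all regex entries (keeping relative order) and taking the last match."""
    ordered = [s for s in specs if not s.literal] + [s for s in specs if s.literal]
    matches = matching_entries(ordered, path, ftype)
    return matches[-1].context if matches else None


# Constructed inputs modelled on the report: the module entry as the reporter
# wrote it (unescaped "."), the same entry escaped as comment 2 suggests, and an
# approximation of the ~/public_html line genhomedircon appends afterwards.
MODULE_ENTRY_UNESCAPED = '/home/putz/public_html/complex.cgi  --  user_u:object_r:httpd_unconfined_script_exec_t:s0'
MODULE_ENTRY_ESCAPED = r'/home/putz/public_html/complex\.cgi  --  user_u:object_r:httpd_unconfined_script_exec_t:s0'
HOMEDIR_ENTRY = '/home/[^/]*/public_html(/.+)?  system_u:object_r:httpd_user_content_t:s0'
PATH = '/home/putz/public_html/complex.cgi'


def reproduce():
    """Return (context with the unescaped entry, context with the escaped entry)."""
    buggy = parse_file_contexts(MODULE_ENTRY_UNESCAPED + '\n' + HOMEDIR_ENTRY)
    fixed = parse_file_contexts(MODULE_ENTRY_ESCAPED + '\n' + HOMEDIR_ENTRY)
    return default_context(buggy, PATH), default_context(fixed, PATH)


if __name__ == '__main__':
    before, after = reproduce()
    print('unescaped "." :', before)   # homedir entry wins: httpd_user_content_t
    print('escaped "\\."  :', after)   # literal path wins: httpd_unconfined_script_exec_t
```

The unescaped line also illustrates the second half of the comment: because `.` matches any character, `matching_entries` reports it as matching a constructed path such as `/home/putz/public_html/complexXcgi`, whereas the escaped line matches only the intended file.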