Bug 251001 - Homedir context configuration overrides contexts in packages
Summary: Homedir context configuration overrides contexts in packages
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: policycoreutils
Version: 5.0
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Target Release: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2007-08-06 14:00 UTC by Anchor Systems Managed Hosting
Modified: 2007-11-30 22:07 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-09-19 00:41:34 UTC
Target Upstream Version:
Embargoed:



Description Anchor Systems Managed Hosting 2007-08-06 14:00:30 UTC
Description of problem:

The file context configuration generated by `genhomedircon` overrides the
file context configuration provided by a package even if the package context
is for a more specific path. This violates the principle of least surprise.

Version-Release number of selected component (if applicable):
policycoreutils-1.33.12-3.el5

How reproducible:
100%

Steps to Reproduce:

1. Assume that you want to override the default type of

  ~putz/public_html/complex.cgi

to be httpd_unconfined_script_exec_t (for use with restorecond) and
that the SELinux policy is being managed via an SELinux package.

2. Create a policy package with an entry of:

/home/putz/public_html/crud.cgi   --   user_u:object_r:httpd_unconfined_script_exec_t:s0

3. Create a TE file (can be pretty much empty)

4. Compile into a module with checkmodule and load with semodule

5. Running `semanage fcontext -l | grep complex.cgi` will show as expected:

/home/putz/public_html/complex.cgi	regular file	user_u:object_r:httpd_unconfined_script_exec_t:s0

Actual results:

Checking the default SELinux security context with `matchpathcon` will give a
type of `httpd_user_content_t`.

Expected results:

For `matchpathcon` to return a type of `httpd_unconfined_script_exec_t`.

Additional info:

The default context is being overridden by the contents of
`/etc/selinux/targeted/contexts/files/file_contexts.homedirs`

Running `semanage fcontext -a -f -- -t httpd_unconfined_script_exec_t /home/putz/public_html/complex.cgi`
will change the default type as expected.

Comment 1 Daniel Walsh 2007-08-06 14:14:44 UTC
Yes, I am opening a discussion on this topic with the SELinux developers. I tend
to agree with you that these should be treated the same.

Comment 2 Stephen Smalley 2007-08-06 14:49:01 UTC
Escape the "."; otherwise it matches any character.
/home/putz/public_html/complex\.cgi

Then it should work, as fully specified pathnames (no meta characters) take
precedence.
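The precedence rule behind Comment 2, and the reporter's observation in the description that an entry added with `semanage fcontext -a` did take effect, can be demonstrated without an SELinux host. The following is an added example, not code from the bug report, from policycoreutils or from libselinux: a small Python model of how matchpathcon resolves a path against the concatenation of file_contexts, file_contexts.homedirs and file_contexts.local. It assumes the rule Stephen Smalley states (an entry with no unescaped regex metacharacters is a literal path and beats any regex match; otherwise the last entry loaded wins), uses Python's `re` in place of the POSIX regex library, omits libselinux's stem optimisation, and embeds constructed sample lines (the homedirs line is shaped like the targeted policy's public_html rule, not copied from it). Function names such as `candidates` and `load_context_files` are this example's own.

```python
import re

# Unescaped characters that make a file_contexts path field a regex rather
# than a literal path (the set libselinux's spec_hasMetaChars() tests for).
_META_CHARS = set(".^$?*+|[({")

def has_meta_chars(path_field):
    """True if path_field contains an unescaped regex metacharacter."""
    i = 0
    while i < len(path_field):
        if path_field[i] == "\\":       # backslash escapes the next character
            i += 2
            continue
        if path_field[i] in _META_CHARS:
            return True
        i += 1
    return False

def parse_file_contexts(text, source):
    """Parse 'path_regex [-type] context' lines; '#' starts a comment."""
    specs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 2:
            path_field, ftype, context = fields[0], None, fields[1]
        elif len(fields) == 3:
            path_field, ftype, context = fields
        else:
            raise ValueError("%s:%d: malformed entry" % (source, lineno))
        specs.append({
            "path_field": path_field,
            "ftype": ftype,              # '--' regular file, '-d' directory, ...
            "context": context,
            "literal": not has_meta_chars(path_field),
            "regex": re.compile("^" + path_field + "$"),   # anchored both ends
            "source": "%s:%d" % (source, lineno),
        })
    return specs

def load_context_files(file_contexts, homedirs, local):
    """Concatenate the three files in the order matchpathcon loads them."""
    return (parse_file_contexts(file_contexts, "file_contexts")
            + parse_file_contexts(homedirs, "file_contexts.homedirs")
            + parse_file_contexts(local, "file_contexts.local"))

def candidates(specs, path, ftype=None):
    """Matching entries, highest precedence first.  Literal entries are moved
    behind every regex entry and the table is scanned from the end, so a
    literal match beats any regex match and, within a class, the last entry
    loaded wins (the rule assumed by this example)."""
    ordered = ([s for s in specs if not s["literal"]]
               + [s for s in specs if s["literal"]])
    hits = []
    for spec in reversed(ordered):
        if ftype and spec["ftype"] and spec["ftype"] != ftype:
            continue                     # entry is for another file type
        if spec["regex"].match(path):
            hits.append(spec)
    return hits

def match_context(specs, path, ftype=None):
    """What `matchpathcon path` would print, or None if nothing matches."""
    hits = candidates(specs, path, ftype)
    return hits[0]["context"] if hits else None

# --- Constructed sample input: shaped like the real files, not copied from them.
HOMEDIRS = """
/home/[^/]*/((www)|(web)|(public_html))(/.+)?  system_u:object_r:httpd_user_content_t:s0
"""
# Module .fc entry as in the report: the unescaped '.' makes it a regex.
MODULE_FC_UNESCAPED = """
/home/putz/public_html/complex.cgi  --  user_u:object_r:httpd_unconfined_script_exec_t:s0
"""
# Same entry with the '.' escaped, as Comment 2 advises: now a literal path.
MODULE_FC_ESCAPED = r"""
/home/putz/public_html/complex\.cgi  --  user_u:object_r:httpd_unconfined_script_exec_t:s0
"""
LOCAL = MODULE_FC_UNESCAPED   # what `semanage fcontext -a ...` appends to file_contexts.local
PATH = "/home/putz/public_html/complex.cgi"

def bug_report_result():
    return match_context(load_context_files(MODULE_FC_UNESCAPED, HOMEDIRS, ""), PATH, "--")

def escaped_result():
    return match_context(load_context_files(MODULE_FC_ESCAPED, HOMEDIRS, ""), PATH, "--")

def semanage_local_result():
    return match_context(load_context_files(MODULE_FC_UNESCAPED, HOMEDIRS, LOCAL), PATH, "--")

def unescaped_dot_overmatches():
    """The regex entry also labels a look-alike name; the literal entry does not."""
    lookalike = "/home/putz/public_html/complexXcgi"
    return (match_context(load_context_files(MODULE_FC_UNESCAPED, "", ""), lookalike, "--"),
            match_context(load_context_files(MODULE_FC_ESCAPED, "", ""), lookalike, "--"))

if __name__ == "__main__":
    print("unescaped module entry + homedirs :", bug_report_result())
    print("escaped module entry + homedirs   :", escaped_result())
    print("unescaped entry via semanage local:", semanage_local_result())
    print("look-alike name (regex, literal)  :", unescaped_dot_overmatches())
```

Run on its own, the script prints the context each scenario resolves to: the unescaped module entry loses to the later homedirs regex (httpd_user_content_t, as in the report), the escaped entry wins as a literal, and the unescaped entry wins only when it arrives via file_contexts.local because that file is loaded last. The point for a module author is that `semanage fcontext -l` echoes the entry exactly as typed and gives no hint that an unescaped `.` has turned a path into a pattern; as `unescaped_dot_overmatches` shows, the pattern also hands the privileged type to any file whose name differs from complex.cgi at that one character, so escaping is the fix rather than relying on load order.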


