What is the correct way to ensure the precedence of fcontext rules?
Issue

- Create the directories:

    # mkdir /dir
    # mkdir /dir/subdir

- Set an fcontext rule for the subdirectory:

    # semanage fcontext -a -t httpd_sys_content_t "/dir/subdir(/.*)?"

- Restore the SELinux contexts from the created rule:

    # restorecon -Rv /dir
    restorecon reset /dir/subdir context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0

- Set an fcontext rule for the parent directory:

    # semanage fcontext -a -t httpd_cache_t "/dir(/.*)?"

- Restore the SELinux contexts from the created rule:

    # restorecon -Rv /dir
    restorecon reset /dir context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:httpd_cache_t:s0
    restorecon reset /dir/subdir context unconfined_u:object_r:httpd_sys_content_t:s0->unconfined_u:object_r:httpd_cache_t:s0
    # ls -lZd /dir /dir/subdir
    drwxr-xr-x. root root unconfined_u:object_r:httpd_cache_t:s0 /dir
    drwxr-xr-x. root root unconfined_u:object_r:httpd_cache_t:s0 /dir/subdir

  NOTE: Both the parent directory and the subdirectory have had their SELinux contexts changed.

- However, "semanage fcontext -l" does not show which rule overrides the other:

    # semanage fcontext -l | grep "/dir"
    /dir(/.*)?            all files    system_u:object_r:httpd_cache_t:s0
    /dir/subdir(/.*)?     all files    system_u:object_r:httpd_sys_content_t:s0
What is the correct way to ensure the precedence of fcontext rules?
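The following script is an added illustration and is not part of the Red Hat article. It emulates, offline, the lookup libselinux performs for a path against the regex rules in file_contexts.local, so the ordering effect seen in the Issue can be reproduced and checked without a live SELinux system. It rests on two assumptions that the article itself does not state: every rule regex is matched anchored at both ends and the last matching rule wins, and `semanage fcontext -a` appends each new rule at the end of file_contexts.local in the order the rules were added. The sample rule file is constructed to mirror the Issue's two rules in the order they were added.

```shell
#!/bin/sh
# Added illustration; not code from the Red Hat article.
# Emulates the libselinux lookup of a path against the regex rules in
# file_contexts.local so the ordering effect from the Issue is reproducible.
# Assumptions (not stated by the article): each regex is anchored at both
# ends, the LAST matching rule wins, and `semanage fcontext -a` appends new
# rules to the end of file_contexts.local in the order they are added.
set -f   # the regexes contain '*'; never let the shell glob-expand them

# Constructed sample of file_contexts.local, in the order the Issue added the
# rules: the subdirectory rule first, then the parent-directory rule.
SAMPLE_LOCAL='/dir/subdir(/.*)?    system_u:object_r:httpd_sys_content_t:s0
/dir(/.*)?    system_u:object_r:httpd_cache_t:s0'

# match_fcontext PATH RULES
# Prints the context of the last rule whose regex matches PATH (empty if none).
# A rule line is "REGEX [FILETYPE] CONTEXT"; the optional file-type field
# (--, -d, -l, ...) is skipped because the Issue's rules apply to "all files".
match_fcontext() {
    path=$1
    winner=""
    while read -r regex rest; do
        [ -z "$regex" ] && continue
        context=""
        for word in $rest; do context=$word; done   # last field is the context
        if printf '%s\n' "$path" | grep -Eq "^(${regex})\$"; then
            winner=$context        # a later match overrides an earlier one
        fi
    done <<EOF
$2
EOF
    printf '%s\n' "$winner"
}

# move_rule_last RULES REGEX
# Emulates deleting a rule (semanage fcontext -d REGEX) and adding it back with
# the same context (semanage fcontext -a ...): the rule is re-appended at the
# end of the file and so becomes the winning match for every path it covers.
move_rule_last() {
    target=$2
    kept=""
    moved=""
    while read -r regex rest; do
        [ -z "$regex" ] && continue
        if [ "$regex" = "$target" ]; then
            moved="$regex $rest"
        else
            kept="$kept$regex $rest
"
        fi
    done <<EOF
$1
EOF
    printf '%s%s\n' "$kept" "$moved"
}

# Reproduce the Issue: the parent rule was added last, so it wins everywhere,
# including inside /dir/subdir.
echo "before: /dir/subdir/index.html -> $(match_fcontext /dir/subdir/index.html "$SAMPLE_LOCAL")"

# Re-append the more specific rule; it now wins for its own subtree only,
# while the parent rule still covers the rest of /dir.
FIXED=$(move_rule_last "$SAMPLE_LOCAL" '/dir/subdir(/.*)?')
echo "after:  /dir/subdir/index.html -> $(match_fcontext /dir/subdir/index.html "$FIXED")"
echo "after:  /dir/other             -> $(match_fcontext /dir/other "$FIXED")"
```

On a real system the same check is done against the live rule set with `matchpathcon /dir/subdir` (from libselinux-utils), which prints the context that restorecon would apply; comparing its answer before and after re-adding the subdirectory rule confirms which rule currently wins without relabelling anything.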
Environment
- Red Hat Enterprise Linux (RHEL) 5
- Red Hat Enterprise Linux (RHEL) 6
- SELinux