Hi, everyone,
I have a very curious problem with 'restorecon'.
Problem: 'restorecon' should relabel the context of the path /maco/glass to system_u:object_r:glass_rw_t:s0; however, it relabels the context to system_u:object_r:user_home_dir_t:s0.
The command that triggers the error: restorecon -F -R -v /maco/glass/
Expected result: drwxr-xr-x. 2 system_u:object_r:glass_rw_t:s0 glass glass 4096 2009-07-24 11:32 glass
Actual result: drwxr-xr-x. 2 system_u:object_r:user_home_dir_t:s0 glass glass 4096 2009-07-24 11:32 glass
Background: I have created a custom policy named 'glass' which specifies SELinux rules for the GlassFish application server. It worked just fine until a couple of days ago.
The catch is that a couple of days ago I decided to change the path of my GlassFish installation from /var/glass to /maco/glass.
Here is the content of the glass.fc file:
/maco/glass -d gen_context(system_u:object_r:glass_rw_t,s0)
/maco/glass/.* gen_context(system_u:object_r:glass_r_t,s0)
/maco/glass/bin/asadmin -- gen_context(system_u:object_r:glass_exec_t,s0)
/maco/glass/lib/registration/servicetag-registry.xml -- gen_context(system_u:object_r:glass_rw_t,s0)
/maco/glass/config/asenv.conf -- gen_context(system_u:object_r:glass_rx_t,s0)
/maco/glass/lib/libjvminfoutil.so -- gen_context(system_u:object_r:glass_rx_t,s0)
/maco/glass/domains -d gen_context(system_u:object_r:glass_rw_t,s0)
/maco/glass/domains/.* gen_context(system_u:object_r:glass_rw_t,s0)
/maco/glass/updatecenter/config/config.xml -- gen_context(system_u:object_r:glass_rw_t,s0)
/maco/glass/lib/install/applications -d gen_context(system_u:object_r:glass_rw_t,s0)
System configuration: Fedora 11
Linux Maco 2.6.29.6-213.fc11.i686.PAE #1 SMP Tue Jul 7 20:59:29 EDT 2009 i686 i686 i386 GNU/Linux
Comments:
- I have another custom policy (named 'MySVN'). This one also relabels (with custom contexts) the path /maco/svn -- curiously enough, this works just fine.
- Before, when I was using /var/glass, relabelling worked just fine.
- I have tried changing the path from /maco/glass to simply /glass (to see if this works), and it worked (it correctly changed the context of the directory).
- I have checked with the 'SELinux Management' tool that the specified file label rules were in fact installed.
- I believe this could be a bug in Fedora's SELinux file labelling rules.
EDIT: I have tried to change the path from /maco/glass to /maco/sublask (a totally random folder name), and it worked... It is true that I moved the '/maco/glass' folder from my home folder (namely: '/home/Download/glassfish') with the following command:
mv "/home/Download/glassfish" "/maco/glass";
Could the move have confused SELinux into thinking that the folder '/maco/glass' is still in my home folder? The folder '/maco' is a mount point with its own partition. Also, I have deleted the folder many times with the following command: rm -Rf /maco/glass. Nevertheless, it still relabels the path to 'system_u:object_r:user_home_dir_t:s0'.
Thank you very much for your assistance.
Sincerely,
---
Matej