Hello, list.
I'm having quite some difficulties in understanding some SELinux behaviour, and Google is not helping...
On an RHEL6-based system using the targeted policy, when we create our .k5login files, they get the context of their parent directory, and *not* the one specified in the policy for .k5login. Calling restorecon gives them the correct context, but I would expect it to be correct since the file is created.
The file_contexts file looks like this:
19:/root(/.*)? system_u:object_r:admin_home_t:s0
2353:/root/.k5login -- system_u:object_r:krb5_home_t:s0
And the behaviour we get is:
************************************************************
# Initial status:
~ # sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          permissive
Policy version:                 24
Policy from config file:        targeted
~ # LANG=C ls -a .k5login
ls: cannot access .k5login: No such file or directory

# Create the file
~ # echo foo@CERN.CH > .k5login
~ # ls -Z .k5login
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 .k5login

# But restorecon gives it the correct context!!
~ # restorecon .k5login
~ # ls -Z .k5login
-rw-r--r--. root root system_u:object_r:krb5_home_t:s0 .k5login
************************************************************
I would expect that newly-created files wouldn't need a restorecon, unless the policy changed or they were created when SELinux was disabled. Am I wrong? Or is it a bug in the policy?
Thanks a lot.
PS: I suppose this problem applies to other files, we've been hit with .k5login first (users couldn't SSH in).
PPS: I'm using: selinux-policy-targeted-3.7.19-54.el6.noarch
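The distinction behind the observed behaviour is that file_contexts is read by userspace tools such as restorecon, setfiles and matchpathcon; the kernel labels a newly created file from the loaded policy's type_transition rules and otherwise inherits the parent directory's type, so the two can disagree until something relabels. A defender therefore wants a way to find such drift without waiting for a login failure. The following script is an added example, not code from the original post: it parses a small file_contexts excerpt in the same format the post shows (the two /root entries are taken from the post, the /home entries and the observed file list are constructed), applies the rule setfiles and matchpathcon use (anchored regex, optional file-type flag, last matching entry wins), and reports files whose current type differs from the expected one, comparing only the type component the way restorecon does without -F. The entries beyond /root are an assumption added to show the file-type flag at work.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed file_contexts excerpt in the format shown in the post:
# <regex> [<file-type flag>] <context>. The /root lines are the post's own;
# the /home lines are an assumption added to show the type flag in action.
FILE_CONTEXTS = """\
/root(/.*)?                 system_u:object_r:admin_home_t:s0
/root/.k5login          --  system_u:object_r:krb5_home_t:s0
/home/[^/]+(/.*)?           unconfined_u:object_r:user_home_t:s0
/home/[^/]+/.k5login    --  unconfined_u:object_r:krb5_home_t:s0
"""

# File-type flags as used by setfiles/matchpathcon: -- regular file, -d directory, ...
TYPE_FLAGS = {"--": "file", "-d": "dir", "-l": "symlink", "-b": "block",
              "-c": "char", "-p": "pipe", "-s": "socket"}


@dataclass
class Spec:
    pattern: re.Pattern
    ftype: Optional[str]   # None means the entry applies to any file type
    context: str


def parse_file_contexts(text):
    """Parse file_contexts lines into Spec objects, keeping file order."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            regex, flag, ctx = fields
            ftype = TYPE_FLAGS[flag]
        elif len(fields) == 2:
            regex, ctx = fields
            ftype = None
        else:
            raise ValueError(f"malformed file_contexts line: {line!r}")
        # libselinux anchors every regex at both ends before matching.
        specs.append(Spec(re.compile("^" + regex + "$"), ftype, ctx))
    return specs


def expected_context(specs, path, ftype):
    """Context file_contexts assigns to path, or None if no entry matches.
    As in matchpathcon/setfiles, the last matching entry wins."""
    match = None
    for spec in specs:
        if spec.ftype not in (None, ftype):
            continue
        if spec.pattern.match(path):
            match = spec.context
    return match


def type_of(context):
    """Type component of a user:role:type:level context string."""
    return context.split(":")[2]


def audit(specs, observed, strict=False):
    """observed: list of (path, ftype, current_context).
    Returns [(path, current, expected)] for files restorecon would relabel.
    Only the type is compared unless strict=True (restorecon -F behaviour)."""
    drift = []
    for path, ftype, current in observed:
        want = expected_context(specs, path, ftype)
        if want is None:
            continue
        differs = current != want if strict else type_of(current) != type_of(want)
        if differs:
            drift.append((path, current, want))
    return drift


# Constructed observations; the .k5login line reproduces the post's ls -Z output.
SAMPLE_OBSERVED = [
    ("/root/.k5login", "file", "unconfined_u:object_r:admin_home_t:s0"),
    ("/root/.bashrc",  "file", "unconfined_u:object_r:admin_home_t:s0"),
    ("/root",          "dir",  "system_u:object_r:admin_home_t:s0"),
]

if __name__ == "__main__":
    specs = parse_file_contexts(FILE_CONTEXTS)
    for path, current, want in audit(specs, SAMPLE_OBSERVED):
        print(f"{path}: is {type_of(current)}, policy expects {type_of(want)}")
```

On a live system the observed list would come from `ls -Z` or `find ... -printf`, and the same comparison is what `restorecon -nv` performs; the script's value is in making the last-match and file-type rules explicit so a reviewer can see why /root/.k5login resolves to krb5_home_t while a directory of the same name would not.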