Semanage and file_contexts.local: order and no relabeling

Postby Tabs » Thu Dec 04, 2014 3:20 pm

Dear SElinux community,

I think my understanding of SELinux is really moving forward, but I still fail to understand two phenomena and would appreciate your insight on those two topics.

First the usuals:
Centos 6
Linux 2.6.32-504
libselinux version: 2.0.94
libsemanage: 2.0.43
policy version : 3.7.19

1. order of expressions in file_contexts.local

I created some local fcontext rules using semanage. For a specific file, I used the following commands to check if the relabelling works correctly:
# findcon /etc/selinux/targeted/contexts/files/file_contexts.local -p /path/to/aquota.group

/path(/.*)?        system_u:object_r:mnt_t:s0
/path/to/a?quota\.(user|group)   --   system_u:object_r:quota_db_t:s0
/path/to/.*        system_u:object_r:samba_share_t:s0
When using matchpathcon to check that the file is relabelled as quota_db_t as expected, I find it to be relabelled as samba_share_t. Note that my expectations come from:
http://wiki.gentoo.org/wiki/SELinux/FAQ#How_do_I_know_which_file_context_rule_is_used_for_a_particular_file.3F

Even more curiously, when I recreate the rules, changing only their order so that the command below gives the output:
# findcon /etc/selinux/targeted/contexts/files/file_contexts.local -p /path/to/aquota.group

/path(/.*)?        system_u:object_r:mnt_t:s0
/path/to/.*        system_u:object_r:samba_share_t:s0
/path/to/a?quota\.(user|group)   --   system_u:object_r:quota_db_t:s0
then I obtain the expected labelling. I do not understand it. Does SELinux use the order of the expressions in file_contexts.local to relabel files?

2. Explicitly ask for no relabelling

I have a folder /path/to/folder which contains only folders that are binds (i.e. mount --bind). Hence the labelling of these folders is already correctly done and I do not want SELinux to relabel those (twice). I think this is in the spirit of the mount folder:
/mnt(/[^/]*)                                       symbolic link      system_u:object_r:mnt_t:s0
/mnt(/[^/]*)?                                      directory          system_u:object_r:mnt_t:s0
/mnt/[^/]*/.*                                      all files          <<None>>
Hence I would like to obtain something like:
/path/to/folder                                      directory          system_u:object_r:mnt_t:s0
/path/to/folder/.*                                   all files          <<None>>
But I cannot find the semanage command to obtain the "<<None>>" relabelling. Any idea?
NB: so far I use the command below to avoid relabelling this part.
# restorecon -e /path/to/folder -vR /path/to
Thanks in advance for your help,

Tabs
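As an added example, not from the thread or from libselinux itself, the following Python models the two things the post asks about: how the order of entries in a file_contexts-style table decides which context a path gets, and what a <<none>> entry does. The model applies the entries in reverse file order and stops at the first match, the "last matching entry wins" convention behind the rule of thumb that file_contexts files list generic patterns before specific ones; it deliberately ignores the specificity-based sorting that newer libselinux releases perform and the precedence between file_contexts and file_contexts.local, so it is a teaching model, not a reimplementation of matchpathcon. A <<none>> entry tells setfiles/restorecon to leave the existing label alone, which is the per-pattern equivalent of the restorecon -e exclusion used in the post. The sample table is constructed from the patterns quoted in the post; the two /path/to/folder entries are the hypothetical rules from point 2.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed file_contexts-style table built from the patterns quoted in the
# post; it is NOT the poster's real file_contexts.local. The last two entries
# are the hypothetical "/path/to/folder" rules from point 2 of the post.
SAMPLE_SPECS = """\
# generic pattern first, more specific patterns after it
/path(/.*)?                        system_u:object_r:mnt_t:s0
/path/to/a?quota\\.(user|group)  --  system_u:object_r:quota_db_t:s0
/path/to/.*                        system_u:object_r:samba_share_t:s0
/path/to/folder                  -d  system_u:object_r:mnt_t:s0
/path/to/folder/.*                   <<none>>
"""

# Optional middle column of file_contexts: restrict an entry to one file type.
FILE_TYPE_FLAGS = {
    "--": "file", "-d": "dir", "-l": "symlink", "-c": "char",
    "-b": "block", "-s": "socket", "-p": "pipe",
}


@dataclass
class Spec:
    pattern: "re.Pattern[str]"
    ftype: Optional[str]      # None: the entry applies to every file type
    context: Optional[str]    # None: <<none>>, leave the existing label alone
    lineno: int               # 1-based line in the table, for explaining a result


def parse_file_contexts(text: str) -> List[Spec]:
    """Parse lines of the form: <regex> [<type flag>] <context | <<none>>>."""
    specs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            path_re, flag, ctx = fields
            ftype = FILE_TYPE_FLAGS[flag]
        elif len(fields) == 2:
            path_re, ctx = fields
            ftype = None
        else:
            raise ValueError("line %d: expected 2 or 3 fields, got %d" % (lineno, len(fields)))
        # A file_contexts regex must match the whole path, so anchor both ends.
        pattern = re.compile("^(?:" + path_re + ")$")
        context = None if ctx.lower() == "<<none>>" else ctx
        specs.append(Spec(pattern, ftype, context, lineno))
    return specs


def lookup(specs: List[Spec], path: str, ftype: str = "file") -> Tuple[Optional[str], Optional[int]]:
    """Return (context, lineno) of the winning entry.

    context is None for a <<none>> entry; (None, None) means no entry matched.
    Entries are consulted from the last line upward, so a later entry that
    matches the same path takes precedence over an earlier one.
    """
    for spec in reversed(specs):
        if spec.ftype is not None and spec.ftype != ftype:
            continue
        if spec.pattern.match(path):
            return spec.context, spec.lineno
    return None, None


def relabel_decision(specs: List[Spec], path: str, current_context: str, ftype: str = "file") -> str:
    """Describe what a restorecon-style pass would do for one path."""
    context, lineno = lookup(specs, path, ftype)
    if lineno is None:
        return "no rule: leave %s" % current_context
    if context is None:
        return "<<none>> (line %d): leave %s" % (lineno, current_context)
    if context == current_context:
        return "line %d: already %s" % (lineno, context)
    return "line %d: relabel %s -> %s" % (lineno, current_context, context)


def swap_lines(text: str, a: int, b: int) -> str:
    """Exchange table lines a and b (1-based) to show that order alone changes the result."""
    lines = text.splitlines()
    lines[a - 1], lines[b - 1] = lines[b - 1], lines[a - 1]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    specs = parse_file_contexts(SAMPLE_SPECS)
    # Both the quota entry and /path/to/.* match; the later one (samba_share_t) wins.
    print(lookup(specs, "/path/to/aquota.group"))
    # Swapping the two entries makes the quota entry the last match, as in the post.
    reordered = parse_file_contexts(swap_lines(SAMPLE_SPECS, 3, 4))
    print(lookup(reordered, "/path/to/aquota.group"))
    # Anything below /path/to/folder hits the <<none>> entry and keeps its label.
    print(relabel_decision(specs, "/path/to/folder/x/y", "system_u:object_r:usr_t:s0"))
```

Running it reproduces the post's observation: with /path/to/.* listed after the quota pattern, /path/to/aquota.group resolves to samba_share_t, and swapping the two lines makes it resolve to quota_db_t. The <<none>> entry for /path/to/folder/.* shows why such an entry is the durable alternative to passing -e every time: the decision is recorded in the table rather than on the command line.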

Re: Semanage and file_contexts.local: order and no relabeling

Postby Tabs » Tue Feb 10, 2015 8:18 am

Any news on this topic? I still have the same problems and, although I have googled it for a while, I cannot find any answer. BTW, I am also interested in a good tutorial on SELinux. So far my preference goes to:
https://www.digitalocean.com/community/tutorials/an-introduction-to-selinux-on-centos-7-part-1-basic-concepts