SELinux policy modules can contain file context definitions through their .fc files. In these files, path expressions are used to point to the various locations that should match a particular file context, and class identifiers are used to differentiate file context definitions based on the file class (directories, regular files, symbolic links, and more).
In this recipe, we'll create a mylogging SELinux module, which defines additional path specifications for logging-related contexts. We will use direct file paths as well as regular expressions, and take a look at the various class identifiers.
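As an added illustration (not code from the original recipe), the following Python sketch parses .fc entries and reports which ones apply to a given path and file class, which is a quick way to review a file context file before loading the module. The sample entries, the paths under /service and the use of var_log_t are constructed for this example; Python's re module stands in for the regular expression engine SELinux uses, and precedence between overlapping entries is not modelled.

```python
import re

# File class identifiers accepted in the second column of a .fc entry.
FILE_CLASSES = {
    "--": "regular file", "-d": "directory", "-l": "symbolic link",
    "-c": "character device", "-b": "block device",
    "-s": "socket", "-p": "named pipe",
}

# Constructed sample entries (not the recipe's own mylogging.fc).
SAMPLE_FC = r"""
# direct path, directories only
/service/log            -d  gen_context(system_u:object_r:var_log_t,s0)
# regular expression, regular files only
/service/log/.*\.log    --  gen_context(system_u:object_r:var_log_t,s0)
# regular expression, no class identifier: applies to any file class
/service/app(/.*)?/log      gen_context(system_u:object_r:var_log_t,s0)
"""

def parse_fc(text):
    """Return a list of (path_regex, class_id_or_None, context) tuples."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 2:
            path, cls, ctx = fields[0], None, fields[1]
        elif len(fields) == 3 and fields[1] in FILE_CLASSES:
            path, cls, ctx = fields
        else:
            raise ValueError(f"line {lineno}: malformed entry: {raw!r}")
        re.compile(path)  # reject broken path expressions early
        entries.append((path, cls, ctx))
    return entries

def matching_entries(entries, path, file_class):
    """Entries whose expression matches the whole path and whose class
    identifier is either absent or equal to file_class (e.g. "-d")."""
    return [e for e in entries
            if re.fullmatch(e[0], path) and e[1] in (None, file_class)]
```
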
To define a file context through an SELinux policy module, use the following approach:
With matchpathcon, we can check which context the SELinux tools would reset the resource to:
~# matchpathcon /service/log
/service/log    system_u:object_r:default_t
Create the mylogging.te file in which we mention the types that are going to be used in...