ꦫꦣꦺꦤ꧀ꦄꦤ꧀ꦠꦱꦺꦤ

PATH: usr / lib / python3.9 / site-packages / sepolicy / help

SELinux can either setup labeling directory using the Application/files screen, or you can setup file equivalence.

File Equivalence allows an administrator to label entire directory trees as the same way as the Equivalence directory tree.

Use Case 1:
An administrator want to store his Apache root content in a location other then /var/www like /srv/www. He could define an equivalence between /srv/www and /var/www.

libselinux reads the equivalence rules and does the substitution when ever the matchpathcon function is called.  Tools like restorecon/rpm/udev and others will all follow the substitution.  Using the example above when matchpathcon is handed /srv/www/cgi-bin/myscript.cgi, it substitutes /var/www for /svr/www and looks up the context of /var/www/cgi-bin/myscript.cgi.

In the command line you could execute.

# semanage fcontext -a -e /var/www /srv/www

Another common case where you might want to use file equivalence, is if you put your users home directories in a location other then /home.

If you setup an equivalence between /home and /export/home

# matchpathcon /export/home/dwalsh/.ssh
/export/home/dwalsh/.ssh    unconfined_u:object_r:home_ssh_t:s0

[-] lockdown_ptrace.png [edit]
[-] transition_from.png [edit]
[-] login_default.png [edit]
[-] lockdown_ptrace.txt [edit]
[-] lockdown_unconfined.txt [edit]
[-] booleans_toggled.txt [edit]
[-] transition_to.png [edit]
[-] transition_from_boolean_2.txt [edit]
[-] transition_from.txt [edit]
[-] lockdown_permissive.txt [edit]
[-] ports_outbound.txt [edit]
[-] start.txt [edit]
[-] files_write.png [edit]
[-] booleans_toggled.png [edit]
[-] start.png [edit]
[-] transition_from_boolean.png [edit]
[-] booleans_more_show.png [edit]
[-] users.txt [edit]
[-] users.png [edit]
[-] system_current_mode.png [edit]
[-] lockdown_permissive.png [edit]
[-] file_equiv.png [edit]
[-] system_boot_mode.png [edit]
[-] __init__.py [edit]
[-] system_relabel.png [edit]
[-] booleans.txt [edit]
[-] transition_file.png [edit]
[-] ports_outbound.png [edit]
[-] system.png [edit]
[-] files_apps.txt [edit]
[-] booleans.png [edit]
[-] transition_file.txt [edit]
[-] system_export.txt [edit]
[-] booleans_more_show.txt [edit]
[-] files_apps.png [edit]
[-] files_exec.png [edit]
[-] lockdown_unconfined.png [edit]
[-] system_boot_mode.txt [edit]
[-] files_write.txt [edit]
[-] booleans_more.txt [edit]
[+] ..
[-] transition_from_boolean_2.png [edit]
[-] ports_inbound.png [edit]
[-] transition_from_boolean_1.png [edit]
[-] files_exec.txt [edit]
[-] lockdown.png [edit]
[-] file_equiv.txt [edit]
[-] system_policy_type.png [edit]
[-] booleans_more.png [edit]
[-] lockdown.txt [edit]
[-] system_policy_type.txt [edit]
[-] transition_from_boolean_1.txt [edit]
[-] system.txt [edit]
[-] transition_from_boolean.txt [edit]
[-] login_default.txt [edit]
[-] ports_inbound.txt [edit]
[+] __pycache__
[-] system_relabel.txt [edit]
[-] login.png [edit]
[-] transition_to.txt [edit]
[-] system_export.png [edit]
[-] login.txt [edit]
[-] system_current_mode.txt [edit]