SELinux: manually changing files in /etc/selinux/targeted/contexts/files/

I'm setting up a CentOS 7 server in which the /home directory has to be located on another partition and then bind-mounted. So: /data/homes should be bind-mounted to /home.

The problem is with making sure that SELinux contexts are applied correctly. Indeed, the following commands have conflicting results:

# Applies the rules for /home to all the files
restorecon -R -v /home
# Applies the generic rules (standard files) to all the files
restorecon -R -v /data/homes

This is causing problems if the system has to relabel the files.

To solve this problem, I've modified the policy file /etc/selinux/targeted/contexts/files/file_contexts.homedirs by copying all the /home rules for /data/homes as well:

$ sed -n '/^\/home/p' /etc/selinux/targeted/contexts/files/file_contexts.homedirs \
  | sed 's/^\/home/\/data\/homes/' \
  >> /etc/selinux/targeted/contexts/files/file_contexts.homedirs

However, when the policy is re-built with semodule -B, my changes are lost.

I know the recommended way to modify those files is to use semanage fcontext, but in total there are almost 200 rules that I need to add, and running semanage for each isn't an option.

How can I manually change files in /etc/selinux/targeted/contexts/files/file_contexts and ensure that changes are kept?


Solution 1:

semanage fcontext -a -t <file_context> "<path>/<file>(/.*)?"
restorecon -R <path>/<file>

will allow you to add contexts to many files recursively and permanently. I'm not sure if you've tried this yet. Can you provide some examples of rules you're trying to set and on what files so we can see what's feasible for your needs?