Re: Question on semanage fcontext -a
On Mon, 2008-03-17 at 08:07 -0400, Stephen Smalley wrote:
On Mon, 2008-03-17 at 11:31 +0000, Paul Howarth wrote:
> ttaylor wrote:
> > Does anything special have to be done to cause SELinux to start
using newly
> > added local filecontexts? What I'm finding is that if I use
semanage
> > fcontext -a to add a local filecontext definition, it is not used
by
> > restorecon unless I specify the "-F" option. Without the
"-F"
option,
> > restorecon -vv <file_path> gives the following message:
> >
> > /sbin/restorecon: <file_path> not reset customized by admin to
> > <current_context>
> >
> > but restorecon -vv -F <file_path> gives this:
> >
> > /sbin/restorecon reset <file_path> context
<current_context>-><new_context>
>
> This is probably because <current_context> is a customizable type
like
> httpd_sys_content_t; objects with these types don't get reset by
> restorecon unless you use -F. I'm not sure how to find out which
types
> are customizable off the top of my head though.
cat /etc/selinux/$SELINUXTYPE/contexts/customizable_types
Dan - I thought we had discussed reducing that set significantly since
it was originally to avoid clobbering locally-set types upon a
filesystem relabel prior to the introduction of semanage, but with
users
now able to add local file contexts easily via semanage fcontext -a,
it
isn't as necessary.
This is exactly my situation. I am using Fedora 8 with all the latest
updates. I had used semanage to add a filecontext which would cause
particular directories to be labeled with the type httpd_sys_script_rw_t
which is a customizable type.
The directory I was trying to label was under /var/www which has a
context of httpd_sys_content_t which is also a customizabile type. So
why is it that new directories under /var/www are automatically labeled
with the httpd_sys_content_t type, but things that match my added
filecontext don't automatically get labeled with httpd_sys_script_rw_t,
and require the use of restorecon -F?
Here's the specifics:
The command I used to add my local context:
semanage fcontext -d -f -d -t httpd_sys_script_rw_t
"/var/www/wikis/[^/]+/images"
I then create a directory that matches the above pattern:
mkdir -p /var/www/wikis/foo/images
The directory is created, but has the type httpd_sys_content_t.
Now I use restorecon to relabel:
restorecon -vv /var/www/wikis/foo/images
This gives me the following message:
/sbin/restorecon: /var/www/wikis/foo/images not reset customized by
admin to system_u:object_r:httpd_sys_content_t:s0
Now run restorecon with the force flag:
restorecon -vv -F /var/www/wikis/foo/images
Gives this message:
restorecon reset /var/www/wikis/foo/images context
system_u:object_r:httpd_sys_content_t:s0->system_u:object_r:httpd_sys_script_rw_t:s0
Since both types are in the customizable_types file, why is one
automatically used, and the other only used when forced?
- Tim
--
Stephen Smalley
National Security Agency