Hi,

 

I am trying to set contexts on httpd files on a server running CentOS release 6.4 (Final).

The server has several httpd running serving different hosts.

 

The directory tree is :

/WEBS/client_name/service_name/ contains configuration files, documents to serve, …

/WEBLOGS/client_name/service_name/ contains httpd logs

/WEBDATA/client_name/service_name/ contains datas

 

Here are the rules I wrote :

[root@odbfi007v ~]# semanage fcontext -l | grep WEB

/WEBDATA/lost\+found(/.*)?                         all files          system_u:object_r:lost_found_t:s0

/WEBLOGS(/.*)                                      all files          system_u:object_r:httpd_log_t:s0

/WEBLOGS/lost\+found(/.*)?                         all files          system_u:object_r:lost_found_t:s0

/WEBS/[^/]+/[^/]+/conf(/.*)?                       all files          system_u:object_r:httpd_config_t:s0

/WEBS/[^/]+/[^/]+/docs(/.*)?                       all files          system_u:object_r:httpd_sys_content_t:s0

/WEBS/[^/]+/[^/]+/logs                             all files          system_u:object_r:httpd_log_t:s0

/WEBS/lost\+found(/.*)?                            all files          system_u:object_r:lost_found_t:s0

 

I would like to set a default type on /WEBS and his subfolders:

semanage fcontext -a -t httpd_sys_content_t '/WEBS(/.*)?'

restorecon -Rv /WEBS*

However, this command sets the type httpd_sys_content_t recursively on everything in /WEBS

What is the priority between file context rules? I thought more precise rules will prevail on others.

 

Regards,

 

Hervé