-----BEGIN PGP SIGNED MESSAGE-----
Tim Taylor wrote:
On Mon, 2008-03-17 at 08:07 -0400, Stephen Smalley wrote:
> On Mon, 2008-03-17 at 11:31 +0000, Paul Howarth wrote:
>> ttaylor wrote:
>>> Does anything special have to be done to cause SELinux to start
>>> using newly added local filecontexts? What I'm finding is that if I use
>>> fcontext -a to add a local filecontext definition, it is not used by
>>> restorecon unless I specify the "-F" option. Without the
>>> restorecon -vv <file_path> gives the following message:
>>> /sbin/restorecon: <file_path> not reset customized by admin to
>>> but restorecon -vv -F <file_path> gives this:
>>> /sbin/restorecon reset <file_path> context
>> This is probably because <current_context> is a customizable type
>> httpd_sys_content_t; objects with these types don't get reset by
>> restorecon unless you use -F. I'm not sure how to find out which
>> are customizable off the top of my head though.
> cat /etc/selinux/$SELINUXTYPE/contexts/customizable_types
> Dan - I thought we had discussed reducing that set significantly since
> it was originally to avoid clobbering locally-set types upon a
> filesystem relabel prior to the introduction of semanage, but with
> now able to add local file contexts easily via semanage fcontext -a,
> isn't as necessary.
This is exactly my situation. I am using Fedora 8 with all the latest
updates. I had used semanage to add a filecontext which would cause
particular directories to be labeled with the type httpd_sys_script_rw_t
which is a customizable type.
The directory I was trying to label was under /var/www which has a
context of httpd_sys_content_t which is also a customizable type. So
why is it that new directories under /var/www are automatically labeled
with the httpd_sys_content_t type, but things that match my added
filecontext don't automatically get labeled with httpd_sys_script_rw_t,
and require the use of restorecon -F?
Here are the specifics:
The command I used to add my local context:
semanage fcontext -a -f -d -t httpd_sys_script_rw_t <file_path_pattern>
I then create a directory that matches the above pattern:
mkdir -p /var/www/wikis/foo/images
The directory is created, but has the type httpd_sys_content_t.
Now I use restorecon to relabel:
restorecon -vv /var/www/wikis/foo/images
This gives me the following message:
/sbin/restorecon: /var/www/wikis/foo/images not reset customized by
admin to system_u:object_r:httpd_sys_content_t:s0
Now run restorecon with the force flag:
restorecon -vv -F /var/www/wikis/foo/images
Gives this message:
restorecon reset /var/www/wikis/foo/images context
Since both types are in the customizable_types file, why is one
automatically used, and the other only used when forced?
New files/directories adopt the context of their parent directory by
default, unless the program is SELinux aware or a transition rule was
written in policy:
dhcp_t creating files in directories labeled etc_t get a file context of
So since mkdir is not SELinux aware and no policy rule has been defined,
you create the directory with the same context as the parent,
httpd_sys_content_t in both cases.
restorecon reads the file context file and assigns the correct context
> Stephen Smalley
> National Security Agency
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
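The behaviour discussed in the thread (a file whose current type is listed in customizable_types is skipped by restorecon unless -F is given) can be automated rather than discovered by trial and error. The script below is an added example, not code from the thread or from the SELinux userspace tools. It assumes the customizable_types file is one type per line at /etc/selinux/$SELINUXTYPE/contexts/customizable_types (SELINUXTYPE normally comes from /etc/selinux/config; "targeted" is only a fallback here) and that GNU stat's -c %C prints a file's SELinux context. The sample customizable_types file it writes is constructed for offline testing and is not a copy of any distribution's real file.

```shell
#!/bin/sh
# Added example (not code from the thread): decide whether restorecon needs -F
# for a path by checking whether the path's *current* type is listed in the
# policy's customizable_types file, then relabel with the right flag.
#
# Assumptions (not stated on the page): the customizable_types file is one type
# per line at /etc/selinux/$SELINUXTYPE/contexts/customizable_types, and
# `stat -c %C` prints a file's SELinux context (GNU coreutils).

# Constructed sample customizable_types file used for offline testing; the
# entries mirror the two types discussed in the thread plus one more. It is
# not a copy of any distribution's real file.
SAMPLE_TYPES_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_TYPES_FILE"' EXIT
cat > "$SAMPLE_TYPES_FILE" <<'EOF'
httpd_sys_content_t
httpd_sys_script_rw_t
public_content_t
EOF

# context_type CONTEXT: print the type field of a full label,
# e.g. system_u:object_r:httpd_sys_content_t:s0 -> httpd_sys_content_t
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# is_customizable TYPE TYPES_FILE: succeed if TYPE appears as a whole line
# (-x), taken literally (-F), in TYPES_FILE.
is_customizable() {
    grep -qxF -- "$1" "$2"
}

# restorecon_flags CONTEXT TYPES_FILE: print "-F" when CONTEXT's type is
# customizable (restorecon would otherwise leave the file alone), else nothing.
restorecon_flags() {
    if is_customizable "$(context_type "$1")" "$2"; then
        printf '%s' '-F'
    fi
}

# relabel PATH [TYPES_FILE]: relabel PATH according to the loaded file_contexts,
# forcing the reset only when the current type is customizable.
relabel() {
    types_file=${2:-/etc/selinux/${SELINUXTYPE:-targeted}/contexts/customizable_types}
    current=$(stat -c %C "$1")
    flags=$(restorecon_flags "$current" "$types_file")
    # $flags is deliberately unquoted: it is either empty or "-F"
    restorecon -vv $flags "$1"
}

# Usage on a real SELinux host (not run here):
#   relabel /var/www/wikis/foo/images
```

Using -F only when the current type is customizable keeps the safety property the list was meant to provide: files that an admin hand-labelled with a non-customizable type are still left alone, while directories that merely inherited httpd_sys_content_t from /var/www get the type the semanage fcontext rule specifies.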