On 05/09/2015 01:59 AM, Erinn Looney-Triggs wrote:
> I have a passenger app that is installed on the system. I have the
> following in file_contexts.local:
>
> /var/www/foo/releases/.*/tmp(/.*)? unconfined_u:object_r:httpd_sys_rw_content_t:s0
>
> However, on creating the tmp directory:
>
> releases $ sudo mkdir -p foo/tmp/
> releases $ cd foo/
> foo $ ls -lZ
> drwxr-sr-x. root developers unconfined_u:object_r:httpd_sys_content_t:s0 tmp
>
> But matchpathcon returns the right label:
>
> matchpathcon tmp/
> tmp unconfined_u:object_r:httpd_sys_rw_content_t:s0
>
> And a restorecon sets it properly to rw.
>
> So, umm, what is the deal here? There is something I am missing
> for sure. This is on RHEL 7.1 with the latest and greatest
> everything. Oddly I think, but am not sure, that this wasn't a
> problem with 7.0.
>
> Thoughts? Thanks.
>
> -Erinn

It follows default object labeling rules in SELinux. If you don't have
defined type transitions then it inherits labeling from the parent
directory.
In your case
$ matchpathcon /var/www/foo/releases
/var/www/foo/releases system_u:object_r:httpd_sys_content_t:s0
You need to run restorecon if you create it by hand or you can define
transition rules for it.
Or you can create it using
mkdir -Z -p foo/tmp
--
Miroslav Grepl
Software Engineering, SELinux Solutions
Red Hat, Inc.
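
The labeling rule described in the reply above, as a small Python model (an added example, not part of the original thread and not libselinux code). It assumes the creating shell runs as `unconfined_t`, that `/var/www(/.*)?` is the policy entry covering the parent directory, and it simplifies file_contexts matching to "last matching entry wins"; the `transitions` table is hypothetical.

```python
import re

# Constructed inputs. The first entry is an assumed stock-policy rule; the
# second is the file_contexts.local line quoted in the thread.
FILE_CONTEXTS = [
    (r"/var/www(/.*)?", "system_u:object_r:httpd_sys_content_t:s0"),
    (r"/var/www/foo/releases/.*/tmp(/.*)?",
     "unconfined_u:object_r:httpd_sys_rw_content_t:s0"),
]
# Assumed context of the shell that ran "sudo mkdir" (not shown in the thread).
PROCESS = "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"

def expected_context(path, specs=FILE_CONTEXTS):
    """Userspace view (matchpathcon, restorecon, mkdir -Z): regex lookup.
    Simplification: the last matching entry wins, so local entries override."""
    hit = None
    for regex, ctx in specs:
        if re.fullmatch(regex, path):
            hit = ctx
    return hit

def created_context(process_ctx, parent_ctx, name, transitions=None, tclass="dir"):
    """Kernel view at create time: file_contexts is never consulted.
    User and low level come from the process, role is object_r, and the type
    is the parent's unless a type_transition rule matches."""
    user, _, ptype, prange = process_ctx.split(":", 3)
    parent_type = parent_ctx.split(":", 3)[2]
    rules = transitions or {}
    new_type = rules.get((ptype, parent_type, tclass, name),
                         rules.get((ptype, parent_type, tclass, None), parent_type))
    return f"{user}:object_r:{new_type}:{prange.split('-')[0]}"

def type_of(ctx):
    return ctx.split(":", 3)[2]

def mkdir_p(base, rel, transitions=None):
    """Model 'mkdir -p rel' under base; return (path, on-disk ctx, expected ctx) per new dir."""
    path, parent_ctx, out = base, expected_context(base), []
    for name in rel.strip("/").split("/"):
        path = f"{path}/{name}"
        parent_ctx = created_context(PROCESS, parent_ctx, name, transitions)
        out.append((path, parent_ctx, expected_context(path)))
    return out

if __name__ == "__main__":
    for path, actual, wanted in mkdir_p("/var/www/foo/releases", "foo/tmp/"):
        flag = "ok" if type_of(actual) == type_of(wanted) else "needs restorecon"
        print(f"{path}\n  on disk : {actual}\n  expected: {wanted}  [{flag}]")
```

The model also shows why `ls -lZ` reports `unconfined_u` while matchpathcon on the parent reports `system_u`: the user field of a new object comes from the creating process, not from the parent directory.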