/opt is equivalence labeled to /usr.
    /usr/sbin/semanage fcontext -a -t httpd_exec_t '/usr/projects/apache(/.*)?'; /sbin/restorecon -R -v /opt/projects/apache
Should fix your problem.
On 09/02/2014 11:16 AM, William Hargrove wrote:
I'm stuck with an selinux problem and I hope someone can point me in
the right direction.
I have apache installed into some custom directories, and am adding
fcontext entries to the file_context.local using the commands shown
below. These commands are being executed via a puppet manifest, using
exec's, e.g.
    exec{'fix_projects_apache_context':
      command   => "/usr/sbin/semanage fcontext -a -t httpd_exec_t '/opt/projects/apache(/.*)?' ; /sbin/restorecon -R -v /opt/projects/apache",
      user      => 'root',
      unless    => "/bin/grep '/opt/projects/apache(/.*)?' /etc/selinux/targeted/contexts/files/file_contexts.local",
      logoutput => 'true',
    }
1. Executables in /opt/projects/apache/{bin,sbin,ssl}
    /usr/sbin/semanage fcontext -a -t httpd_exec_t '/opt/projects/apache(/.*)?'; /sbin/restorecon -R -v /opt/projects/apache
2. Site configs in /etc/httpd-site1/{conf,conf.d} and /etc/httpd-site2/{conf,conf.d}
    /usr/sbin/semanage fcontext -a -t httpd_config_t '/etc/httpd(.*)?/conf(.d)?(/.*)?' ; /sbin/restorecon -R -v /etc/httpd*/conf*
3. Logs in /var/mylogs/webserver
    /usr/sbin/semanage fcontext -a -t httpd_log_t '/var/mylogs/webServer(/.*)?' ; /sbin/restorecon -R -v /var/mylogs/webServer
4. Webcontent in /mycontent/webcontent
    /usr/sbin/semanage fcontext -a -t httpd_sys_content_t '/mycontent/webcontent(/.*)?' ; /sbin/restorecon -R -v /mycontent/webcontent
The issue I have is that these entries are initially set correctly yet
their contexts seem to be reverted on subsequent puppet runs and I
cannot understand why. eg. If I do:
ls -Z
-rw-r--r-- webservd webservd system_u:object_r:etc_t httpd.conf
which is incorrect, as matchpathcon reports the correct context:
matchpathcon /etc/httpd-site1/conf/httpd.conf
/etc/httpd-site1/conf/httpd.conf system_u:object_r:httpd_config_t
If I run restorecon, the correct contexts are applied, but after a
period of time, the config will revert to that shown.
I have a local policy file which is loaded during the regular puppet
runs, but my understanding is that this shouldn't affect the file
labelling. It is as if a re-label occurs which ignores the settings in
my file_context.local override.
Puppet doesn’t seem to provide a very good way of managing fcontext
settings on selinux files, at least for situations like mine with
multiple files that are deployed from a config management system.
I’m happy to provide further information. System details are
selinux-policy-2.4.6-338.el5, RHEL 5.9 (and seen on RHEL 6.4)
Many thanks, Will.
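An added example, not part of the original thread and not libselinux code: a simplified model of the labeling lookup that shows why the reply moves the rule from /opt/projects/apache to /usr/projects/apache. It assumes the /opt to /usr equivalence stated in the reply and a generic '/usr(/.*)?' base rule typed usr_t; all function names and sample rules are constructed for illustration.

```python
import re

# Constructed sample data, modelled on the thread (not read from a real system).
EQUIVALENCES = [("/opt", "/usr")]          # the equivalence the reply describes
BASE_RULES = [("/usr(/.*)?", "usr_t")]     # assumed generic base-policy rule
LOCAL_OPT = [("/opt/projects/apache(/.*)?", "httpd_exec_t")]   # rule from the question
LOCAL_USR = [("/usr/projects/apache(/.*)?", "httpd_exec_t")]   # rule from the reply


def substitute(path, equivalences):
    """Rewrite a path prefix when it matches an equivalence source directory."""
    for src, dst in equivalences:
        # Only whole path components count: /opt and /opt/x match, /optional does not.
        if path == src or path.startswith(src + "/"):
            return dst + path[len(src):]
    return path


def lookup(path, local_rules, equivalences=EQUIVALENCES):
    """Return (path used for matching, type) for a simplified labeling lookup."""
    effective = substitute(path, equivalences)
    # Simplification: local rules come after base rules and the last match wins.
    result = None
    for pattern, setype in BASE_RULES + local_rules:
        if re.fullmatch(pattern, effective):
            result = setype
    return effective, result


def dead_rules(local_rules, equivalences=EQUIVALENCES):
    """List local patterns that can never match because their prefix is rewritten."""
    dead = []
    for pattern, _ in local_rules:
        # Leading literal part of the pattern, up to the first regex metacharacter.
        literal = re.split(r"[(\[.*?+\\]", pattern, maxsplit=1)[0]
        if substitute(literal, equivalences) != literal:
            dead.append(pattern)
    return dead


if __name__ == "__main__":
    target = "/opt/projects/apache/bin/httpd"
    print(lookup(target, LOCAL_OPT))   # rule written under /opt is never consulted
    print(lookup(target, LOCAL_USR))   # rule written under /usr applies
    print(dead_rules(LOCAL_OPT + LOCAL_USR))
```

On a real host, matchpathcon on the target path (as used in the question) is the check that shows which rule actually wins.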