selinux versus chcon

Fulko Hew fulko.hew at gmail.com
Mon Sep 19 18:49:37 UTC 2011


I've been reviewing my buildRPM spec file so that it works in newer distributions
(currently playing with RHEL 5.6), but my question is applicable to
Fedora xxx as well.

During the development of my package, I had encountered issues with my
build and install procedures during the slow migration/acceptance of SELinux.

In my %post part of my spec file I had added both chcon commands and
semanage commands and restorecon commands.  As time goes by I've
forgotten why I used chcon versus semanage, and why I needed the
restorecon command at all.  :-(

(Today's issue is setroubleshoot browser is recommending I use a chcon
command to add httpd_sys_content_t to /var/cache/fontconfig/*)

My spec file currently contains this:

%{_bindir}/chcon -t httpd_sys_script_exec_t /var/www/html/nia/scripts/* 2>/dev/null
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/nia/tmp' 2>/dev/null
restorecon -v '/var/www/html/nia/tmp' 2>/dev/null

From what I can remember:
1/ I added the 'chcon' so that my scripts are executable by apache.
2/ I used semanage to make my temp directory writable by my scripts.
3/ I needed the 'restorecon' to make the semanage stuff 'sticky'.

From what I've been able to read:

chcon affects the filesystem, whereas
semanage affects 'policy' and
restorecon  is used to 're-affect the filesystem according to policy'
(set by semanage (and others)).

Is this a valid interpretation?

If so... why use chcon versus the semanage/restorecon technique?
Or if my assessment is wrong... can someone point me to a better
explanation/tutorial?

TIA
Fulko

