priority between file context rules

Daniel J Walsh dwalsh at redhat.com
Wed Dec 4 14:37:43 UTC 2013



On 12/03/2013 11:21 AM, Dominick Grift wrote:
> On Tue, 2013-12-03 at 16:50 +0100, Vidalie Hervé wrote:
> 
>> Encountered problems: Already discussed: httpd_log_t is not enough for
>> httpd to create new log files -> to be replaced with
>> httpd_sys_rw_content_t. New files (for example logs) are not correctly
>> labeled (they are labeled like the folder).
>> 
> 
> This:
> 
>> [root at d30 rules.d]# sesearch -ASC -d -t httpd_sys_ra_content_t
>> Found 7 semantic av rules:
>>    allow httpd_sys_ra_content_t httpd_sys_ra_content_t : filesystem associate ;
>>    allow httpd_sys_script_t httpd_sys_ra_content_t : file { ioctl read create getattr lock append open } ;
>>    allow httpd_sys_script_t httpd_sys_ra_content_t : dir { ioctl read write getattr lock add_name search open } ;
>>    allow httpd_sys_script_t httpd_sys_ra_content_t : lnk_file { read getattr } ;
>> ET allow httpd_t httpd_sys_ra_content_t : file { ioctl read create getattr lock append open } ; [ httpd_builtin_scripting ]
>> ET allow httpd_t httpd_sys_ra_content_t : dir { ioctl write getattr lock add_name search open } ; [ httpd_builtin_scripting ]
>> ET allow httpd_t httpd_sys_ra_content_t : lnk_file { read getattr } ; [ httpd_builtin_scripting ]
>> 
> 
> ..Tells me that, at least on my system, both httpd_t as well as
> httpd_sys_script_t type processes are allowed to create new log files
> (files with type httpd_sys_ra_content_t) in directories with type
> httpd_sys_ra_content_t.
> 
> So instead of using httpd_log_t (which I would not use for any logs other
> than /var/log/httpd in the first place) use httpd_sys_ra_content_t. This is
> the type for readable/appendable (and creatable but not writable) files by
> httpd_t and httpd_sys_script_t.
> 
> This:
> 
>> semanage fcontext -a -t httpd_log_t '/WEBS/[^/]+/[^/]+/logs'
>> 
> 
> .. Is wrong. Use this instead:
> 
>> semanage fcontext -a -t httpd_sys_ra_content_t
>> '/WEBS/[^/]+/[^/]+/logs(/.*)?'
> 
> Then restorecon -R -v -F /WEBS/*/logs
> 
> 
> 
> 
I am not sure I would label the lost+found directory differently, since this is
still httpd_sys_content_t.

The only reason to label content httpd_log_t versus httpd_sys_ra_content_t is
if the log files need to be used by log applications like logrotate.


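The thread turns on how file context rules are resolved: a rule whose regex ends at `logs` only ever matches the logs directory itself, so restorecon gives the files beneath it whatever broader rule still matches, and a more specific rule only wins if it is consulted after the general one. The model below is an added example, not code from the thread and not libselinux. It assumes the documented behaviour of file_contexts: each regex is implicitly anchored at both ends, customizations added with `semanage fcontext -a` are consulted after the policy's own rules, and when several rules match the last matching rule wins. The policy rule list (including the `/WEBS(/.*)?` catch-all) and the sample paths are constructed for illustration; only the two `/WEBS/[^/]+/[^/]+/logs` patterns come from the thread.

```python
"""Simplified model of SELinux file_contexts resolution (added example).

Assumptions, labelled as such: regexes are anchored at both ends, local
customizations (semanage fcontext -a) come after the policy's rules, and the
last matching rule wins.  This does not call libselinux; it only shows why the
pattern without '(/.*)?' leaves files inside the logs directory unlabelled.
"""
import re

# Constructed sample of policy rules in file_contexts order: general first,
# specific later.  The /WEBS catch-all is an assumption standing in for
# whatever rule labels the web root on the poster's system.
POLICY_RULES = [
    (r"/.*", "default_t"),
    (r"/var/log/httpd(/.*)?", "httpd_log_t"),
    (r"/WEBS(/.*)?", "httpd_sys_content_t"),
]

# The two rules discussed in the thread.  WRONG_RULE matches only the logs
# directory itself; RIGHT_RULE also matches everything beneath it.
WRONG_RULE = (r"/WEBS/[^/]+/[^/]+/logs", "httpd_sys_ra_content_t")
RIGHT_RULE = (r"/WEBS/[^/]+/[^/]+/logs(/.*)?", "httpd_sys_ra_content_t")


def compile_rules(rules):
    """Anchor each file_contexts regex at both ends, as setfiles does."""
    return [(re.compile(f"^(?:{pattern})$"), ctx) for pattern, ctx in rules]


def resolve(path, policy_rules, local_rules=()):
    """Return the type of the last matching rule for `path`, or None.

    Local customizations are appended after the policy rules, which is what
    gives them precedence under the last-match-wins model.
    """
    winner = None
    for regex, ctx in compile_rules(list(policy_rules) + list(local_rules)):
        if regex.match(path):
            winner = ctx
    return winner


def label_tree(paths, local_rules):
    """Label every path the way `restorecon -R -F` would under this model."""
    return {p: resolve(p, POLICY_RULES, local_rules) for p in paths}


def semanage_command(rule):
    """Render a rule as the semanage fcontext invocation that would add it."""
    pattern, ctx = rule
    return f"semanage fcontext -a -t {ctx} '{pattern}'"


# Constructed sample paths (site1/www is a hypothetical vhost layout).
SAMPLE_PATHS = [
    "/WEBS/site1/www/logs",
    "/WEBS/site1/www/logs/access_log",
    "/WEBS/site1/www/htdocs/index.html",
    "/WEBS/lost+found",
]

if __name__ == "__main__":
    for rule in (WRONG_RULE, RIGHT_RULE):
        print(semanage_command(rule))
        for path, ctx in label_tree(SAMPLE_PATHS, [rule]).items():
            print(f"  {path:40} -> {ctx}")
    # Order matters: the same specific rule placed *before* the catch-all
    # loses to it, which is why file_contexts goes from general to specific.
    print(resolve("/WEBS/site1/www/logs", [RIGHT_RULE] + POLICY_RULES))
```

Under this model the rule without `(/.*)?` labels `/WEBS/site1/www/logs` as httpd_sys_ra_content_t but leaves `/WEBS/site1/www/logs/access_log` at httpd_sys_content_t, while the corrected rule labels both; `/WEBS/lost+found` stays httpd_sys_content_t either way. The model covers what restorecon applies, not what the kernel assigns at creation time: a file httpd creates in the logs directory inherits the directory's type unless a type transition says otherwise, which is the "labeled like the folder" behaviour the original poster saw.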