restorecon works but fcontext returns back to its default

Daniel J Walsh dwalsh at redhat.com
Mon Mar 3 14:45:19 UTC 2014



On 03/01/2014 09:34 AM, Shintaro Fujiwara wrote:
> Hi.
> 
> I'm working on my web server and have run into a minor problem.
> 
> I wrote a PHP script which writes to the /var/www/html/javascripts directory.
> So, I added a rule with the semanage command:
> # semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/javascripts(/.*)?"
> I checked with
> # semanage fcontext -l | grep /var/www/html
> and found what I set. So, I typed
> # restorecon -r -v /var/www/html
> I checked with the semanage fcontext -l command again and found that the
> directory has httpd_sys_rw_content_t. So, I fired up the PHP script to write
> a file in /var/www/html/javascripts. Alas, audit error, and this time,
> semanage fcontext -l says /var/www/html/javascripts has a context
> httpd_sys_content_t.
> 
> I have to restorecon every time I write a file to /var/www/html/javascripts
> with the PHP script.
> 
> Why does restorecon work fine the first time and not work at all the next time?
> 
Try with -F.   restorecon does not change files with types listed in
/etc/selinux/targeted/contexts/customizable_types

http://danwalsh.livejournal.com/3687.html
...

ls /etc/selinux/targeted/contexts

    customizable_types
        These are a list of file types that restorecon will ignore. So if you
        want to relabel your entire system using restorecon, and a file is
        labeled with a context in this file, the context will not be changed.
        This can be overridden with the -F flag. This allows you to specify
        special directories on your system as being readable by apache. So if
        you chcon -R -t httpd_sys_content_t /var/myhtml, a relabel will not
        change this directory tree back to var_t.

> -- A page for making heavy metal and hard rock take root in Japan http://www.heavymetalhardrock.tk/
> 
> Free software that makes the secure OS SELinux easier to use around the world http://sourceforge.net/projects/segatex/
> 
> CMS (free software built with PHP and PostgreSQL) http://sourceforge.net/projects/webon/
> 
> 
> -- selinux mailing list selinux at lists.fedoraproject.org 
> https://admin.fedoraproject.org/mailman/listinfo/selinux
> 
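
The customizable_types rule from the reply above, modelled as an added shell example (not part of the original message or of restorecon itself). The function names, the sample contexts and the contents of the sample types file are constructed for illustration, and only the type field of the context is modelled.

```shell
#!/bin/sh
# Constructed stand-in for /etc/selinux/targeted/contexts/customizable_types.
# The real file's contents depend on the installed policy.
SAMPLE_TYPES=$(mktemp)
cat > "$SAMPLE_TYPES" <<'EOF'
httpd_sys_content_t
httpd_sys_rw_content_t
EOF

# Extract the type (third field) from a context such as user:role:type:level.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# restorecon_action CURRENT_CTX EXPECTED_CTX TYPES_FILE [force]
# Prints what a relabel would do to the file's type:
#   ok      - current type already matches the fcontext rule
#   skip    - current type is customizable, so restorecon without -F ignores it
#   relabel - type is reset to the one in the fcontext rule
# Passing "force" as the fourth argument models restorecon -F.
restorecon_action() {
    cur=$(context_type "$1")
    want=$(context_type "$2")
    if [ "$cur" = "$want" ]; then
        echo ok
    elif [ "${4:-}" != force ] && grep -Fxq -- "$cur" "$3"; then
        echo skip
    else
        echo relabel
    fi
}

# Constructed contexts: the label currently on the file, and the label the
# semanage fcontext rule from the question asks for.
CUR='unconfined_u:object_r:httpd_sys_content_t:s0'
WANT='system_u:object_r:httpd_sys_rw_content_t:s0'

echo "restorecon:    $(restorecon_action "$CUR" "$WANT" "$SAMPLE_TYPES")"
echo "restorecon -F: $(restorecon_action "$CUR" "$WANT" "$SAMPLE_TYPES" force)"
```

On a real system, pass the actual customizable_types path as the third argument, take the current context from `ls -Z`, and take the expected one from `matchpathcon`.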


