restorecon works but fcontext returns back to its default
Daniel J Walsh
dwalsh at redhat.com
Mon Mar 3 14:45:19 UTC 2014
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 03/01/2014 09:34 AM, Shintaro Fujiwara wrote:
> Hi.
>
> I'm working with my web server and minor trouble I'm in.
>
> I write a php script which writes to /var/www/html/javascripts directory.
> So, I added by semanage command # semanage fcontext -a -t
> httpd_sys_rw_content_t "/var/www/html/javascripts(/.*)? I checked by
> #semanage fcontext -l | grep /var/www/html Found what I set. So, I typed #
> restorecon -r -v /var/www/html I checked by semanage fcontext -l command
> again and found that the directory has httpd_sys_rw_content_t. So, I fired
> up php script to write a file in /var/www/html/javascripts Alas, audit
> error, and this time, semanage fcontext -l says /var/www/html/javascripts
> has an context httpd_sys_content_t.
>
> I have to restorecon every time I write file to /var/www/html/javascripts
> by php script.
>
> Why restorecon works fine at first and next time doesn't work at all?
>
Try with -F. restorecon does not change files with types listed in
/etc/selinux/targeted/contexts/customizable_types
http://danwalsh.livejournal.com/3687.html
...
ls /etc/selinux/targeted/contexts
customizable_types
These are a list of file types that restorecon will ignore. So if you
want to relabel your entire system using restorecon, and a file is labeled
with a context in this file, the context will not be changed. This can be
overridden with the -F flag. This allows you to specify special directories
on your system as being readable by apache. So if you chcon -R -t
httpd_sys_content_t /var/myhtml, a relabel will not change this directory
tree back to var_t.
> -- 日本にヘヴィメタル・ハードロックを根付かせるページ http://www.heavymetalhardrock.tk/
>
> 世界中でセキュアOSのSELinuxを使いやすくするフリーソフト http://sourceforge.net/projects/segatex/
>
> CMS(PHPとPostgreSQLを使ったフリーソフト) http://sourceforge.net/projects/webon/
>
>
> -- selinux mailing list selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlMUlX4ACgkQrlYvE4MpobNoKgCfYfEScvcajepheZudAizhER7X
pa0AoNraIlIP1LDzy6PjbvOiheYkU8mP
=tj5x
-----END PGP SIGNATURE-----
More information about the selinux
mailing list