Improper labelling on creation.

Miroslav Grepl mgrepl at redhat.com
Sun May 10 07:52:10 UTC 2015


On 05/09/2015 01:59 AM, Erinn Looney-Triggs wrote:
> I have a passenger app that is installed on the system. I have the 
> following in file_contexts.local:
> 
> /var/www/foo/releases/.*/tmp(/.*)? 
> unconfined_u:object_r:httpd_sys_rw_content_t:s0
> 
> However, on creating the tmp directory:
> 
> releases $ sudo mkdir -p foo/tmp/
> releases $ cd foo/
> foo $ ls -lZ
> drwxr-sr-x. root developers unconfined_u:object_r:httpd_sys_content_t:s0 tmp
> 
> But matchpathcon returns the right label:
> 
> $ matchpathcon tmp/
> tmp	unconfined_u:object_r:httpd_sys_rw_content_t:s0
> 
> And a restorecon sets it properly to rw.
> 
> So, umm, what is the deal here? There is something I am missing
> for sure. This is on RHEL 7.1 with the latest and greatest
> everything. Oddly I think, but am not sure, that this wasn't a
> problem with 7.0.
> 
> Thoughts? Thanks.
> 
> -Erinn
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
> 

It follows the default object labeling rules in SELinux. If you don't have
type transitions defined, then it inherits the labeling from the parent
directory.

In your case

$ matchpathcon /var/www/foo/releases
/var/www/foo/releases	system_u:object_r:httpd_sys_content_t:s0


You need to run restorecon if you create it by hand, or you can define
transition rules for it.

Or you can create it using

mkdir -Z -p foo/tmp

-- 
Miroslav Grepl
Software Engineering, SELinux Solutions
Red Hat, Inc.
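The inheritance rule Miroslav describes is easy to trip over in a deploy script: a directory created with plain mkdir gets the parent's type, and only restorecon (or mkdir -Z, or a file transition rule) applies the file_contexts entry. The following helper is an added example, not code from the thread or from Red Hat: it parses the context out of ls -lZ and matchpathcon output (the sample lines are constructed from the output quoted above), compares only the type field, and on a real SELinux host relabels a directory whose on-disk type disagrees with what matchpathcon reports. The function names are my own; matchpathcon, restorecon and stat -c %C are real tools.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Helpers to detect the
# "inherited from parent" label problem and fix it with restorecon.

# Type field (third colon-separated field) of a context such as
# "unconfined_u:object_r:httpd_sys_content_t:s0" -> "httpd_sys_content_t".
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Context column of a "matchpathcon PATH" output line ("PATH<TAB>CONTEXT").
matchpathcon_context() {
    printf '%s\n' "$1" | cut -f2
}

# Context column of an "ls -lZ" / "ls -dZ" output line. The column position
# differs between coreutils versions, so pick the field that looks like a
# full context (user:role:type:level) instead of relying on its position.
ls_z_context() {
    for field in $1; do
        case $field in
            *:*:*:*) printf '%s\n' "$field"; return 0 ;;
        esac
    done
    return 1
}

# 0 when the two contexts carry the same type. Only the type is compared:
# unconfined_u vs system_u on a file does not affect type-enforcement
# decisions, and restorecon without -F only resets the type anyway.
types_match() {
    [ "$(context_type "$1")" = "$(context_type "$2")" ]
}

# One-line verdict for a pair of (on-disk context, expected context).
verdict() {
    if types_match "$1" "$2"; then
        printf 'ok: %s\n' "$(context_type "$1")"
    else
        printf 'MISMATCH: on disk %s, file_contexts says %s\n' \
            "$(context_type "$1")" "$(context_type "$2")"
    fi
}

# Live check for a real path: compare stat's view of the label with what the
# loaded file_contexts (including file_contexts.local) says, and relabel on
# mismatch. Returns 2 where the SELinux user-space tools are not installed.
check_and_fix_label() {
    dir=$1
    command -v matchpathcon >/dev/null 2>&1 || return 2
    expected=$(matchpathcon_context "$(matchpathcon "$dir")")
    actual=$(stat -c %C "$dir")
    verdict "$actual" "$expected"
    types_match "$actual" "$expected" && return 0
    restorecon -v "$dir"
}

# Constructed sample lines, taken from the output quoted in the thread:
# the directory inherited httpd_sys_content_t from its parent, while
# file_contexts.local asks for httpd_sys_rw_content_t.
SAMPLE_LS='drwxr-sr-x. root developers unconfined_u:object_r:httpd_sys_content_t:s0 tmp'
SAMPLE_MATCHPATHCON=$(printf 'tmp\tunconfined_u:object_r:httpd_sys_rw_content_t:s0')

# Offline demonstration on the constructed lines; with a path argument,
# additionally run the live check on an SELinux host.
verdict "$(ls_z_context "$SAMPLE_LS")" "$(matchpathcon_context "$SAMPLE_MATCHPATHCON")"
if [ $# -gt 0 ]; then
    check_and_fix_label "$1"
fi
```

Run it as `sh check_label.sh /var/www/foo/releases/<release>/tmp` from a deploy hook after the directory is created; the offline part prints the MISMATCH verdict for the quoted sample, and the live part reports and repairs the real path. Comparing only the type keeps the check consistent with what restorecon changes by default, so a successful run never leaves the script and the tool disagreeing about the user field.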


More information about the selinux mailing list