I have a question about how context inheritance works in SELinux.

The correct file context is already defined in
/etc/selinux/targeted/contexts/files/file_contexts as:

/home/[^/]+/((www)|(web)|(public_html))(/.+)?   system_u:object_r:httpd_user_content_t

However, this context is not inherited when creating a public_html directory
as a user or as root in a user home directory. In other words, when creating
a public_html directory, this is what you get:

drwxrwxr-x  cbell  cbell  user_u:object_r:user_home_t  public_html

(I must admit some confusion about the initial user_u user context since this
is not defined in file_contexts.)

Here you see that the user context is set to user_u, the role is set to
object_r, and the type is set to user_home_t. This is (in)correctly inherited
from the /home directory's context. Simply running

restorecon -v -R /home/

(as a user or root) will fix it to read thusly:

drwxrwxr-x  cbell  cbell  system_u:object_r:httpd_user_content_t  public_html

At any rate, the user label is correctly set to system_u, the role is unchanged
with object_r, and the type is changed to httpd_user_content_t. This is the
context I'd like public_html directories to automatically assume when created.
Is this possible?

Further puzzles: Creating files in this public_html directory (after resetting
the directory to the correct context) yields more puzzling results:

[cbell@circe public_html]$ touch test
[cbell@circe public_html]$ ls -Z
-rw-rw-r--  cbell  cbell  user_u:object_r:httpd_sys_content_t  test

Note that in this case, the file has been set to user context user_u, role
object_r, and type httpd_sys_content_t. This is the type that's supposedly
reserved for the machine's public web directories (from file_contexts):

/var/www(/.*)?   system_u:object_r:httpd_sys_content_t

Again, one must run restorecon to correctly set the context on this file to:

-rw-rw-r--  cbell  cbell  system_u:object_r:httpd_user_content_t  test

So my questions are fourfold:

o How can one cause the correct httpd_user_content_t type to be automatically
  assigned to user public_html directories (and subdirectories)?

o How can one cause the correct httpd_user_content_t type to be automatically
  assigned to user content (files) in user public_html directories?

o Why are files initially receiving a user context of user_u rather than
  system_u?

And one final, slightly unrelated question:

o When I installed this server and restored user data to it, the user context
  on all the files was set to root rather than user_u (and why not system_u?).
  I've reset everything to the correct user context with chcon, but I'd like
  to know why this happened.

Thank you all for your insight!

--
Chris

"Build a man a fire and he will be warm for the rest of the night. Set a man
on fire and he will be warm for the rest of his life." -- Unknown
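The following Python sketch is an added illustration, not part of Chris's message or of any SELinux tool. It models the two mechanisms the post runs into: how file_contexts is matched when restorecon relabels a path (libselinux anchors each regex and takes the last matching entry, so the specific public_html line must come after the generic /home line), and how a newly created file is labeled when no type_transition rule applies (SELinux user of the creating process, role object_r, type inherited from the parent directory). The public_html and /var/www entries are the ones quoted in the post; the generic /home and -d home-directory entries are assumptions standing in for the targeted policy's own lines, and the ls -Z style listing is constructed from the contexts shown in the post.

```python
import re

# Constructed excerpt in file_contexts(5) format. The public_html and /var/www
# lines are quoted from the post; the two generic /home lines are assumptions
# standing in for the targeted policy's home-directory entries.
FILE_CONTEXTS = """
# regex                                            [type]  context
/home/[^/]+(/.+)?                                          system_u:object_r:user_home_t
/home/[^/]+                                        -d      system_u:object_r:user_home_dir_t
/var/www(/.*)?                                             system_u:object_r:httpd_sys_content_t
/home/[^/]+/((www)|(web)|(public_html))(/.+)?              system_u:object_r:httpd_user_content_t
"""

# Optional file-type qualifier used by setfiles: -d directory, -- regular file, ...
FTYPE = {"-d": "dir", "--": "file", "-l": "symlink", "-c": "chr",
         "-b": "blk", "-s": "sock", "-p": "fifo"}


def parse_file_contexts(text):
    """Parse file_contexts lines into (compiled regex, file kind or None, context)."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 3:
            regex, kind, ctx = parts[0], FTYPE[parts[1]], parts[2]
        elif len(parts) == 2:
            regex, kind, ctx = parts[0], None, parts[1]
        else:
            raise ValueError("malformed spec: %r" % line)
        # libselinux anchors every regex at both ends before matching.
        specs.append((re.compile("^" + regex + "$"), kind, ctx))
    return specs


SPECS = parse_file_contexts(FILE_CONTEXTS)


def policy_context(path, kind, specs=SPECS):
    """Context the policy assigns to path, i.e. what restorecon would apply.

    libselinux walks the entries in reverse so the LAST matching spec wins;
    that is why the public_html line has to sit after the generic /home line.
    """
    for regex, spec_kind, ctx in reversed(specs):
        if spec_kind is not None and spec_kind != kind:
            continue
        if regex.match(path):
            return ctx
    return None  # no entry at all: restorecon would not touch the file


def created_context(process_user, parent_context):
    """Context a new file receives when no type_transition rule applies:
    SELinux user of the creating process, role object_r, type of the parent.
    A shell running as user_u therefore produces user_u:object_r:<parent type>."""
    parent_type = parent_context.split(":", 2)[2]
    return "%s:object_r:%s" % (process_user, parent_type)


def find_mislabeled(listing, specs=SPECS, full=False):
    """restorecon -n style drift check over an ls -Z style listing.

    listing: iterable of (path, kind, current_context). By default only the
    type field is compared, as plain restorecon does; full=True also compares
    user and role (what restorecon -F resets). Returns (path, current, expected)
    for every mismatch.
    """
    drift = []
    for path, kind, current in listing:
        expected = policy_context(path, kind, specs)
        if expected is None:
            continue
        if full:
            differs = current != expected
        else:
            differs = current.split(":", 2)[2] != expected.split(":", 2)[2]
        if differs:
            drift.append((path, current, expected))
    return drift


# Constructed listing reproducing the contexts shown in the post.
LISTING = [
    ("/home/cbell/public_html", "dir", "user_u:object_r:user_home_t"),
    ("/home/cbell/public_html/test", "file", "user_u:object_r:httpd_sys_content_t"),
    ("/home/cbell/.bashrc", "file", "user_u:object_r:user_home_t"),
]

if __name__ == "__main__":
    print("mkdir by a user_u shell under user_home_dir_t ->",
          created_context("user_u", "system_u:object_r:user_home_dir_t"))
    for path, current, expected in find_mislabeled(LISTING):
        print("%s: %s -> %s" % (path, current, expected))
```

Two points the model makes visible: the public_html directory is labeled user_home_t at creation because labeling on create inherits the parent's type, and file_contexts is only consulted by tools such as restorecon and setfiles; and on current systems plain restorecon resets only the type field, so a full-context comparison like `full=True` corresponds to restorecon -F. The restorecond daemon exists precisely to re-apply file_contexts to watched paths as they appear, which is the usual answer to "make this label apply automatically".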