Erik Sjölund wrote:
If I inactivate httpd_unified and start using httpd_user_script_exec_t
and httpd_user_script_rw_t in /home/erik/public_html, will those
labels get lost (i.e. reverted to httpd_user_content_t) if I run
"/sbin/fixfiles relabel"?
What I'm more concerned about is if a
"yum update selinux-policy-targeted"
could force a relabeling and therefore loss of httpd_user_script_rw_t labels?
A quick test shows that /sbin/restorecon converts httpd_user_script_rw_t to
httpd_user_content_t.
Though, I haven't tried "/sbin/fixfiles relabel" yet.
[erik@www ~]$ cd ~/public_html
[erik@www public_html]$ chcon user_u:object_r:httpd_user_script_exec_t script.cgi
[erik@www public_html]$ ls -lZ script.cgi
-rwxr-xr-x erik others user_u:object_r:httpd_user_script_exec_t script.cgi
[erik@www public_html]$ /sbin/restorecon script.cgi
[erik@www public_html]$ ls -lZ script.cgi
-rwxr-xr-x erik others system_u:object_r:httpd_user_content_t script.cgi
[erik@www public_html]$ /usr/sbin/getsebool -a | grep unifi
httpd_unified --> inactive

That looks like a bug. What OS? What policy version are you using?
httpd_user_script* are supposed to be customizable types, which means
that restorecon/setfiles/fixfiles leaves them alone by default.

cheers,
Erik Sjölund
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
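
One way to check the behaviour the reply describes, as an added example that is not part of the original thread: it reads an `ls -Z` listing and reports, per file, whether the current type appears in the policy's customizable types list ("kept" by a default restorecon) or not ("default", meaning the file_contexts label would be applied). It assumes the targeted policy's list at /etc/selinux/targeted/contexts/customizable_types with one type per line; the function names and the sample list written by demo are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: audit an `ls -Z` / `ls -lZ` listing
# against the policy's customizable types list.

# Assumed location for the targeted policy; pass another file to audit_listing
# to check a different policy or a test sample.
CUSTOMIZABLE_TYPES=/etc/selinux/targeted/contexts/customizable_types

# audit_listing [LIST_FILE]
# Reads listing lines on stdin and prints "<file> <type> kept|default".
#   kept    = type is listed as customizable, so restorecon without -F
#             is expected to leave the label alone
#   default = type is not listed, so the file_contexts label is applied
# File names containing spaces are not handled (last field is used).
audit_listing() {
    awk -v list="${1:-$CUSTOMIZABLE_TYPES}" '
        # Load the list: one type name per line, exact match only.
        BEGIN { while ((getline t < list) > 0) custom[t] = 1 }
        {
            # The context is the first field shaped like user:role:type[:level].
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[^:]+:[^:]+:[^:]+/) {
                    split($i, c, ":")
                    print $NF, c[3], ((c[3] in custom) ? "kept" : "default")
                    break
                }
        }'
}

# Constructed sample: the list below is illustrative, not a real policy file,
# and the listing lines are modelled on the transcript in the thread.
demo() {
    sample=$(mktemp)
    printf '%s\n' httpd_user_script_exec_t httpd_user_script_rw_t > "$sample"
    audit_listing "$sample" <<'EOF'
-rwxr-xr-x erik others user_u:object_r:httpd_user_script_exec_t script.cgi
-rw-r--r-- erik others user_u:object_r:httpd_user_script_rw_t data.txt
-rw-r--r-- erik others user_u:object_r:httpd_user_content_t index.html
EOF
    rm -f "$sample"
}

demo
```

On a live system, `ls -Z ~/public_html | audit_listing` uses the installed list. A type reported as "default" that was expected to be customizable points at the policy package rather than at restorecon.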