On Mon, 2008-03-17 at 08:07 -0400, Stephen Smalley wrote:
> On Mon, 2008-03-17 at 11:31 +0000, Paul Howarth wrote:
> > ttaylor wrote:
> > > Does anything special have to be done to cause SELinux to start using newly
> > > added local filecontexts? What I'm finding is that if I use semanage
> > > fcontext -a to add a local filecontext definition, it is not used by
> > > restorecon unless I specify the "-F" option. Without the "-F" option,
> > > restorecon -vv <file_path> gives the following message:
> > >
> > > /sbin/restorecon: <file_path> not reset customized by admin to
> > > <current_context>
> > >
> > > but restorecon -vv -F <file_path> gives this:
> > >
> > > /sbin/restorecon reset <file_path> context <current_context>-><new_context>
> >
> > This is probably because <current_context> is a customizable type like
> > httpd_sys_content_t; objects with these types don't get reset by
> > restorecon unless you use -F. I'm not sure how to find out which types
> > are customizable off the top of my head though.
>
> cat /etc/selinux/$SELINUXTYPE/contexts/customizable_types
>
> Dan - I thought we had discussed reducing that set significantly since
> it was originally to avoid clobbering locally-set types upon a
> filesystem relabel prior to the introduction of semanage, but with users
> now able to add local file contexts easily via semanage fcontext -a, it
> isn't as necessary.

This is exactly my situation. I am using Fedora 8 with all the latest
updates. I had used semanage to add a filecontext which would cause
particular directories to be labeled with the type httpd_sys_script_rw_t,
which is a customizable type. The directory I was trying to label was
under /var/www, which has a context of httpd_sys_content_t, which is also
a customizable type.

So why is it that new directories under /var/www are automatically
labeled with the httpd_sys_content_t type, but things that match my added
filecontext don't automatically get labeled with httpd_sys_script_rw_t,
and require the use of restorecon -F?

Here are the specifics. The command I used to add my local context:

semanage fcontext -a -f -d -t httpd_sys_script_rw_t "/var/www/wikis/[^/]+/images"

I then create a directory that matches the above pattern:

mkdir -p /var/www/wikis/foo/images

The directory is created, but has the type httpd_sys_content_t. Now I use
restorecon to relabel:

restorecon -vv /var/www/wikis/foo/images

This gives me the following message:

/sbin/restorecon: /var/www/wikis/foo/images not reset customized by admin to system_u:object_r:httpd_sys_content_t:s0

Now run restorecon with the force flag:

restorecon -vv -F /var/www/wikis/foo/images

Gives this message:

restorecon reset /var/www/wikis/foo/images context system_u:object_r:httpd_sys_content_t:s0->system_u:object_r:httpd_sys_script_rw_t:s0

Since both types are in the customizable_types file, why is one
automatically used, and the other only used when forced?

- Tim

> --
> Stephen Smalley
> National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
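The behaviour Tim is seeing comes down to one check: restorecon without -F compares the type of the file's current on-disk context against the customizable_types list, and if the current type is listed it leaves the file alone, regardless of what the target context from the file_contexts database would be. The following script, added here as an illustration and not part of the thread or of the SELinux tools, reproduces that decision offline against a constructed copy of the list, so an admin can predict which files a plain restorecon will skip. The list contents, the function names and the contexts fed in are assumptions; on a real system point it at /etc/selinux/$SELINUXTYPE/contexts/customizable_types.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): predict whether
# restorecon without -F will skip a file because its CURRENT type is
# listed in customizable_types.

# Constructed sample of customizable_types (illustration only; the real
# list lives in /etc/selinux/$SELINUXTYPE/contexts/customizable_types).
SAMPLE_CUSTOMIZABLE_TYPES='httpd_sys_content_t
httpd_sys_script_rw_t
public_content_t
public_content_rw_t'

# context_type CONTEXT: print the type field of a user:role:type:level context.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# is_customizable TYPE [FILE]: succeed when TYPE appears as a whole line in
# the customizable_types list (FILE if given, else the constructed sample).
is_customizable() {
    ctx_type="$1"
    if [ -n "$2" ]; then
        grep -qx -- "$ctx_type" "$2"
    else
        printf '%s\n' "$SAMPLE_CUSTOMIZABLE_TYPES" | grep -qx -- "$ctx_type"
    fi
}

# restorecon_verdict CURRENT_CONTEXT [FILE]: echo "skipped" when a plain
# restorecon would leave the file alone (current type is customizable),
# "reset" when it would relabel.  Only the current type matters; the
# target type is irrelevant to this decision.
restorecon_verdict() {
    if is_customizable "$(context_type "$1")" "$2"; then
        echo skipped
    else
        echo reset
    fi
}

# Walk-through with the contexts from the thread (constructed input).
for ctx in system_u:object_r:httpd_sys_content_t:s0 \
           system_u:object_r:var_t:s0; do
    echo "$ctx -> restorecon (no -F) would: $(restorecon_verdict "$ctx")"
done
```

The directory under /var/www starts out as httpd_sys_content_t, so the verdict is "skipped" even though the file_contexts entry now says httpd_sys_script_rw_t; a freshly created directory elsewhere whose inherited type is not in the list would be relabeled. That is why the new fcontext entry only takes effect with -F: the skip is keyed on the current label, not on the type the entry asks for.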