Tim Taylor wrote:
> On Mon, 2008-03-17 at 08:07 -0400, Stephen Smalley wrote:
>> On Mon, 2008-03-17 at 11:31 +0000, Paul Howarth wrote:
>>> ttaylor wrote:
>>>> Does anything special have to be done to cause SELinux to start using newly
>>>> added local filecontexts? What I'm finding is that if I use semanage
>>>> fcontext -a to add a local filecontext definition, it is not used by
>>>> restorecon unless I specify the "-F" option. Without the "-F" option,
>>>> restorecon -vv <file_path> gives the following message:
>>>>
>>>> /sbin/restorecon: <file_path> not reset customized by admin to
>>>> <current_context>
>>>>
>>>> but restorecon -vv -F <file_path> gives this:
>>>>
>>>> /sbin/restorecon reset <file_path> context
>>>> <current_context>-><new_context>
>>> This is probably because <current_context> is a customizable type like
>>> httpd_sys_content_t; objects with these types don't get reset by
>>> restorecon unless you use -F. I'm not sure how to find out which types
>>> are customizable off the top of my head though.
>> cat /etc/selinux/$SELINUXTYPE/contexts/customizable_types
>>
>> Dan - I thought we had discussed reducing that set significantly since
>> it was originally to avoid clobbering locally-set types upon a
>> filesystem relabel prior to the introduction of semanage, but with users
>> now able to add local file contexts easily via semanage fcontext -a, it
>> isn't as necessary.
>
> This is exactly my situation. I am using Fedora 8 with all the latest
> updates. I had used semanage to add a filecontext which would cause
> particular directories to be labeled with the type httpd_sys_script_rw_t
> which is a customizable type.
>
> The directory I was trying to label was under /var/www which has a
> context of httpd_sys_content_t which is also a customizable type.
> So why is it that new directories under /var/www are automatically labeled
> with the httpd_sys_content_t type, but things that match my added
> filecontext don't automatically get labeled with httpd_sys_script_rw_t,
> and require the use of restorecon -F?
>
> Here are the specifics:
>
> The command I used to add my local context:
> semanage fcontext -d -f -d -t httpd_sys_script_rw_t
> "/var/www/wikis/[^/]+/images"
>
> I then create a directory that matches the above pattern:
> mkdir -p /var/www/wikis/foo/images
>
> The directory is created, but has the type httpd_sys_content_t.
>
> Now I use restorecon to relabel:
> restorecon -vv /var/www/wikis/foo/images
>
> This gives me the following message:
> /sbin/restorecon: /var/www/wikis/foo/images not reset customized by
> admin to system_u:object_r:httpd_sys_content_t:s0
>
> Now run restorecon with the force flag:
> restorecon -vv -F /var/www/wikis/foo/images
>
> Gives this message:
> restorecon reset /var/www/wikis/foo/images context
> system_u:object_r:httpd_sys_content_t:s0->system_u:object_r:httpd_sys_script_rw_t:s0
>
> Since both types are in the customizable_types file, why is one
> automatically used, and the other only used when forced?
>
> - Tim

New files/directories adopt the context of their parent directory by default, unless the program is SELinux aware or a transition rule was written in policy: dhcp_t creating files in directories labeled etc_t gets a file context of net_conf_t. So since mkdir is not SELinux aware and no policy rule has been defined, you create the directory with the same context as the parent, httpd_sys_content_t in both cases. restorecon reads the file context file and assigns the correct context after creation.
>> --
>> Stephen Smalley
>> National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
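As an added illustration (not code from the thread, from libselinux or from Fedora), the following Python models the two behaviours the replies describe: a directory created by a non-SELinux-aware program inherits its parent's context, and restorecon without -F leaves files whose current type is listed in customizable_types alone. The file_contexts and customizable_types excerpts are constructed, and the model assumes the last matching file_contexts entry wins, so the local entry overrides the stock /var/www one.

```python
import re

# Constructed excerpt of a file_contexts list: the stock /var/www entry, then
# the local entry added with "semanage fcontext -a". The model assumes the
# last matching entry wins, so the local entry overrides the policy one.
FILE_CONTEXTS = [
    (r"/var/www(/.*)?", "system_u:object_r:httpd_sys_content_t:s0"),
    (r"/var/www/wikis/[^/]+/images", "system_u:object_r:httpd_sys_script_rw_t:s0"),
]

# Constructed excerpt of /etc/selinux/$SELINUXTYPE/contexts/customizable_types.
CUSTOMIZABLE_TYPES = {"httpd_sys_content_t", "httpd_sys_script_rw_t"}


def type_of(context):
    """Type field of a user:role:type:level context string."""
    return context.split(":")[2]


def lookup_context(path):
    """Context file_contexts assigns to path, or None if no entry matches."""
    result = None
    for pattern, ctx in FILE_CONTEXTS:
        if re.fullmatch(pattern, path):
            result = ctx  # later entries override earlier ones (model assumption)
    return result


def label_on_create(parent_context):
    """mkdir is not SELinux-aware and no type_transition rule applies, so the
    new directory inherits its parent's context unchanged."""
    return parent_context


def restorecon(path, current_context, force=False):
    """Model restorecon's decision for one path; returns (context, message).
    Without -F, a file whose current type is customizable is left alone,
    which produces the "not reset customized by admin" message in the thread."""
    wanted = lookup_context(path)
    if wanted is None or wanted == current_context:
        return current_context, f"{path} unchanged"
    if not force and type_of(current_context) in CUSTOMIZABLE_TYPES:
        return current_context, f"{path} not reset customized by admin to {current_context}"
    return wanted, f"reset {path} context {current_context}->{wanted}"


if __name__ == "__main__":
    new_dir = "/var/www/wikis/foo/images"
    current = label_on_create("system_u:object_r:httpd_sys_content_t:s0")
    print(restorecon(new_dir, current)[1])              # plain restorecon -vv
    print(restorecon(new_dir, current, force=True)[1])  # restorecon -vv -F
```

Running it reproduces the thread's two messages for /var/www/wikis/foo/images; changing the current type to one not in CUSTOMIZABLE_TYPES shows that restorecon then relabels without -F.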