On Thu, 2012-08-16 at 15:34 -0400, m.roth@xxxxxxxxx wrote:
> chcon doesn't last through reboots. Why? Or why have it?
> semanage doesn't offer the most obvious flag: -R, recurse.

SELinux is a Mandatory Access Control architecture. Policy and file context specification are generally managed centrally. semanage fcontext is used to specify file contexts centrally (system wide). In general, when possible, one should always use semanage fcontext with restorecon.

Then why need chcon? Well, one can design policy configurations to give unprivileged users some discretion over labeling without them having access to the centralized file context specifications.

Some locations are ignored when it comes to maintaining file contexts, for example /tmp. Users have some discretion over labeling there. All they need is permission to relabelfrom the current type and relabelto permission to the target type. One could, for example, use chcon to relabel a file one created in /tmp from user_tmp_t to user_home_t. I can't think of any reason off the top of my head why one would do that, but since the user has full access to both types and because SELinux doesn't have centralized file context specifications for content in /tmp, it is possible. That is done because of some properties of the optional MLS and MCS security models (but that is beyond the scope of this email).

One more practical example of the use of chcon is providing httpd userdirs. httpd is, or can be, configured to host content in ~/public_html. What type of httpd content is in there depends on the user. The user has the discretion to label httpd user content according to their requirements. As you may know, there are various httpd content types (each type has its own properties):

httpd_user_content_t (httpd user content type that is only readable by the webserver, useful for static webpages and other read-only content)
httpd_user_content_ra_t (httpd user content type that is readable and appendable by the webserver, useful for webapp log files)
httpd_user_content_rw_t (httpd user content type that is readable and writable by the webserver, useful for upload directories etc.)
httpd_user_htaccess_t (httpd user content type for content that is readable by the webserver, useful for htpasswd and htaccess files)
httpd_user_script_exec_t (httpd user content type for content that is executable by the webserver, useful for CGI, webapp executable files etc.)

The only thing that is managed centrally is the file context for ~/public_html (httpd_user_content_t) and the userdir configuration in httpd.conf (where it is specified that userdirs are in ~/public_html). The labeling below ~/public_html is at the discretion of the user, to some extent. If you have a webapp that needs to write to an upload directory then you, as an unprivileged user, can chcon a dir, for example ~/public_html/mywebapp/uploads, with type httpd_user_content_rw_t. SELinux will not try to reset that unless you use restorecon with the -F (force) option. There is a mechanism in place that tells SELinux to ignore some types when it comes to restoring file contexts (it's called customizable types); those customizable types are specified in /etc/selinux/targeted/contexts/files/customizable_types.

chcon is useful, but generally only for unprivileged users. If you are allowed to use semanage then use that instead.

-- 
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
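The interaction between chcon, semanage fcontext and restorecon described above, modelled as an added Python example (not part of the original mail and not the real tools): a per-file label table, a central spec list, and a restorecon that skips customizable types unless forced. The customizable_types set and the spec regexes are constructed for the example.

```python
import re

# Constructed subset of what customizable_types lists on a targeted system.
CUSTOMIZABLE = {"httpd_user_content_rw_t", "httpd_user_content_ra_t",
                "httpd_user_htaccess_t", "httpd_user_script_exec_t"}


class LabelModel:
    """Toy model of file labels vs. the central file context specification."""

    def __init__(self):
        # Central spec (what semanage fcontext manages); constructed entry
        # for ~/public_html. Later entries take precedence, as with semanage -a.
        self.specs = [(r"/home/[^/]+/public_html(/.*)?", "httpd_user_content_t")]
        self.labels = {}  # path -> current on-disk type

    def spec_type(self, path):
        """Type the central spec says this path should carry, if any."""
        for regex, ftype in reversed(self.specs):
            if re.fullmatch(regex, path):
                return ftype
        return None

    def chcon(self, path, new_type):
        # chcon changes only the file's label; the central spec is untouched.
        self.labels[path] = new_type

    def semanage_fcontext_add(self, regex, new_type):
        # semanage fcontext -a changes the central spec; nothing on disk
        # changes until restorecon is run.
        self.specs.append((regex, new_type))

    def restorecon(self, path, force=False):
        """Return the label the file has after restorecon (-F when force=True)."""
        current = self.labels.get(path)
        if current in CUSTOMIZABLE and not force:
            return current  # customizable types are left alone without -F
        target = self.spec_type(path)
        if target is not None:
            self.labels[path] = target
        return self.labels.get(path)
```

A chcon to a non-customizable type is undone by the next restorecon, a chcon to httpd_user_content_rw_t survives until restorecon -F, and only a semanage fcontext entry makes the rw type the one restorecon restores to.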