On 05/09/2015 01:59 AM, Erinn Looney-Triggs wrote:
> I have a passenger app that is installed on the system. I have the
> following in file_contexts.local:
>
> /var/www/foo/releases/.*/tmp(/.*)? unconfined_u:object_r:httpd_sys_rw_content_t:s0
>
> However, on creating the tmp directory:
> releases $ sudo mkdir -p foo/tmp/
> releases $ cd foo/
> foo $ ls -lZ
> drwxr-sr-x. root developers unconfined_u:object_r:httpd_sys_content_t:s0 tmp
>
> But matchpathcon returns the right label:
> matchpathcon tmp/
> tmp unconfined_u:object_r:httpd_sys_rw_content_t:s0
>
> And a restorecon sets it properly to rw.
>
> So, umm, what is the deal here? There is something I am missing
> for sure. This is on RHEL 7.1 with the latest and greatest
> everything. Oddly I think, but am not sure, that this wasn't a
> problem with 7.0.
>
> Thoughts? Thanks.
>
> -Erinn
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>

It follows default object labeling rules in SELinux. If you don't have
defined type transitions then it inherits labeling from the parent
directory. In your case

$ matchpathcon /var/www/foo/releases
/var/www/foo/releases system_u:object_r:httpd_sys_content_t:s0

You need to run restorecon if you create it by hand, or you can define
transition rules for it.

Or you can create it using

mkdir -Z -p foo/tmp

--
Miroslav Grepl
Software Engineering, SELinux Solutions
Red Hat, Inc.
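The two labeling paths described in the reply above, as a small Python model (an added illustration, not part of the original thread and not SELinux code): the kernel labels a new directory from the creating process and the parent directory, while file_contexts is only consulted by userspace tools such as matchpathcon, restorecon and mkdir -Z. The process context, the `/var/www(/.*)?` entry and the transition rule are constructed assumptions, and the "last match wins" lookup is a simplification of the real file_contexts ordering.

```python
import re

# Constructed model data mirroring the thread; not read from a real policy.
FILE_CONTEXTS = [  # (regex, context); later entries win, as file_contexts.local does
    (r"/var/www(/.*)?", "system_u:object_r:httpd_sys_content_t:s0"),
    (r"/var/www/foo/releases/.*/tmp(/.*)?",
     "unconfined_u:object_r:httpd_sys_rw_content_t:s0"),
]
TYPE_TRANSITIONS = {}  # (process type, parent dir type, class) -> new type


def matchpathcon(path):
    """Userspace lookup: the label restorecon or mkdir -Z would apply."""
    result = None
    for pattern, context in FILE_CONTEXTS:
        if re.fullmatch(pattern, path):
            result = context
    return result


def kernel_create(process_ctx, parent_ctx, tclass="dir", rules=TYPE_TRANSITIONS):
    """Kernel default for a new object; file_contexts is never consulted here."""
    p_user, _, p_type, p_level = process_ctx.split(":", 3)
    parent_type = parent_ctx.split(":")[2]
    # Type comes from a matching type_transition rule, else from the parent.
    new_type = rules.get((p_type, parent_type, tclass), parent_type)
    # User comes from the creator, role is object_r, level is the creator's low level.
    return f"{p_user}:object_r:{new_type}:{p_level.split('-')[0]}"


def demo():
    # Assumed context of the shell that ran "sudo mkdir".
    proc = "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"
    parent = matchpathcon("/var/www/foo/releases/foo")
    created = kernel_create(proc, parent)                      # plain mkdir
    expected = matchpathcon("/var/www/foo/releases/foo/tmp")   # restorecon / mkdir -Z
    with_rule = kernel_create(proc, parent, rules={            # hypothetical transition
        ("unconfined_t", "httpd_sys_content_t", "dir"): "httpd_sys_rw_content_t"})
    return created, expected, with_rule


if __name__ == "__main__":
    for name, ctx in zip(("mkdir", "matchpathcon", "with transition"), demo()):
        print(f"{name:16} {ctx}")
```

The model also accounts for the `unconfined_u` user on the mislabeled directory in the question: the user field comes from the creating process, while only the type is inherited from the parent.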