On Wed, 2007-12-19 at 09:12 -0500, Stephen Smalley wrote:
> On Wed, 2007-12-19 at 10:13 +0000, Stefan Schulze Frielinghaus wrote:
> > On Tue, 2007-12-18 at 13:55 -0500, Stephen Smalley wrote:
> > [...]
> > > Try restorecon -FRv /var/www
> >
> > Yeah that solved the problem. The -F option is a little bit tricky ;-)
> > Never expected something like that.
>
> /etc/selinux/targeted/contexts/customizable_types was created to allow
> programs like restorecon to omit files with certain types from being
> relabeled by default, so that admin customizations wouldn't be lost.
> The httpd-related types are a common case of this, where the admin wants
> to manually manage the type under the web root and not have them
> clobbered. As to whether it still makes sense when we have semanage
> fcontext, I'm not sure.

I think at least from a user point of view it is misleading. I just
wanted to create a policy for some CGI/PHP webserver stuff which I could
roll out to my clients. And if a client runs into some trouble, gets some
AVC messages etc., he just uses "fixfiles relabel" or even
"touch /.autorelabel && reboot". I think that's the normal behavior of a
non-SELinux hacker. So in the end removing it (or just ship an empty
customizable_types file like you pointed out) would be a good thing.
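The skip behaviour discussed in this thread, as an added example that is not part of the original messages: a shell sketch that predicts which files a relabel without -F would leave untouched, by comparing each file's current type against a customizable_types list. The helper names, the sample type list and the sample paths and contexts are constructed for illustration; on a real system the list is /etc/selinux/targeted/contexts/customizable_types and the contexts would come from `ls -Z`.

```shell
#!/bin/sh
# Added example (not from the thread). Helper names are hypothetical.
# Assumes paths contain no whitespace.

# Print the type field (third colon-separated field) of a security context.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeed if the type of context $2 is listed, one per line, in file $1.
is_customizable() {
    grep -Fxq -- "$(context_type "$2")" "$1"
}

# Read "<path> <context>" lines on stdin and print the paths whose CURRENT
# type is customizable, i.e. the ones a relabel without -F would not touch.
skipped_without_force() {
    while read -r path ctx; do
        [ -n "$path" ] || continue
        if is_customizable "$1" "$ctx"; then
            printf '%s\n' "$path"
        fi
    done
}

# Constructed sample: a two-entry type list and three labelled files.
demo() {
    types=$(mktemp)
    printf '%s\n' httpd_sys_content_t httpd_sys_script_exec_t > "$types"
    skipped_without_force "$types" <<'EOF'
/var/www/html/index.html system_u:object_r:httpd_sys_content_t:s0
/var/www/cgi-bin/app.cgi system_u:object_r:httpd_sys_script_exec_t:s0
/var/www/html/upload.php unconfined_u:object_r:user_home_t:s0
EOF
    rm -f "$types"
}

demo
```

Files reported here keep their current label under a default relabel even when the policy's file contexts say otherwise, which is why the -F option was needed above.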