risk of losing httpd_user_script_exec_t labels?

Daniel J Walsh dwalsh at redhat.com
Tue Feb 14 17:46:12 UTC 2006


Erik Sjölund wrote:
> If I inactivate httpd_unified and start using httpd_user_script_exec_t
> and httpd_user_script_rw_t in /home/erik/public_html, will those
> labels get lost (i.e. reverted to httpd_user_content_t) if I run
> "/sbin/fixfiles relabel"?
>
> What I'm more concerned about is if a
> "yum update selinux-policy-targeted"
> could force a relabeling and therefore loss of httpd_user_script_rw_t labels?
>
> A quick test shows that /sbin/restorecon converts httpd_user_script_rw_t to
> httpd_user_content_t.
> Though, I haven't tried "/sbin/fixfiles relabel" yet.
>
> [erik at www ~]$ cd ~/public_html
> [erik at www public_html]$ chcon user_u:object_r:httpd_user_script_exec_t script.cgi
> [erik at www public_html]$ ls -lZ script.cgi
> -rwxr-xr-x  erik others   user_u:object_r:httpd_user_script_exec_t script.cgi
> [erik at www public_html]$ /sbin/restorecon script.cgi
> [erik at www public_html]$ ls -lZ script.cgi
> -rwxr-xr-x  erik others   system_u:object_r:httpd_user_content_t script.cgi
> [erik at www public_html]$ /usr/sbin/getsebool -a | grep unifi
> httpd_unified --> inactive
>   
That looks like a bug.  What OS and policy version are you using?
httpd_user_script* are supposed to be customizable types, which means
that restorecon/setfiles/fixfiles leave them alone by default.
> cheers,
> Erik Sjölund
>   
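
The check implied by the reply above, as an added example that is not part of the original thread: given a context string like the ones in the ls -lZ output, report whether a default relabel should keep or reset it. The list path is an assumption about a targeted-policy install, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread or from the SELinux project.
# Assumption: customizable types are listed one per line in this file.
CUSTOMIZABLE_TYPES=${CUSTOMIZABLE_TYPES:-/etc/selinux/targeted/contexts/customizable_types}

# ctx_type CONTEXT: print the type field of user:role:type[:level].
# cut -s prints nothing for input without ':' so malformed input is empty.
ctx_type() {
    printf '%s\n' "$1" | cut -s -d: -f3
}

# is_customizable TYPE [LISTFILE]: 0 = listed, 1 = not listed, 2 = no list.
is_customizable() {
    list=${2:-$CUSTOMIZABLE_TYPES}
    [ -r "$list" ] || return 2
    # Drop comments, surrounding whitespace and blank lines, then require
    # an exact whole-line match so a prefix of a type name does not count.
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e '/^$/d' "$list" | grep -Fxq -- "$1"
}

# relabel_verdict CONTEXT [LISTFILE]: print kept, reset or unknown.
#   kept    = type is customizable, a default restorecon should leave it
#   reset   = type is not listed, restorecon will apply the policy default
#   unknown = context could not be parsed or the list is unreadable
relabel_verdict() {
    t=$(ctx_type "$1")
    [ -n "$t" ] || { echo unknown; return 0; }
    is_customizable "$t" "$2" && rc=0 || rc=$?
    case $rc in
        0) echo kept ;;
        1) echo reset ;;
        *) echo unknown ;;
    esac
}

# Stand-alone use: ./check.sh user_u:object_r:httpd_user_script_exec_t
if [ $# -gt 0 ]; then relabel_verdict "$1"; fi
```

On a live system, "restorecon -n -v script.cgi" shows what a relabel would change without changing it. A "reset" verdict for httpd_user_script_exec_t would match the behaviour reported in the quoted test.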