SELinux problem (was Re: Is httpd in FC3 chrooted???)

Aleksandar Milivojevic amilivojevic at pbl.ca
Tue Feb 8 14:34:20 UTC 2005 

D. D. Brierton wrote:
> On Tue, 2005-02-08 at 13:33 +0000, D. D. Brierton wrote:
> 
> 
>>Okay, it seems it's SELinux related. I'm currently reading my way
>>through
>>
>>http://fedora.redhat.com/docs/selinux-apache-fc3/
>>
>>but if anyone has some advice I'd be grateful. Thanks!
> 
> 
> One problem is that it seems that most of the files in my /home
> partition don't have *any* SELinux security context, only newly created
> files do.
> 
> Furthermore, the document above says that files in my home directory
> should have type "user_home_t", whereas in fact all of the newly created
> files in my home directory which do have a security context just have
> type "file_t". Sigh. I'm confused. This is a bit of a baptism by fire --
> all I wanted to do was get on with my work and instead I've spent the
> morning learning about SELinux.
> 
> I tried to use restorecon, but it segfaults:
> 
> $ /sbin/restorecon -R -v /home/darren
> /sbin/restorecon reset context /home/darren:->system_u:object_r:user_home_dir_t
> Segmentation fault
> 
> I need to use either
> 
> chcon -R -t httpd_sys_content_t public_html
> 
> or
> 
> chcon -R -t httpd_user_content_t public_html
> 
> I think, so that Apache can access the DocumentRoots of my VirtualHosts
> (they're all in ~/public_html/), but when I try either I get:
> 
> chcon: can't apply partial context to unlabeled file public_html/
> 
> which I take to mean that I also need to supply values for -u and -r,
> but I don't what values I should be using.
> 
> I'd really appreciate some help!

This is really strange.  You shouldn't be getting segfaults, and 
public_html should be assigned correct label when created.

Are you using targeted or strict policy?  In both cases, check if you 
have latest RPM installed (selinux-policy-targeted or 
selinux-policy-strict, depending which policy you are using).  I 
remember that after upgrading selinux-policy-targeted I had to relabel 
everything on the system (I was getting some strange errors on some 
parts of file system, so instead of hunting file by file what needs to 
be relabeled, I relabeled everything).  Who knows, maybe you are 
experiencing something similar.  Easiest way to do that is:

    # touch /.autorelabel
    # reboot

During boot, selinux will be temporarely disabled, all files assigned 
correct labels, and than selinux will be reenabled.  The /.autorelabel 
will be automatically removed after relabeling is done.  If you have 
only basic, minimalistic system installed, it will be relatively fast. 
If you installed bunch of files, or have huge /home, it may take a while 
to finish.

-- 
Aleksandar Milivojevic <amilivojevic at pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7

More information about the fedora-list mailing list