Questions about Apache and SELinux context inheritance

Christofer C. Bell christofer.c.bell at
Sun Mar 13 00:46:19 UTC 2005

I have a question about how context inheritance works in SELinux.

The correct file context is already defined in
/etc/selinux/targeted/contexts/files/file_contexts as:


However, this context is not inherited when creating a public_html
directory as a user or as root in a user home directory.  In
otherwords, when creating a public_html directory, this is what you

drwxrwxr-x  cbell    cbell    user_u:object_r:user_home_t      public_html

(I must admit some confusion about the initial user_u user context
since this is not defined in file_contexts).  Here you see that the
user context is set to user_u, the role is set to object_r, and the
type is set to user_home_t.  This is (in)correctly inherited from the
/home directory's context.

Simply running restorecon -v -R /home/ (as a user or root)  will fix
it to read thusly:

drwxrwxr-x  cbell    cbell    system_u:object_r:httpd_user_content_t public_html

At anyrate, the user label is correctly set to system_u, the role is
unchanged with object_r, and the type is changed to
http_user_content_t.  This is the context I'd like public_html
directories to automatically assume when created.  Is this possible?

Further puzzles:

When creating files in this public_html directory (after resetting the
directory to the correct context) yields more puzzling results:

[cbell at circe public_html]$ touch test
[cbell at circe public_html]$ ls -Z
-rw-rw-r--  cbell    cbell    user_u:object_r:httpd_sys_content_t test

Note that in this case, the file has been set to user context user_u,
role object_r, and type httpd_sys_content_t.  This is the type that's
supposedly reserved for the machine's public web directories:

(from file_contexts)
/var/www(/.*)?                  system_u:object_r:httpd_sys_content_t

Again, one must run restorecon to correctly set the context on this file to:

-rw-rw-r--  cbell    cbell    system_u:object_r:httpd_user_content_t test

So my questions are fourfold:

o How can one cause the correct httpd_user_content_t type to be
automatically assigned to user public_html directories (and

o How can one cause the correct httpd_user_content_t type to be
automatically assigned to user content (files) in user public_html

o Why are files initially receiving a user context of user_u rather
than system_u ?

And one file, slightly unrelated question:

o When I installed this server and restored user data to it, the user
context on all the files was set to root rather than user_u (and why
not system_u?).  I've reset everything to the correct user context
with chcon, but I'd like to know why this happened.

Thank you all for your insight!


"Build a man a fire and he will be warm for the rest of the night.  Set
a man on fire and he will be warm for the rest of his life."  -- Unknown

More information about the fedora-selinux-list mailing list