Questions about Apache and SELinux context inheritance
Christofer C. Bell
christofer.c.bell at gmail.com
Sun Mar 13 00:46:19 UTC 2005
I have a question about how context inheritance works in SELinux.
The correct file context is already defined in
/etc/selinux/targeted/contexts/files/file_contexts as:
/home/[^/]+/((www)|(web)|(public_html))(/.+)?
system_u:object_r:httpd_user_content_t
However, this context is not inherited when creating a public_html
directory as a user or as root in a user home directory. In
other words, when creating a public_html directory, this is what you
get:
drwxrwxr-x cbell cbell user_u:object_r:user_home_t public_html
(I must admit some confusion about the initial user_u user context
since this is not defined in file_contexts). Here you see that the
user context is set to user_u, the role is set to object_r, and the
type is set to user_home_t. This is (in)correctly inherited from the
/home directory's context.
Simply running restorecon -v -R /home/ (as a user or root) will fix
it to read thusly:
drwxrwxr-x cbell cbell system_u:object_r:httpd_user_content_t public_html
At any rate, the user label is correctly set to system_u, the role is
unchanged with object_r, and the type is changed to
httpd_user_content_t. This is the context I'd like public_html
directories to automatically assume when created. Is this possible?
Further puzzles:
Creating files in this public_html directory (after resetting the
directory to the correct context) yields more puzzling results:
[cbell at circe public_html]$ touch test
[cbell at circe public_html]$ ls -Z
-rw-rw-r-- cbell cbell user_u:object_r:httpd_sys_content_t test
Note that in this case, the file has been set to user context user_u,
role object_r, and type httpd_sys_content_t. This is the type that's
supposedly reserved for the machine's public web directories:
(from file_contexts)
/var/www(/.*)? system_u:object_r:httpd_sys_content_t
Again, one must run restorecon to correctly set the context on this file to:
-rw-rw-r-- cbell cbell system_u:object_r:httpd_user_content_t test
So my questions are fourfold:
o How can one cause the correct httpd_user_content_t type to be
automatically assigned to user public_html directories (and
subdirectories)?
o How can one cause the correct httpd_user_content_t type to be
automatically assigned to user content (files) in user public_html
directories?
o Why are files initially receiving a user context of user_u rather
than system_u?
And one final, slightly unrelated question:
o When I installed this server and restored user data to it, the user
context on all the files was set to root rather than user_u (and why
not system_u?). I've reset everything to the correct user context
with chcon, but I'd like to know why this happened.
Thank you all for your insight!
--
Chris
"Build a man a fire and he will be warm for the rest of the night. Set
a man on fire and he will be warm for the rest of his life." -- Unknown
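Added example (editor's code, not from the post or from libselinux): a small Python matcher that replays how restorecon decides the label a path should carry. It makes the point behind the first three questions concrete: file_contexts is a relabel-time database that restorecon and setfiles consult; the kernel never reads it when an inode is created. A new file or directory gets its type from a type_transition rule in the loaded policy or, absent one, from its parent directory, and its SELinux user from the creating process, which is why a fresh public_html under a user_home_t home directory comes out user_u:object_r:user_home_t until something relabels it. The file_contexts excerpt below is constructed: the public_html and /var/www lines are quoted from the post, while the generic /home rule, the `<<none>>` line and the cgi-bin line are assumptions added to exercise the matcher. The matching rule is also simplified to "regex anchored as a full match; when several entries match, the last one wins"; real libselinux adds stem-prefix optimisations and loads file_contexts.homedirs and file_contexts.local after the main file.

```python
"""Replay SELinux file_contexts matching the way restorecon does.

Added example, not code from the original post or from libselinux.
Assumptions: a constructed file_contexts excerpt and the simplified
rule "each regex is anchored as a full match; the last matching entry
wins" (libselinux adds stem-prefix optimisations and loads
file_contexts.homedirs / file_contexts.local after the main file).
"""
import re
from typing import List, NamedTuple, Optional

# Constructed excerpt in the real file format: <regex> [<file type>] <context>.
# The public_html and /var/www lines are quoted from the post; the generic
# /home rule, the <<none>> line and the cgi-bin line are assumptions added
# here to exercise the matcher.
FILE_CONTEXTS = r"""
/.*                                              system_u:object_r:default_t
/home/[^/]+(/.+)?                                system_u:object_r:user_home_t
/home/[^/]+/((www)|(web)|(public_html))(/.+)?    system_u:object_r:httpd_user_content_t
/home/[^/]+/\.cache(/.*)?                        <<none>>
/var/www(/.*)?                                   system_u:object_r:httpd_sys_content_t
/var/www/cgi-bin(/.*)?                           system_u:object_r:httpd_sys_script_exec_t
"""


class Spec(NamedTuple):
    regex: str
    ftype: Optional[str]      # "--", "-d", "-l", ... or None meaning "any file type"
    context: Optional[str]    # None encodes <<none>>: never relabel this path
    pattern: re.Pattern


def parse_file_contexts(text: str) -> List[Spec]:
    """Parse file_contexts lines; '#' starts a comment, blank lines are skipped."""
    specs: List[Spec] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) == 2:
            regex, ftype, ctx = fields[0], None, fields[1]
        elif len(fields) == 3:
            regex, ftype, ctx = fields
        else:
            raise ValueError(f"malformed file_contexts line: {raw!r}")
        # libselinux anchors every regex so it has to cover the whole path.
        pattern = re.compile("^" + regex + "$")
        specs.append(Spec(regex, ftype, None if ctx == "<<none>>" else ctx, pattern))
    return specs


def match_path(specs: List[Spec], path: str, ftype: Optional[str] = None) -> Optional[str]:
    """Return the context restorecon would apply to `path`.

    None means either no entry matched or the winning entry is <<none>>.
    A spec with a file-type field only applies when the caller knows the
    file type and it agrees; an unknown type (None) matches every spec.
    """
    winner: Optional[Spec] = None
    for spec in specs:
        if spec.ftype is not None and ftype is not None and spec.ftype != ftype:
            continue
        if spec.pattern.match(path):
            winner = spec          # last matching entry wins
    return winner.context if winner else None


def split_context(ctx: str):
    """Split 'user:role:type[:range]' into (user, role, type)."""
    user, role, type_ = ctx.split(":")[:3]
    return user, role, type_


def needs_relabel(specs: List[Spec], path: str, actual: str,
                  ftype: Optional[str] = None, full: bool = False) -> bool:
    """Would restorecon change this label?

    By default only the type is compared (what a plain restorecon fixes);
    full=True compares the whole user:role:type string, as restorecon -F does.
    """
    expected = match_path(specs, path, ftype)
    if expected is None:
        return False
    if full:
        return expected != actual
    return split_context(expected)[2] != split_context(actual)[2]


SPECS = parse_file_contexts(FILE_CONTEXTS)

if __name__ == "__main__":
    # The two observations from the post: (path, label the kernel gave the new inode, type).
    observed = [
        ("/home/cbell/public_html", "user_u:object_r:user_home_t", "-d"),
        ("/home/cbell/public_html/test", "user_u:object_r:httpd_sys_content_t", "--"),
    ]
    for path, actual, ft in observed:
        print(f"{path}: created as {actual}; file_contexts says {match_path(SPECS, path, ft)}"
              f"; relabel needed: {needs_relabel(SPECS, path, actual, ft)}")
```

Run stand-alone, the script reports that both inodes from the post need relabelling to httpd_user_content_t. Note the anchoring: a directory named public_htmlx falls through to the generic home rule, and a path under a `<<none>>` entry is left alone even though the broader home rule also matches it. Passing `full=True` shows why a label that already has the right type but still reads user_u is untouched by a plain restorecon and changed only by the forced variant.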