Question on semanage fcontext -a

Tim Taylor ttaylor at mitre.org
Mon Mar 17 20:16:51 UTC 2008


On Mon, 2008-03-17 at 08:07 -0400, Stephen Smalley wrote:
> 
> On Mon, 2008-03-17 at 11:31 +0000, Paul Howarth wrote:
> > ttaylor wrote:
> > > Does anything special have to be done to cause SELinux to start using newly
> > > added local filecontexts?  What I'm finding is that if I use semanage
> > > fcontext -a to add a local filecontext definition, it is not used by
> > > restorecon unless I specify the "-F" option.  Without the "-F" option,
> > > restorecon -vv <file_path> gives the following message:
> > >
> > > /sbin/restorecon: <file_path> not reset customized by admin to
> > > <current_context>
> > >
> > > but restorecon -vv -F <file_path> gives this:
> > >
> > > /sbin/restorecon reset <file_path> context <current_context>-><new_context>
> >
> > This is probably because <current_context> is a customizable type like
> > httpd_sys_content_t; objects with these types don't get reset by
> > restorecon unless you use -F. I'm not sure how to find out which types
> > are customizable off the top of my head though.
> 
> cat /etc/selinux/$SELINUXTYPE/contexts/customizable_types
> 
> Dan - I thought we had discussed reducing that set significantly since
> it was originally to avoid clobbering locally-set types upon a
> filesystem relabel prior to the introduction of semanage, but with users
> now able to add local file contexts easily via semanage fcontext -a, it
> isn't as necessary.

This is exactly my situation.  I am using Fedora 8 with all the latest
updates.  I had used semanage to add a filecontext which would cause
particular directories to be labeled with the type httpd_sys_script_rw_t
which is a customizable type.

The directory I was trying to label was under /var/www which has a
context of httpd_sys_content_t which is also a customizable type.  So
why is it that new directories under /var/www are automatically labeled
with the httpd_sys_content_t type, but things that match my added
filecontext don't automatically get labeled with httpd_sys_script_rw_t,
and require the use of restorecon -F?

Here are the specifics:

The command I used to add my local context:
semanage fcontext -a -f -d -t httpd_sys_script_rw_t "/var/www/wikis/[^/]+/images"

I then create a directory that matches the above pattern:
mkdir -p /var/www/wikis/foo/images

The directory is created, but has the type httpd_sys_content_t.

Now I use restorecon to relabel:
restorecon -vv /var/www/wikis/foo/images

This gives me the following message:
/sbin/restorecon: /var/www/wikis/foo/images not reset customized by admin to system_u:object_r:httpd_sys_content_t:s0

Now run restorecon with the force flag:
restorecon -vv -F /var/www/wikis/foo/images

Gives this message:
restorecon reset /var/www/wikis/foo/images context system_u:object_r:httpd_sys_content_t:s0->system_u:object_r:httpd_sys_script_rw_t:s0

Since both types are in the customizable_types file, why is one
automatically used, and the other only used when forced?

- Tim
> 
> --
> Stephen Smalley
> National Security Agency
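The thread's explanation (Paul: restorecon skips objects whose current type is customizable unless given -F; Stephen: the list lives in /etc/selinux/$SELINUXTYPE/contexts/customizable_types) can be turned into a small pre-flight check for an admin who has just run `semanage fcontext -a`. The script below is an added example, not code from the thread or from the SELinux project; it embeds a constructed two-entry copy of customizable_types so it runs offline, and the function names `context_type`, `is_customizable` and `predict` are hypothetical.

```sh
#!/bin/sh
# Added example (not from the thread): predict whether a plain
# "restorecon <path>" will skip a file because its current type is
# listed in customizable_types, in which case -F is required.
#
# Constructed stand-in for /etc/selinux/$SELINUXTYPE/contexts/customizable_types.
# It only holds the two types named in the thread; on a real host read the
# file itself (cat the path above) instead of this variable.
CUSTOMIZABLE_TYPES="httpd_sys_content_t
httpd_sys_script_rw_t"

# context_type CTX: print the type field of a full context, e.g.
#   system_u:object_r:httpd_sys_content_t:s0 -> httpd_sys_content_t
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# is_customizable TYPE: succeed when TYPE is an exact line in the list.
is_customizable() {
    printf '%s\n' "$CUSTOMIZABLE_TYPES" | grep -qx -- "$1"
}

# predict CURRENT_CTX NEW_CTX: say what restorecon without -F would do
# when the file currently carries CURRENT_CTX and the file-context
# database (after semanage fcontext -a) says it should be NEW_CTX.
predict() {
    cur_type=$(context_type "$1")
    new_type=$(context_type "$2")
    if [ "$cur_type" = "$new_type" ]; then
        echo "unchanged"
    elif is_customizable "$cur_type"; then
        # Matches the "not reset customized by admin" message in the thread.
        echo "skipped (needs -F)"
    else
        echo "relabel"
    fi
}

# Tim's case: directory inherited httpd_sys_content_t from /var/www, the
# new fcontext rule says httpd_sys_script_rw_t.
predict system_u:object_r:httpd_sys_content_t:s0 \
        system_u:object_r:httpd_sys_script_rw_t:s0
```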