Question on semanage fcontext -a

Daniel J Walsh dwalsh at redhat.com
Mon Mar 17 21:30:45 UTC 2008



Tim Taylor wrote:
> On Mon, 2008-03-17 at 08:07 -0400, Stephen Smalley wrote:
>> On Mon, 2008-03-17 at 11:31 +0000, Paul Howarth wrote:
>>> ttaylor wrote:
>>>> Does anything special have to be done to cause SELinux to start
>>>> using newly added local filecontexts?  What I'm finding is that if I
>>>> use semanage fcontext -a to add a local filecontext definition, it is
>>>> not used by restorecon unless I specify the "-F" option.  Without the
>>>> "-F" option, restorecon -vv <file_path> gives the following message:
>>>>
>>>> /sbin/restorecon: <file_path> not reset customized by admin to
>>>> <current_context>
>>>>
>>>> but restorecon -vv -F <file_path> gives this:
>>>>
>>>> /sbin/restorecon reset <file_path> context
>>>> <current_context>-><new_context>
>>> This is probably because <current_context> is a customizable type
>>> like httpd_sys_content_t; objects with these types don't get reset by
>>> restorecon unless you use -F. I'm not sure how to find out which
>>> types are customizable off the top of my head though.
>> cat /etc/selinux/$SELINUXTYPE/contexts/customizable_types
>>
>> Dan - I thought we had discussed reducing that set significantly since
>> it was originally to avoid clobbering locally-set types upon a
>> filesystem relabel prior to the introduction of semanage, but with
>> users now able to add local file contexts easily via semanage fcontext
>> -a, it isn't as necessary.
> 
> This is exactly my situation.  I am using Fedora 8 with all the latest
> updates.  I had used semanage to add a filecontext which would cause
> particular directories to be labeled with the type httpd_sys_script_rw_t
> which is a customizable type.
> 
> The directory I was trying to label was under /var/www which has a
> context of httpd_sys_content_t which is also a customizable type.  So
> why is it that new directories under /var/www are automatically labeled
> with the httpd_sys_content_t type, but things that match my added
> filecontext don't automatically get labeled with httpd_sys_script_rw_t,
> and require the use of restorecon -F?
> 
> Here's the specifics:
> 
> The command I used to add my local context:
> semanage fcontext -a -f -d -t httpd_sys_script_rw_t
> "/var/www/wikis/[^/]+/images"
> 
> I then create a directory that matches the above pattern:
> mkdir -p /var/www/wikis/foo/images
> 
> The directory is created, but has the type httpd_sys_content_t.
> 
> Now I use restorecon to relabel:
> restorecon -vv /var/www/wikis/foo/images
> 
> This gives me the following message:
> /sbin/restorecon: /var/www/wikis/foo/images not reset customized by
> admin to system_u:object_r:httpd_sys_content_t:s0
> 
> Now run restorecon with the force flag:
> restorecon -vv -F /var/www/wikis/foo/images
> 
> Gives this message:
> restorecon reset /var/www/wikis/foo/images context
> system_u:object_r:httpd_sys_content_t:s0->system_u:object_r:httpd_sys_script_rw_t:s0
> 
> Since both types are in the customizable_types file, why is one
> automatically used, and the other only used when forced?
> 
> - Tim
New files/directories adopt the context of their parent directory by
default, unless the program is SELinux aware or a transition rule was
written in policy:

dhcp_t creating files in directories labeled etc_t get a file context of
net_conf_t.

So since mkdir is not selinux aware and no policy rule has been defined,
you create the directory with the same context as the parent,
httpd_sys_content_t in both cases.

restorecon reads the file context file and assigns the correct context
after creation.

>> --
>> Stephen Smalley
>> National Security Agency

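The procedure the thread arrives at, as an added example that is not code from the thread or from the SELinux project: add the local spec with "semanage fcontext -a", create the directory (which, as Dan explains, inherits its parent's type), then run restorecon, adding -F only when the type the object currently carries is listed in customizable_types. Assumptions: the "-f d" file-type syntax is the current semanage form (the Fedora 8 era used "-f -d", as Tim's command shows); the default policy name "targeted" and the use of stat -c %C and matchpathcon for verification are assumptions about a modern Fedora/RHEL host; the sample customizable_types content is constructed, though the thread confirms both httpd_sys_* types were listed on Fedora 8. Run with no arguments for the offline decision demo, or with "--live PATTERN TYPE DIR" as root on an SELinux host.

```shell
#!/bin/sh
# Added example; not code from the thread. Decides whether restorecon needs -F
# for an object, and wraps the semanage -> mkdir -> restorecon procedure.

# Path to the customizable_types file for the running policy (assumes
# /etc/selinux/config carries SELINUXTYPE=; falls back to "targeted").
customizable_types_file() {
    policy=$(sed -n 's/^SELINUXTYPE=//p' /etc/selinux/config 2>/dev/null)
    printf '%s\n' "/etc/selinux/${policy:-targeted}/contexts/customizable_types"
}

# Constructed sample of that file for offline use; the thread confirms both
# httpd_sys_content_t and httpd_sys_script_rw_t were listed on Fedora 8.
make_sample_customizable_types() {
    f=$(mktemp)
    printf '%s\n' httpd_sys_content_t httpd_sys_script_rw_t > "$f"
    printf '%s\n' "$f"
}

# Exit 0 if TYPE appears as a whole line in FILE (a customizable_types file).
is_customizable_type() {
    grep -qx -- "$1" "$2" 2>/dev/null
}

# Third colon-separated field of a context: system_u:object_r:TYPE:s0 -> TYPE.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Print the restorecon command that will actually relabel PATH, given the
# context it currently carries. Without -F restorecon refuses to touch an
# object whose current type is customizable ("not reset customized by admin").
restorecon_cmd() {
    path=$1 current_ctx=$2 cust_file=$3
    if is_customizable_type "$(context_type "$current_ctx")" "$cust_file"; then
        printf 'restorecon -vv -F %s\n' "$path"
    else
        printf 'restorecon -vv %s\n' "$path"
    fi
}

# Live procedure (root on an SELinux host); never run by the offline demo.
relabel_with_local_rule() {
    pattern=$1    # regex, e.g. '/var/www/wikis/[^/]+/images'
    type_name=$2  # e.g. httpd_sys_script_rw_t
    target=$3     # a concrete directory matching the pattern
    cust_file=$(customizable_types_file)

    # The spec is persisted in file_contexts.local, so it survives a relabel.
    semanage fcontext -a -f d -t "$type_name" "$pattern"
    mkdir -p "$target"                      # inherits the parent's type
    current=$(stat -c %C "$target")         # e.g. ...:httpd_sys_content_t:s0
    echo "before: $current"
    if is_customizable_type "$(context_type "$current")" "$cust_file"; then
        restorecon -vv -F "$target"         # current type is customizable
    else
        restorecon -vv "$target"
    fi
    matchpathcon "$target"                  # what the spec says it should be
    stat -c %C "$target"                    # what it is now
}

# Offline demo of the decision logic with Tim's directory and a second context.
demo() {
    f=$(make_sample_customizable_types)
    dir=/var/www/wikis/foo/images
    restorecon_cmd "$dir" system_u:object_r:httpd_sys_content_t:s0 "$f"  # needs -F
    restorecon_cmd "$dir" system_u:object_r:var_t:s0 "$f"                # plain
    rm -f "$f"
}

case "${1:-}" in
    --live) relabel_with_local_rule "$2" "$3" "$4" ;;
    *) demo ;;
esac
```

The check is deliberately made on the type the object has now, not on the type the spec would assign: Tim's target type httpd_sys_script_rw_t being customizable is irrelevant, it is the inherited httpd_sys_content_t that makes restorecon skip the directory without -F.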



