Question on semanage fcontext -a

Tim Taylor ttaylor at mitre.org
Tue Mar 18 18:38:28 UTC 2008


On Tue, 2008-03-18 at 09:45 -0400, Stephen Smalley wrote:
> 
> On Mon, 2008-03-17 at 16:16 -0400, Tim Taylor wrote:
> > On Mon, 2008-03-17 at 08:07 -0400, Stephen Smalley wrote:
> > >
> > > On Mon, 2008-03-17 at 11:31 +0000, Paul Howarth wrote:
> > > > ttaylor wrote:
> > > > > Does anything special have to be done to cause SELinux to start
> > > > > using newly added local filecontexts?  What I'm finding is that if
> > > > > I use semanage fcontext -a to add a local filecontext definition,
> > > > > it is not used by restorecon unless I specify the "-F" option.
> > > > > Without the "-F" option, restorecon -vv <file_path> gives the
> > > > > following message:
> > > > >
> > > > > /sbin/restorecon: <file_path> not reset customized by admin to
> > > > > <current_context>
> > > > >
> > > > > but restorecon -vv -F <file_path> gives this:
> > > > >
> > > > > /sbin/restorecon reset <file_path> context
> > > > > <current_context>-><new_context>
> > > >
> > > > This is probably because <current_context> is a customizable type
> > > > like httpd_sys_content_t; objects with these types don't get reset
> > > > by restorecon unless you use -F. I'm not sure how to find out which
> > > > types are customizable off the top of my head though.
> > >
> > > cat /etc/selinux/$SELINUXTYPE/contexts/customizable_types
> > >
> > > Dan - I thought we had discussed reducing that set significantly
> > > since it was originally to avoid clobbering locally-set types upon a
> > > filesystem relabel prior to the introduction of semanage, but with
> > > users now able to add local file contexts easily via semanage
> > > fcontext -a, it isn't as necessary.
> >
> > This is exactly my situation.  I am using Fedora 8 with all the latest
> > updates.  I had used semanage to add a filecontext which would cause
> > particular directories to be labeled with the type
> > httpd_sys_script_rw_t, which is a customizable type.
> >
> > The directory I was trying to label was under /var/www which has a
> > context of httpd_sys_content_t which is also a customizable type.  So
> > why is it that new directories under /var/www are automatically
> > labeled with the httpd_sys_content_t type, but things that match my
> > added filecontext don't automatically get labeled with
> > httpd_sys_script_rw_t, and require the use of restorecon -F?
> >
> > Here are the specifics:
> >
> > The command I used to add my local context:
> > semanage fcontext -a -f -d -t httpd_sys_script_rw_t
> > "/var/www/wikis/[^/]+/images"
> 
> This adds the entry to your file contexts configuration, a mapping from
> pathname regexes to file security contexts that is used to determine the
> right security context for a file when it is first installed (e.g. by
> rpm) or when you want to reset the filesystem to its initial state (e.g.
> via restorecon or fixfiles relabel), but not at runtime by the kernel.
> 
> > I then create a directory that matches the above pattern:
> > mkdir -p /var/www/wikis/foo/images
> >
> > The directory is created, but has the type httpd_sys_content_t.
> 
> For runtime file creation, the kernel labels new files based on either:
> 1) a type transition rule in the policy if one exists for the creating
> process' domain, the parent directory type, and the new file's security
> class (object type - e.g. regular file, directory, symlink, device
> node), or
> 2) the parent directory's type if no type transition rule matches.
> 
> The file contexts configuration is not used by the kernel and is only
> supposed to represent the initial install-time state of the filesystem.
> 
> > Now I use restorecon to relabel:
> > restorecon -vv /var/www/wikis/foo/images
> 
> restorecon does consult the file contexts configuration.
> 
> > This gives me the following message:
> > /sbin/restorecon: /var/www/wikis/foo/images not reset customized by
> > admin to system_u:object_r:httpd_sys_content_t:s0
> 
> This is because the existing type on the file is a customizable type and
> thus may have been manually set by the admin via chcon - this approach
> predates the introduction of semanage and as Dan said, customizable
> types have been dropped in rawhide / Fedora 9, so you won't encounter
> this problem going forward there.
> 
> > Now run restorecon with the force flag:
> > restorecon -vv -F /var/www/wikis/foo/images
> >
> > Gives this message:
> > restorecon reset /var/www/wikis/foo/images context
> > system_u:object_r:httpd_sys_content_t:s0->system_u:object_r:httpd_sys_script_rw_t:s0
> >
> > Since both types are in the customizable_types file, why is one
> > automatically used, and the other only used when forced?
> 
> If by automatically used, you mean at new file creation, neither file
> contexts nor customizable types has anything to do with that.  If you
> mean by restorecon, the restorecon logic is simply to not relabel a file
> that has a customizable type since it may have been manually set by the
> admin.

Thanks.  The feedback I've gotten has greatly clarified my understanding
of how SELinux labeling works.

- Tim
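The two labeling paths Stephen describes in the thread (the kernel choosing a type at file creation from a type_transition rule or the parent directory, versus restorecon consulting the file contexts configuration and refusing to touch customizable types unless forced) are easy to confuse, so here is a small Python model of them. This is an added example, not code from the thread or from SELinux itself. The file-contexts table, the customizable_types set and the type_transition rule are constructed for illustration (the example_app_t rule is made up), and the lookup treats a later matching entry as overriding an earlier one, which is how an entry added with `semanage fcontext -a` ends up overriding the generic /var/www entry.

```python
import re

# Simplified model of the two SELinux labeling paths discussed in the thread.
# The tables below are constructed for this example; they are not real policy.

# File contexts configuration: (path regex, file-type restriction, context).
# Base-policy entries come first; entries added with `semanage fcontext -a`
# are loaded after them, and the last matching entry wins.
FILE_CONTEXTS = [
    (re.compile(r"/var/www(/.*)?"), None, "system_u:object_r:httpd_sys_content_t:s0"),
    # Equivalent of Tim's local entry, restricted to directories (-f -d):
    (re.compile(r"/var/www/wikis/[^/]+/images"), "dir",
     "system_u:object_r:httpd_sys_script_rw_t:s0"),
]

# Stand-in for /etc/selinux/$SELINUXTYPE/contexts/customizable_types.
CUSTOMIZABLE_TYPES = {"httpd_sys_content_t", "httpd_sys_script_rw_t"}

# Constructed type_transition rules: (creating domain, parent type, class) -> new type.
# Deliberately no rule for unconfined_t creating a dir under httpd_sys_content_t.
TYPE_TRANSITIONS = {
    ("example_app_t", "tmp_t", "file"): "example_app_tmp_t",  # hypothetical
}


def context_type(context):
    """Return the type field of a user:role:type:level context string."""
    return context.split(":")[2]


def matchpathcon(path, obj_class):
    """Look a path up in the file contexts configuration (what restorecon uses)."""
    winner = None
    for regex, ftype, context in FILE_CONTEXTS:
        if regex.fullmatch(path) and ftype in (None, obj_class):
            winner = context  # later entries override earlier ones
    return winner


def kernel_label_on_create(domain, parent_context, obj_class):
    """Label a new object the way the kernel does at creation time: a matching
    type_transition rule wins, otherwise the parent directory's type is
    inherited. The file contexts configuration plays no part here.
    (User and level are copied from the parent in this simplified model.)"""
    user, role, parent_type, level = parent_context.split(":", 3)
    new_type = TYPE_TRANSITIONS.get((domain, parent_type, obj_class), parent_type)
    return f"{user}:{role}:{new_type}:{level}"


def restorecon(path, obj_class, current_context, force=False):
    """Emulate restorecon's decision for one object.

    Returns (action, resulting_context); action is one of 'no match',
    'unchanged', 'not reset customized by admin' or 'reset'."""
    wanted = matchpathcon(path, obj_class)
    if wanted is None:
        return "no match", current_context
    if wanted == current_context:
        return "unchanged", current_context
    # Without -F, an object whose current type is customizable is left alone
    # because it may have been set by hand with chcon.
    if context_type(current_context) in CUSTOMIZABLE_TYPES and not force:
        return "not reset customized by admin", current_context
    return "reset", wanted


def walk_through_thread_scenario():
    """Replay Tim's steps: mkdir under /var/www, then restorecon with and without -F."""
    parent = "system_u:object_r:httpd_sys_content_t:s0"  # label of /var/www/wikis/foo
    path = "/var/www/wikis/foo/images"
    created = kernel_label_on_create("unconfined_t", parent, "dir")
    plain = restorecon(path, "dir", created)
    forced = restorecon(path, "dir", created, force=True)
    return created, plain, forced


if __name__ == "__main__":
    created, plain, forced = walk_through_thread_scenario()
    print("mkdir gives:   ", created)
    print("restorecon:    ", plain)
    print("restorecon -F: ", forced)
```

Running it reproduces the thread: the new directory inherits httpd_sys_content_t from its parent, plain restorecon reports it as customized by the admin and leaves it, and restorecon -F resets it to httpd_sys_script_rw_t. The same model also shows why a regular file at that path would not pick up the local entry at all, since the entry was added with -f -d and only matches directories.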




More information about the fedora-selinux-list mailing list