Confused about /var/www contexts
paul at city-fan.org
Wed May 28 07:59:10 UTC 2008
Jason L Tibbitts III wrote:
> I'm trying to understand why, on an updated F8 machine with
> selinux-policy-3.0.8-101.fc8.noarch and
> selinux-policy-targeted-3.0.8-101.fc8.noarch, /var/www/blah/cgi-bin
> doesn't end up as httpd_sys_script_exec_t.
> semanage fcontext -l says (among many other lines, of course):
> /var/www/[^/]*/cgi-bin(/.*)? all files system_u:object_r:httpd_sys_script_exec_t:s0
> and yet:
> > sudo restorecon -R -v /var/www
> > ls -lZ /var/www/blah
> drwxr-xr-x root root unconfined_u:object_r:httpd_sys_content_t:s0 cgi-bin/
> Am I misinterpreting the semanage output above? Is it possible that
> the following line, which appears earlier in the semanage output, is overriding?
> /var/www(/.*)? all files system_u:object_r:httpd_sys_content_t:s0
httpd_sys_content_t is a customizable type and will be left alone by
restorecon unless you use -F. This may change before much longer though,
given that it's easier to manage file contexts using semanage than it
was when customizable types were introduced.
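
The behaviour described in the reply, as an added sketch that is not part of the original message and is not restorecon's own code: it models the relabel decision for the two rules and the directory quoted in the thread. The rule-precedence order, the contents of `CUSTOMIZABLE_TYPES` and all function names are assumptions made for illustration.

```python
import re

# Constructed subset of `semanage fcontext -l`: the two rules quoted in the thread.
# Assumption: when several patterns match, the later (more specific) entry wins.
FCONTEXT_RULES = [
    (r"/var/www(/.*)?", "system_u:object_r:httpd_sys_content_t:s0"),
    (r"/var/www/[^/]*/cgi-bin(/.*)?", "system_u:object_r:httpd_sys_script_exec_t:s0"),
]

# Assumption: stands in for the policy's customizable_types list on the F8 machine.
CUSTOMIZABLE_TYPES = {"httpd_sys_content_t"}


def type_of(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]


def expected_type(path, rules=FCONTEXT_RULES):
    """Type the file-context rules assign to path, or None if nothing matches."""
    found = None
    for pattern, context in rules:
        if re.fullmatch(pattern, path):
            found = type_of(context)
    return found


def restorecon_decision(path, current_context, force=False):
    """Model of the relabel decision; returns (action, resulting_type).

    Only the type field is compared; user, role and level are out of scope.
    """
    current = type_of(current_context)
    wanted = expected_type(path)
    if wanted is None or wanted == current:
        return ("unchanged", current)
    if current in CUSTOMIZABLE_TYPES and not force:
        # The case from the thread: a customizable type is left alone without -F.
        return ("skipped-customizable", current)
    return ("relabel", wanted)


if __name__ == "__main__":
    cgi = "/var/www/blah/cgi-bin"
    label = "unconfined_u:object_r:httpd_sys_content_t:s0"  # from the ls -lZ output
    print(restorecon_decision(cgi, label))              # restorecon -R -v
    print(restorecon_decision(cgi, label, force=True))  # restorecon -F -R -v
```
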