How to label top level non default dirs

Daniel J Walsh dwalsh at redhat.com
Tue Apr 21 12:25:52 UTC 2009


On 04/21/2009 07:31 AM, Tony Molloy wrote:
> Hi,
>
> If I have a top level non default directory say for argument called /data.
> This directory contains various scripts and text files which should be
> available to everyone. Now when I do an install it gets the default selinux
> context file_t. But this generates lots of AVC's if I set selinux to
> enforcing. What should I label this directory as?
>
> Regards,
>
> Tony
>
You should never get a file/directory labeled file_t.  These should only 
be able to be created on machines without SELinux.  file_t means no 
label at all.  If you run restorecon on /data it will get assigned 
default_t.

restorecon -R -v /data

This label should be available to the unconfined user and not available 
to any confined domain.  That will probably fix most of your AVCs.  If 
you wanted to label it like a home directory you could set its labeling 
to user_home_t.

# semanage fcontext -a -t user_home_t '/data(/.*)?'
# restorecon -R -v /data

This would allow all confined domains that have access to the home 
directory access to these files.   If you want to give access to apache, 
you might need to assign a different context.
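An added example, not part of the list post: a small POSIX shell script that audits a top-level tree for the two labels discussed above (file_t, meaning no label at all, and default_t, what restorecon falls back to) and wraps the persistent semanage/restorecon relabel. It assumes GNU find (for `%Z`) and policycoreutils (`semanage`, `restorecon`) are installed; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the list post). Assumes GNU find and
# policycoreutils. The function names below are my own.

# Extract the SELinux type from a full context string, e.g.
# "unconfined_u:object_r:default_t:s0" -> "default_t".
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# True (0) when the type is file_t (no label at all) or default_t
# (what restorecon assigns to an unknown top-level path).
needs_attention() {
    case "$(context_type "$1")" in
        file_t|default_t) return 0 ;;
        *) return 1 ;;
    esac
}

# Read "context path" lines on stdin and print "type path" for every
# entry whose type is file_t or default_t. Fed from stdin so it also
# works over a saved listing, not only a live filesystem.
audit_listing() {
    while read -r ctx path; do
        if needs_attention "$ctx"; then
            printf '%s %s\n' "$(context_type "$ctx")" "$path"
        fi
    done
}

# Live audit of a directory tree: GNU find's %Z prints the context.
audit_dir() {
    find "$1" -printf '%Z %p\n' | audit_listing
}

# Persistently label $1 as $2 (e.g. user_home_t) and relabel on disk,
# mirroring the semanage fcontext / restorecon pair from the post.
relabel_dir() {
    dir=$1; type=$2
    semanage fcontext -a -t "$type" "${dir}(/.*)?" || return 1
    restorecon -R -v "$dir"
}
```

Run `audit_dir /data` before and after `relabel_dir /data user_home_t` to confirm nothing is left as file_t or default_t.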



