restorecon question

Vadym Chepkov chepkov at yahoo.com
Wed Jul 22 19:57:36 UTC 2009


You are right, these types are listed in /etc/selinux/targeted/contexts/customizable_types:

....
httpd_sys_content_t
httpd_sys_htaccess_t
httpd_sys_script_exec_t
httpd_sys_script_ra_t
httpd_sys_script_ro_t
httpd_sys_script_rw_t
httpd_unconfined_script_exec_t
....

May I ask why they are set this way?

Sincerely yours,
  Vadym Chepkov


--- On Wed, 7/22/09, Dominick Grift <domg472 at gmail.com> wrote:

> From: Dominick Grift <domg472 at gmail.com>
> Subject: Re: restorecon question
> To: "Vadym Chepkov" <chepkov at yahoo.com>
> Cc: "Fedora SELinux" <fedora-selinux-list at redhat.com>
> Date: Wednesday, July 22, 2009, 2:33 PM
> On Wed, 2009-07-22 at 11:06 -0700, Vadym Chepkov wrote:
> > Hi,
> > 
> > Could you please explain to me the behavior of the restorecon utility?
> > 
> > I added the following in the local.fc file
> > 
> > # phpbb
> > /var/www/phpbb/cache(/.*)?    gen_context(system_u:object_r:httpd_sys_script_rw_t,s0)
> > /var/www/phpbb/files(/.*)?    gen_context(system_u:object_r:httpd_sys_script_rw_t,s0)
> > 
> > compiled and installed policy, seems to be in place.
> > 
> > # semanage fcontext -l|grep phpbb
> > /var/www/phpbb/cache(/.*)?    all files    system_u:object_r:httpd_sys_script_rw_t:s0
> > /var/www/phpbb/files(/.*)?    all files    system_u:object_r:httpd_sys_script_rw_t:s0
> > 
> > But now when I run restorecon -vR /var/www/phpbb/
> > it doesn't do anything. I would expect it to change the context on two directories and the files in them.
> > 
> > Only if I specify -F (force) do I relabel everything.
> > I can't quite grasp why sometimes I don't have to supply -F and sometimes I do.
> 
> Not completely sure, but I think it may have to do with customizable
> types. Customizable types are types that should not be relabeled.
> 
> This can be overridden with the -F (force) option.
> 
> Again, I am not quite sure if this is the case here, because in my system
> the httpd_sys_content_t type is not added to the customizable_types
> files.
> 
> less /etc/selinux/targeted/contexts/custom*
> 
> If I am wrong, I hope someone will correct me.
> 
> > Thank you.
> > 
> > Sincerely yours,
> >   Vadym Chepkov
> > 
> 
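
The skip-unless-forced behaviour discussed in this thread, as an added example that is not part of the original messages: a shell helper that compares a file's current type with the type file_contexts expects and reports whether a plain restorecon would act or whether -F is needed. It assumes plain restorecon leaves a file alone when its current type is listed in customizable_types and that only the type field is compared; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: models the restorecon behaviour discussed in this thread.
# Assumption: without -F, restorecon skips a file whose *current* type is
# listed in customizable_types. Only the type field is compared here.

TYPES_FILE=${TYPES_FILE:-/etc/selinux/targeted/contexts/customizable_types}

# ctx_type CONTEXT -> prints the type field (3rd) of user:role:type[:level]
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# restorecon_verdict CURRENT_CONTEXT EXPECTED_CONTEXT -> prints one of:
#   unchanged  types already match, nothing to do
#   needs-F    current type is customizable, plain restorecon skips the file
#   relabel    plain restorecon resets the type
restorecon_verdict() {
    cur_type=$(ctx_type "$1")
    exp_type=$(ctx_type "$2")
    if [ "$cur_type" = "$exp_type" ]; then
        echo unchanged
    elif grep -Fxq -- "$cur_type" "$TYPES_FILE" 2>/dev/null; then
        echo needs-F
    else
        echo relabel
    fi
}

# check_path PATH -> the same verdict for a real file on an SELinux host.
# stat -c %C prints the current context; matchpathcon -n prints the context
# that file_contexts (including local.fc entries) assigns to the path.
check_path() {
    cur=$(stat -c %C "$1") || return 1
    exp=$(matchpathcon -n "$1") || return 1
    printf '%s: %s (%s -> %s)\n' "$1" \
        "$(restorecon_verdict "$cur" "$exp")" "$cur" "$exp"
}

# Check every path given on the command line, e.g. /var/www/phpbb/cache
for p in "$@"; do
    check_path "$p"
done
```

A "needs-F" verdict for a path means its current label is in the customizable list, which matches the case where restorecon -vR printed nothing until -F was supplied.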



