restorecon question

Daniel J Walsh dwalsh at redhat.com
Thu Jul 23 21:18:40 UTC 2009


On 07/23/2009 10:43 AM, Stephen Smalley wrote:
> On Wed, 2009-07-22 at 22:19 +0200, Dominick Grift wrote:
>> On Wed, 2009-07-22 at 16:05 -0400, Stephen Smalley wrote:
>>> On Wed, 2009-07-22 at 12:57 -0700, Vadym Chepkov wrote:
>>>> You are right, these types are listed in /etc/selinux/targeted/contexts/customizable_types:
>>>>
>>>> ....
>>>> httpd_sys_content_t
>>>> httpd_sys_htaccess_t
>>>> httpd_sys_script_exec_t
>>>> httpd_sys_script_ra_t
>>>> httpd_sys_script_ro_t
>>>> httpd_sys_script_rw_t
>>>> httpd_unconfined_script_exec_t
>>>> ....
>>>>
>>>> May I ask, why do they set this way?
>>> Because users may choose to customize the labeling of their web
>>> hierarchy and we didn't want restorecon to clobber it.  These days that
>>> isn't so necessary because users can use semanage fcontext -a to add
>>> entries for their customizations, and that is why customizable_types in
>>> F11 doesn't include those types.
>>>
>> But should httpd_user_{content,content_rw,script_exec}_t not be
>> customizable types though?
>>
>> Afaik unpriv users cannot use semanage fcontext. What if an unpriv user
>> tries to configure a custom apache homedir, for example (~/mywww)?
>>
>> Will that not be relabeled upon restorecon -R -v /home?
> 
> Good question.  Dan?
> 
> Policy access control, if it ever reaches maturity and integration,
> could possibly allow unprivileged users to add semanage fcontext entries
> for their own home directory contents.
> 

Dominick has a good point.  I was thinking only in terms of administrators.  I will fix in Rawhide.

svirt_image_t
virt_content_t
httpd_user_htaccess_t
httpd_user_script_exec_t
httpd_user_content_ra_t
httpd_user_content_rw_t
httpd_user_content_t
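The question in the thread (will restorecon -R /home relabel ~/mywww?) comes down to one rule: without -F, restorecon leaves a file alone when its current type is listed in customizable_types, otherwise it resets the file to whatever file_contexts says. The following is an added model of that rule, written for this page; it is not code from policycoreutils or from anyone in the thread. The file_contexts entries, the two customizable_types samples and the example paths are constructed, and the "last matching file_contexts entry wins" lookup is an assumption of the model.

```python
"""Model of how restorecon handles customizable types (added example, not restorecon's code)."""
import re

# Constructed stand-in for /etc/selinux/targeted/contexts/customizable_types
# BEFORE the httpd_user_* types are added (assumption: only one unrelated type).
CUSTOMIZABLE_TYPES_BEFORE = """\
# one type per line
svirt_image_t
"""

# Constructed stand-in AFTER the fix Dan describes: the types from his reply.
CUSTOMIZABLE_TYPES_AFTER = """\
svirt_image_t
virt_content_t
httpd_user_htaccess_t
httpd_user_script_exec_t
httpd_user_content_ra_t
httpd_user_content_rw_t
httpd_user_content_t
"""

# Constructed subset of file_contexts as (regex, type) pairs; regexes are
# whole-path anchored, and in this model the last matching entry wins.
FILE_CONTEXTS = [
    (r"/home/[^/]+/.*", "user_home_t"),
    (r"/home/[^/]+/public_html(/.*)?", "httpd_user_content_t"),
    (r"/var/www(/.*)?", "httpd_sys_content_t"),
]


def parse_customizable_types(text):
    """One type per line; blank lines and '#' comments are ignored."""
    types = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            types.add(line)
    return types


def expected_type(path, file_contexts=FILE_CONTEXTS):
    """Type that file_contexts assigns to path, or None when no entry matches."""
    found = None
    for pattern, ftype in file_contexts:
        if re.fullmatch(pattern, path):
            found = ftype          # later entries override earlier ones
    return found


def restorecon(path, current_type, customizable, force=False,
               file_contexts=FILE_CONTEXTS):
    """Decide what restorecon does to one file; force=True models restorecon -F.

    Returns (action, resulting_type).
    """
    target = expected_type(path, file_contexts)
    if target is None:
        return ("no-spec", current_type)      # nothing to compare against
    if target == current_type:
        return ("unchanged", current_type)
    if current_type in customizable and not force:
        return ("preserved", current_type)    # customizable type: left alone
    return ("relabeled", target)


def restorecon_recursive(entries, customizable, force=False):
    """Model 'restorecon -R' over a constructed list of (path, current_type)."""
    return [(path, *restorecon(path, ctype, customizable, force))
            for path, ctype in entries]


if __name__ == "__main__":
    # Constructed home directory: ~/mywww hand-labelled by the user.
    home = [
        ("/home/vadym/public_html/index.html", "httpd_user_content_t"),
        ("/home/vadym/mywww/index.html", "httpd_user_content_t"),
        ("/home/vadym/notes.txt", "user_home_t"),
    ]
    for name, text in (("before", CUSTOMIZABLE_TYPES_BEFORE),
                       ("after", CUSTOMIZABLE_TYPES_AFTER)):
        print(f"customizable_types {name} the fix:")
        for row in restorecon_recursive(home, parse_customizable_types(text)):
            print("  ", *row)
```

With the "before" list, ~/mywww is relabeled back to user_home_t (the web server then loses access); with the "after" list it is preserved, and only restorecon -F (force=True) overrides it. ~/public_html is unchanged in both cases because file_contexts already assigns it httpd_user_content_t.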




More information about the fedora-selinux-list mailing list