Hi,
Could you explain to me, please, the behavior of the restorecon utility.
I added the following in the local.fc file
# phpbb
/var/www/phpbb/cache(/.*)?    gen_context(system_u:object_r:httpd_sys_script_rw_t,s0)
/var/www/phpbb/files(/.*)?    gen_context(system_u:object_r:httpd_sys_script_rw_t,s0)
I compiled and installed the policy; it seems to be in place.
# semanage fcontext -l | grep phpbb
/var/www/phpbb/cache(/.*)?    all files    system_u:object_r:httpd_sys_script_rw_t:s0
/var/www/phpbb/files(/.*)?    all files    system_u:object_r:httpd_sys_script_rw_t:s0
But now when I run restorecon -vR /var/www/phpbb/ it doesn't do anything. I would expect it to change the context on the two directories and the files in them.
Only if I specify -F (force) does it relabel everything. I can't quite grasp why sometimes I don't have to supply -F and sometimes I do.
Thank you.
Sincerely yours, Vadym Chepkov
On Wed, 2009-07-22 at 11:06 -0700, Vadym Chepkov wrote:
Not completely sure, but I think it may have to do with customizable types. Customizable types are types that should not be relabeled.
This can be overridden with the -F (force) option.
Again, I am not quite sure if this is the case here, because on my system the httpd_sys_content_t type is not added to the customizable_types file.
less /etc/selinux/targeted/contexts/custom*
If I am wrong, I hope someone will correct me.
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
You are right, these types are listed in /etc/selinux/targeted/contexts/customizable_types:
....
httpd_sys_content_t
httpd_sys_htaccess_t
httpd_sys_script_exec_t
httpd_sys_script_ra_t
httpd_sys_script_ro_t
httpd_sys_script_rw_t
httpd_unconfined_script_exec_t
....
May I ask, why are they set this way?
Sincerely yours, Vadym Chepkov
--- On Wed, 7/22/09, Dominick Grift domg472@gmail.com wrote:
From: Dominick Grift domg472@gmail.com
Subject: Re: restorecon question
To: "Vadym Chepkov" chepkov@yahoo.com
Cc: "Fedora SELinux" fedora-selinux-list@redhat.com
Date: Wednesday, July 22, 2009, 2:33 PM
On Wed, 2009-07-22 at 12:57 -0700, Vadym Chepkov wrote:
Because users may choose to customize the labeling of their web hierarchy and we didn't want restorecon to clobber it. These days that isn't so necessary because users can use semanage fcontext -a to add entries for their customizations, and that is why customizable_types in F11 doesn't include those types.
On Wed, 2009-07-22 at 16:05 -0400, Stephen Smalley wrote:
But should http_user_{content,content_rw,script_exec}_t not be customizable types though?
AFAIK unprivileged users cannot use semanage fcontext. What if an unprivileged user tries to configure a custom Apache homedir, for example (~/mywww)?
Will that not be relabeled upon restorecon -R -v /home?
On Wed, 2009-07-22 at 22:19 +0200, Dominick Grift wrote:
Good question. Dan?
Policy access control, if it ever reaches maturity and integration, could possibly allow unprivileged users to add semanage fcontext entries for their own home directory contents.
On 07/23/2009 10:43 AM, Stephen Smalley wrote:
Dominick has a good point. I was thinking only in terms of administrators. I will fix in Rawhide.
svirt_image_t
virt_content_t
httpd_user_htaccess_t
httpd_user_script_exec_t
httpd_user_content_ra_t
httpd_user_content_rw_t
httpd_user_content_t
On Wed, 2009-07-22 at 11:06 -0700, Vadym Chepkov wrote:
What was the context before? Was the only difference the 'user' portion? I don't think restorecon bothers to reset the context if the only thing 'wrong' is the user, since the user is not relevant to any security operations....
No, it was httpd_sys_content_t
Sincerely yours, Vadym Chepkov
--- On Wed, 7/22/09, Eric Paris eparis@redhat.com wrote:
From: Eric Paris eparis@redhat.com
Subject: Re: restorecon question
To: "Vadym Chepkov" chepkov@yahoo.com
Cc: "Fedora SELinux" fedora-selinux-list@redhat.com
Date: Wednesday, July 22, 2009, 3:12 PM
On 07/22/2009 03:50 PM, Vadym Chepkov wrote:
customizable_types was the problem. You need to use the -F to override customizable_types.
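The decision restorecon makes for each file, as it emerges from the thread above, written out as a small shell model. This is an added example, not code from the thread or from policycoreutils, and it runs on constructed input: the three fcontext rules and the customizable_types excerpt are embedded as strings, the file class column is ignored, and "last matching regex wins" stands in for libselinux's actual matching. The function and variable names (expected_context, restorecon_action, FCONTEXT_RULES, CUSTOMIZABLE_TYPES) are assumptions of this example, not names from any SELinux tool.

```shell
#!/bin/sh
# Added example, not code from the thread or from policycoreutils: an
# offline model of the per-file decision restorecon makes, built from the
# facts the thread establishes:
#   - the expected context comes from the fcontext rules; when several
#     regexes match, the last one listed wins (local additions come after
#     the base policy's entries);
#   - without -F, a file whose CURRENT type is listed in customizable_types
#     is left alone (Dominick Grift, Dan Walsh);
#   - without -F, a difference only in the SELinux user field is ignored
#     (Eric Paris); with -F the whole context is compared and customizable
#     types are relabeled too.
# All data below is constructed sample input so the script runs without SELinux.

# Constructed rule table in `semanage fcontext -l` order: the base policy's
# /var/www rule, then the two rules Vadym added. The "all files" class
# column is omitted; this model ignores file classes.
FCONTEXT_RULES='/var/www(/.*)?              system_u:object_r:httpd_sys_content_t:s0
/var/www/phpbb/cache(/.*)?   system_u:object_r:httpd_sys_script_rw_t:s0
/var/www/phpbb/files(/.*)?   system_u:object_r:httpd_sys_script_rw_t:s0'

# Constructed copy of the httpd lines quoted from
# /etc/selinux/targeted/contexts/customizable_types. On a live system use:
#   CUSTOMIZABLE_TYPES=$(cat /etc/selinux/targeted/contexts/customizable_types)
CUSTOMIZABLE_TYPES='httpd_sys_content_t
httpd_sys_htaccess_t
httpd_sys_script_exec_t
httpd_sys_script_ra_t
httpd_sys_script_ro_t
httpd_sys_script_rw_t
httpd_unconfined_script_exec_t'

# expected_context PATH: context of the last rule whose regex matches PATH.
# file_contexts regexes are anchored at both ends, hence grep -x.
expected_context() {
    _ctx=
    while read -r _re _c; do
        [ -n "$_re" ] || continue
        if printf '%s\n' "$1" | grep -Eqx -- "$_re"; then
            _ctx=$_c
        fi
    done <<EOF
$FCONTEXT_RULES
EOF
    printf '%s\n' "$_ctx"
}

# type_of CONTEXT: the type field of user:role:type[:range]
type_of() { printf '%s\n' "$1" | cut -d: -f3; }

# sans_user CONTEXT: role:type[:range], i.e. what is compared without -F
sans_user() { printf '%s\n' "$1" | cut -d: -f2-; }

# is_customizable TYPE: succeeds when TYPE is listed in customizable_types
is_customizable() { printf '%s\n' "$CUSTOMIZABLE_TYPES" | grep -qx -- "$1"; }

# restorecon_action PATH CURRENT_CONTEXT [FORCE=0|1]
# Prints one of: no-rule | unchanged | skipped-customizable | relabel
restorecon_action() {
    _path=$1 _cur=$2 _force=${3:-0}
    _want=$(expected_context "$_path")
    if [ -z "$_want" ]; then
        printf 'no-rule\n'
    elif [ "$_force" -eq 1 ]; then
        # -F: exact comparison, customizable_types is not consulted
        if [ "$_cur" = "$_want" ]; then printf 'unchanged\n'; else printf 'relabel\n'; fi
    elif [ "$(sans_user "$_cur")" = "$(sans_user "$_want")" ]; then
        printf 'unchanged\n'
    elif is_customizable "$(type_of "$_cur")"; then
        printf 'skipped-customizable\n'
    else
        printf 'relabel\n'
    fi
}

# Reproduce the situation from the thread: everything under /var/www/phpbb
# currently carries httpd_sys_content_t, which is a customizable type.
demo() {
    for _p in /var/www/phpbb/cache /var/www/phpbb/files/a.png /var/www/phpbb/index.php; do
        printf '%-30s without -F: %-21s with -F: %s\n' "$_p" \
            "$(restorecon_action "$_p" system_u:object_r:httpd_sys_content_t:s0)" \
            "$(restorecon_action "$_p" system_u:object_r:httpd_sys_content_t:s0 1)"
    done
}
demo
```

Run as is to see Vadym's case: the cache and files trees report skipped-customizable without -F and relabel with -F, while index.php, already labeled httpd_sys_content_t as the base rule wants, is unchanged either way. On a real machine the quick check is whether the current type of the file (the type field of ls -Z output) appears in /etc/selinux/targeted/contexts/customizable_types; if it does, plain restorecon will not touch it and -F is needed.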