SELinux, contexts, restorecon, chcon - Security


Thread: SELinux, contexts, restorecon, chcon

  1. SELinux, contexts, restorecon, chcon

    I wonder if someone can give me some pointers regarding the following problem:

    I am running RHEL4 x86_64 on a Quad Opteron HW.

    I have the following in
    /etc/selinux/targeted/contexts/files/file_contexts:

    /etc/httpd -d system_u:object_r:httpd_config_t
    /etc/httpd/conf.* system_u:object_r:httpd_config_t

    Yet, after I created '/etc/httpd/conf/ssl' and some subdirectories thereof and they were
    assigned user 'root:', running 'restorecon -R -v /etc/httpd/conf' does not restore the correct
    user 'system_u:'. I actually have to do 'chcon' to force the user attributes.

    WHY?

    Thanks









  2. Re: SELinux, contexts, restorecon, chcon

    On Wed, 28 Dec 2005 09:45:11 -0500 (EST), FEEB wrote:

    >I wonder if someone can give me some pointers regarding the following problem:
    >
    >I am running RHEL4 x86_64 on a Quad Opteron HW.
    >
    >I have the following in
    >/etc/selinux/targeted/contexts/files/file_contexts:
    >
    >/etc/httpd -d system_u:object_r:httpd_config_t
    >/etc/httpd/conf.* system_u:object_r:httpd_config_t
    >
    >Yet, after I created '/etc/httpd/conf/ssl' and some subdirectories thereof and they were
    >assigned user 'root:', running 'restorecon -R -v /etc/httpd/conf' does not restore the correct
    >user 'system_u:'. I actually have to do 'chcon' to force the user attributes.
    >
    >WHY?



    Just for the record:

    one has to use 'restorecon -R -F -v' to change the user attributes. Option '-F' is not
    documented in man pages.
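
The behaviour discussed in this thread, as an added Python model (not code from either poster and not restorecon's own source). It assumes the rule stated in current restorecon(8) documentation, that without -F only the type field of an existing context is reset, and it simplifies file_contexts lookup to "last matching entry wins"; all function names are hypothetical.

```python
import re

# Constructed sample mirroring the two file_contexts entries quoted in the thread.
FILE_CONTEXTS = """\
/etc/httpd         -d  system_u:object_r:httpd_config_t
/etc/httpd/conf.*      system_u:object_r:httpd_config_t
"""

def parse_file_contexts(text):
    """Parse 'regex [-type] context' lines into (compiled_regex, ftype, context)."""
    specs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) == 3:
            regex, ftype, ctx = fields
        elif len(fields) == 2:
            (regex, ctx), ftype = fields, None
        else:
            raise ValueError("malformed file_contexts line: %r" % line)
        specs.append((re.compile(regex), ftype, ctx))
    return specs

def expected_context(specs, path, ftype):
    """Return the policy context for path; ftype is '-d' for a directory, '--' for a file.
    Entries are anchored regexes. Simplification: the last matching entry wins."""
    for regex, want, ctx in reversed(specs):
        if regex.fullmatch(path) and want in (None, ftype):
            return ctx
    return None

def relabel(current, expected, force=False):
    """Model the context restorecon would leave on an already-labelled file."""
    if expected is None:
        return current                   # no policy entry: nothing to restore
    if force:
        return expected                  # -F: replace user, role and type
    cur = current.split(":", 3)          # user, role, type[, MLS range]
    cur[2] = expected.split(":", 3)[2]   # default: only the type field is reset
    return ":".join(cur)

if __name__ == "__main__":
    specs = parse_file_contexts(FILE_CONTEXTS)
    want = expected_context(specs, "/etc/httpd/conf/ssl", "-d")
    for force in (False, True):
        print("force=%s ->" % force, relabel("root:object_r:httpd_config_t", want, force))
```

On a live system, the expected context for a path can be read with `matchpathcon` and the current one with `ls -Z`, which gives the two inputs this model compares.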








