Re: Question on semanage fcontext -a
- From: Stephen Smalley <sds tycho nsa gov>
- To: Paul Howarth <paul city-fan org>
- Cc: Daniel J Walsh <dwalsh redhat com>, fedora-selinux-list redhat com
- Subject: Re: Question on semanage fcontext -a
- Date: Mon, 17 Mar 2008 08:07:03 -0400
On Mon, 2008-03-17 at 11:31 +0000, Paul Howarth wrote:
> ttaylor wrote:
> > Does anything special have to be done to cause SELinux to start using newly
> > added local filecontexts? What I'm finding is that if I use semanage
> > fcontext -a to add a local filecontext definition, it is not used by
> > restorecon unless I specify the "-F" option. Without the "-F" option,
> > restorecon -vv <file_path> gives the following message:
> >
> > /sbin/restorecon: <file_path> not reset customized by admin to
> > <current_context>
> >
> > but restorecon -vv -F <file_path> gives this:
> >
> > /sbin/restorecon reset <file_path> context <current_context>-><new_context>
>
> This is probably because <current_context> is a customizable type like
> httpd_sys_content_t; objects with these types don't get reset by
> restorecon unless you use -F. I'm not sure how to find out which types
> are customizable off the top of my head though.

cat /etc/selinux/$SELINUXTYPE/contexts/customizable_types

Dan - I thought we had discussed reducing that set significantly since
it was originally to avoid clobbering locally-set types upon a
filesystem relabel prior to the introduction of semanage, but with users
now able to add local file contexts easily via semanage fcontext -a, it
isn't as necessary.
--
Stephen Smalley
National Security Agency
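
Added example, not part of the original message and not restorecon's own code: a shell model of the behaviour described in this thread, where a file whose current type is listed in `customizable_types` is left alone unless `-F` is given. The function names, the sample list and the `var_log_t` target context are constructed for illustration.

```shell
#!/bin/sh
# Models the decision described in the thread; it does not call
# restorecon or read the live policy.

# Print the type field (third colon-separated field) of a context
# such as system_u:object_r:httpd_sys_content_t:s0.
context_type() {
    printf '%s\n' "$1" | cut -s -d: -f3
}

# Succeed if the type of context $2 is listed in file $1
# (one type per line, the layout of contexts/customizable_types).
is_customizable() {
    type=$(context_type "$2")
    [ -n "$type" ] && grep -Fxq -- "$type" "$1"
}

# restorecon_decision LIST CURRENT EXPECTED [force]
# Prints one of: unchanged | skipped | reset
restorecon_decision() {
    list=$1 current=$2 expected=$3 force=${4:-}
    if [ "$current" = "$expected" ]; then
        echo unchanged
    elif [ "$force" != force ] && is_customizable "$list" "$current"; then
        echo skipped    # the "not reset customized by admin" case
    else
        echo reset      # the "reset ... context old->new" case
    fi
}

# Constructed sample list; the real one is
# /etc/selinux/$SELINUXTYPE/contexts/customizable_types
sample_list=$(mktemp)
trap 'rm -f "$sample_list"' EXIT
printf '%s\n' httpd_sys_content_t samba_share_t > "$sample_list"

cur=system_u:object_r:httpd_sys_content_t:s0
new=system_u:object_r:var_log_t:s0   # hypothetical local fcontext target

restorecon_decision "$sample_list" "$cur" "$new"         # without -F
restorecon_decision "$sample_list" "$cur" "$new" force   # with -F
```

To check a real file, pass the system's `customizable_types` path as the first argument and the file's current context (for example from `ls -Z`) as the second.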