restorecon question

Stephen Smalley sds at tycho.nsa.gov
Thu Jul 23 14:43:39 UTC 2009


On Wed, 2009-07-22 at 22:19 +0200, Dominick Grift wrote:
> On Wed, 2009-07-22 at 16:05 -0400, Stephen Smalley wrote:
> > On Wed, 2009-07-22 at 12:57 -0700, Vadym Chepkov wrote:
> > > You are right, these types are listed in /etc/selinux/targeted/contexts/customizable_types:
> > > 
> > > ....
> > > httpd_sys_content_t
> > > httpd_sys_htaccess_t
> > > httpd_sys_script_exec_t
> > > httpd_sys_script_ra_t
> > > httpd_sys_script_ro_t
> > > httpd_sys_script_rw_t
> > > httpd_unconfined_script_exec_t
> > > ....
> > > 
> > > May I ask, why do they set this way?
> > 
> > Because users may choose to customize the labeling of their web
> > hierarchy and we didn't want restorecon to clobber it.  These days that
> > isn't so necessary because users can use semanage fcontext -a to add
> > entries for their customizations, and that is why customizable_types in
> > F11 doesn't include those types.
> > 
> 
> But should http_user_{content,content_rw,script_exec}_t not be
> customizable types though?
> 
> Afaik unpriv users cannot use semanage fcontext. What if an unpriv user
> tries to configure a custom apache homedir for example (~/mywww)?
> 
> Will that not be relabeled upon restorecon -R -v /home?

Good question.  Dan?

Policy access control, if it ever reaches maturity and integration,
could possibly allow unprivileged users to add semanage fcontext entries
for their own home directory contents.

-- 
Stephen Smalley
National Security Agency
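As an added illustration (not code from the thread or from the SELinux project), the rule discussed above modelled as a shell function: a file whose current type is listed in customizable_types is left alone by a plain restorecon, while restorecon -F resets it anyway. The customizable_types file is a constructed stand-in; the preview helper only runs restorecon's dry-run mode (-n) if the tool is present.

```shell
#!/bin/sh
# Added example, not from the original thread. Models how restorecon treats
# customizable types; the type list below is constructed, not the real file.

# Constructed stand-in for /etc/selinux/targeted/contexts/customizable_types
CUSTOMIZABLE_TYPES=$(mktemp)
cat > "$CUSTOMIZABLE_TYPES" <<'EOF'
httpd_sys_content_t
httpd_sys_script_exec_t
httpd_user_content_t
EOF

# Returns 0 if restorecon would relabel the file, 1 if it would leave it.
# $1 = type currently on the file
# $2 = type that file_contexts (matchpathcon) says the path should carry
# $3 = "force" to model restorecon -F, anything else for a plain run
restorecon_would_relabel() {
    current="$1"; expected="$2"; mode="$3"
    [ "$current" = "$expected" ] && return 1    # already correct, nothing to do
    [ "$mode" = "force" ] && return 0           # -F ignores customizable_types
    if grep -qx "$current" "$CUSTOMIZABLE_TYPES"; then
        return 1                                # customizable type: skipped
    fi
    return 0                                    # ordinary type: reset to default
}

# Dry run: with restorecon installed, -n -v lists what a recursive relabel
# of $1 (e.g. /home) would change without modifying any label.
preview_relabel() {
    if command -v restorecon >/dev/null 2>&1; then
        restorecon -n -R -v "$1"
    else
        echo "restorecon not available here; preview skipped"
    fi
}
```

Running preview_relabel on /home before the real restorecon -R shows whether a user's ~/mywww labels would be clobbered on that particular policy's customizable_types list.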
