Patrick Bervoets
2014-Dec-17  10:07 UTC
[CentOS] selinux-policy update resets /etc/selinux/targeted/contexts/files/file_contexts?
Hi,
On an internal webserver (latest C6) I want smb-access to /var/www/html/
In April I did
     chcon -R -t public_content_rw_t /var/www/html/
     setsebool -P allow_smbd_anon_write 1
     setsebool -P allow_httpd_anon_write 1
     echo "/var/www/html/  -- unconfined_u:object_r:public_content_rw_t:s0" >> \
         /etc/selinux/targeted/contexts/files/file_contexts
After the latest round of updates (including selinux-policy.noarch
0:3.7.19-260.el6_6.1 and selinux-policy-targeted.noarch 0:3.7.19-260.el6_6.1)
samba-access to /var/www/html was denied.
Applying the commands above re-enabled samba-access.
Does anyone know how I can configure selinux to remember this after an update to the
policies?
Thanks
Patrick
Jonathan Billings
2014-Dec-17  13:56 UTC
On Wed, Dec 17, 2014 at 11:07:06AM +0100, Patrick Bervoets wrote:
> echo "/var/www/html/ -- unconfined_u:object_r:public_content_rw_t:s0" >> /etc/selinux/targeted/contexts/files/file_contexts

Next time try putting the local policy into:
/etc/selinux/targeted/contexts/files/file_contexts.local
... which isn't overwritten by package updates. This is what would
have happened if you had used the 'semanage fcontext' command.

--
Jonathan Billings <billings at negate.org>
Daniel J Walsh
2014-Dec-17  14:12 UTC
On 12/17/2014 05:07 AM, Patrick Bervoets wrote:
> Hi,
>
> On an internal webserver (latest C6) I want smb-access to /var/www/html/
> In April I did
>      chcon -R -t public_content_rw_t /var/www/html/
>      setsebool -P allow_smbd_anon_write 1
>      setsebool -P allow_httpd_anon_write 1
>      echo "/var/www/html/ -- unconfined_u:object_r:public_content_rw_t:s0" >> /etc/selinux/targeted/contexts/files/file_contexts
>

This is incorrect.

# semanage fcontext -a -t public_content_rw_t '/var/www/html(/.*)?'
# restorecon -R -v /var/www/html

Should change the label and it should survive relabel.

> After the latest round of updates (including selinux-policy.noarch
> 0:3.7.19-260.el6_6.1 and selinux-policy-targeted.noarch
> 0:3.7.19-260.el6_6.1) samba-access to /var/www/html was denied.
> Applying the commands above re-enabled samba-access.
>
> Does anyone know how I can configure selinux to remember this after an
> update to the policies?
>
> Thanks
> Patrick
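An added example, not part of the original thread: a small Python model of how a file_contexts entry is applied, comparing the line appended with echo against the usual `(/.*)?` form of the spec. The sample tree, the helper names and the `system_u` user in the second entry are assumptions made for the illustration.

```python
import re

# Type field of a file_contexts entry: "--" regular file, "-d" directory,
# "-l" symlink. An entry without a type field applies to every object kind.
FILE_TYPES = {"--": "file", "-d": "dir", "-l": "symlink"}

def parse_entry(line):
    """Split 'path_regex [file_type] context' into (regex, kind, context)."""
    fields = line.split()
    if len(fields) == 3 and fields[1] in FILE_TYPES:
        return fields[0], FILE_TYPES[fields[1]], fields[2]
    if len(fields) == 2:
        return fields[0], None, fields[1]
    raise ValueError("not a file_contexts entry: %r" % line)

def entry_applies(line, path, kind):
    """True if the entry would label `path`, an object of type `kind`."""
    regex, wanted_kind, _context = parse_entry(line)
    # The path regex is anchored at both ends: the whole path must match.
    if re.fullmatch(regex, path) is None:
        return False
    return wanted_kind is None or wanted_kind == kind

# Constructed sample tree (path, kind), written the way a tree walk reports
# paths, i.e. without a trailing slash. Not taken from a real host.
SAMPLE_TREE = [
    ("/var/www/html", "dir"),
    ("/var/www/html/index.html", "file"),
    ("/var/www/html/uploads", "dir"),
    ("/var/www/html/uploads/report.pdf", "file"),
]

# The entry appended by hand in the first message of the thread.
APPENDED = "/var/www/html/  -- unconfined_u:object_r:public_content_rw_t:s0"
# Constructed entry using the conventional recursive spec.
RECURSIVE = "/var/www/html(/.*)?  system_u:object_r:public_content_rw_t:s0"

def covered(line):
    """Paths of SAMPLE_TREE that the entry would label."""
    return [p for p, k in SAMPLE_TREE if entry_applies(line, p, k)]

if __name__ == "__main__":
    for name, line in (("appended", APPENDED), ("recursive", RECURSIVE)):
        print(name, "->", covered(line))
```

The appended entry is restricted to regular files and its literal path ends in a slash, so it matches nothing in the tree; only the chcon call had actually changed the labels, and chcon changes do not survive a relabel.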
Patrick Bervoets
2014-Dec-17  14:52 UTC
On 17-12-14 at 14:56, Jonathan Billings wrote:
> On Wed, Dec 17, 2014 at 11:07:06AM +0100, Patrick Bervoets wrote:
>> echo "/var/www/html/ -- unconfined_u:object_r:public_content_rw_t:s0" >> /etc/selinux/targeted/contexts/files/file_contexts
> Next time try putting the local policy into:
> /etc/selinux/targeted/contexts/files/file_contexts.local
> ... which isn't overwritten by package updates. This is what would
> have happened if you had used the 'semanage fcontext' command.
>

Thank you, it even makes sense :-)
Troubleshooting selinux is still on my skills-wishlist.
Patrick Bervoets
2014-Dec-17  15:04 UTC
On 17-12-14 at 15:12, Daniel J Walsh wrote:
> On 12/17/2014 05:07 AM, Patrick Bervoets wrote:
>> Hi,
>>
>> On an internal webserver (latest C6) I want smb-access to /var/www/html/
>> In April I did
>>      chcon -R -t public_content_rw_t /var/www/html/
>>      setsebool -P allow_smbd_anon_write 1
>>      setsebool -P allow_httpd_anon_write 1
>>      echo "/var/www/html/ -- unconfined_u:object_r:public_content_rw_t:s0" >> /etc/selinux/targeted/contexts/files/file_contexts
>>
> This is incorrect.
>
> # semanage fcontext -a -t public_content_rw_t '/var/www/html(/.*)?'
> # restorecon -R -v /var/www/html
>
> Should change the label and it should survive relabel.
>
>> After the latest round of updates (including selinux-policy.noarch
>> 0:3.7.19-260.el6_6.1 and selinux-policy-targeted.noarch
>> 0:3.7.19-260.el6_6.1) samba-access to /var/www/html was denied.
>

Thanks, I know I shouldn't just follow serverfault instructions without
complete understanding.
One day I'll have to learn to master selinux. (and rtfm)

Patrick