SELinux doesn't work as it should?
Hello,
I have a problem with SELinux, my contexts don't want to be set. I took an example from the Red Hat documentation and checked:
~~
[root@localhost /]# mkdir /web
[root@proton html]# ls -lZ
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 1
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 2
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 3
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 4
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 blog
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 test
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 test1
[root@localhost web]# semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
~~
And now:
~~
[root@localhost web]# restorecon -R -v /web
restorecon reset /web context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /web/1 context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /web/2 context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /web/3 context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /web/4 context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /web/5 context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /web/test context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /web/test1 context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /web/test2 context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /web/test3 context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
[root@localhost web]# ls -lZ
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 1
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 2
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 3
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 4
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 5
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 test
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 test1
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 test2
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 test3
~~
Heh, it doesn't work!
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext.html
On the Red Hat site it works like a charm, but why? Where is it, and why don't I get system_u? I still have unconfined.
Can someone explain it to me?
Thanks,
Responses
Hi Michał. There's nothing wrong with the output you shared. That's normal and expected when the root user does the restorecon. Keep in mind with the default targeted policy we only do type enforcement anyway -- so only the 3rd part (httpd_sys_content_t) matters.
That said, if it really bothers you that much, you can fix it for now with chcon -R -u system_u or by doing a full system relabel, i.e.: touch /.autorelabel; reboot. I would however encourage you to simply let it go. :)
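As an added example (not part of this thread and not Red Hat's code), here is a POSIX sh check that applies the answer's point: under the targeted policy only the type field of a context is enforced, so verify that field across `ls -lZ` output and treat the user field (unconfined_u vs system_u) as informational. The `ls -lZ` lines below are constructed to resemble the question's output, with one stray default_t entry added so the check has something to report.

```shell
#!/bin/sh
# Added example: check the part of a file's SELinux context that the targeted
# policy actually enforces (the type), ignoring the user and role fields.

# Extract the type (3rd colon-separated field) from a context string.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Extract the SELinux user (1st field) from a context string; informational only.
selinux_user() {
    printf '%s\n' "$1" | cut -d: -f1
}

# Read `ls -lZ` style lines on stdin and print the names of entries whose
# type is not the expected one. Exit 0 when every entry matches, 1 otherwise.
# Fields: perms owner group context name (RHEL 6 style ls -lZ output).
check_types() {
    awk -v want="$1" '
        NF >= 5 {
            split($4, ctx, ":")
            if (ctx[3] != want) { print $5; bad = 1 }
        }
        END { if (bad) exit 1; exit 0 }
    '
}

# Constructed sample resembling the listing in the question. One entry keeps
# system_u (still fine, same type) and one is mislabelled default_t.
SAMPLE='-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 1
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 test
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 2
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 stray'

# Usage: mislabelled names are printed, then a summary line.
if printf '%s\n' "$SAMPLE" | check_types httpd_sys_content_t; then
    echo "all entries carry the expected type"
else
    echo "entries above do not carry httpd_sys_content_t (run restorecon -R -v on them)"
fi
```

On a real host, replace the constructed sample with `ls -lZ /web | check_types httpd_sys_content_t`; a differing user field will never show up here, which is the point the answer makes.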
