
SELinux Mailing List

Re: Proper labeling of files under /var/www

From: Stefan Schulze Frielinghaus <stefan_at_seekline.net>
Date: Thu, 20 Dec 2007 08:43:51 +0000


On Wed, 2007-12-19 at 09:12 -0500, Stephen Smalley wrote:
> On Wed, 2007-12-19 at 10:13 +0000, Stefan Schulze Frielinghaus wrote:
> > On Tue, 2007-12-18 at 13:55 -0500, Stephen Smalley wrote:
> > [...]
> > > Try restorecon -FRv /var/www
> >
> > Yeah that solved the problem. The -F option is a little bit tricky ;-)
> > Never expected something like that.
>
> /etc/selinux/targeted/contexts/customizable_types was created to allow
> programs like restorecon to omit files with certain types from being
> relabeled by default, so that admin customizations wouldn't be lost.
> The httpd-related types are a common case of this, where the admin wants
> to manually manage the type under the web root and not have them
> clobbered. As to whether it still makes sense when we have semanage
> fcontext, I'm not sure.

I think at least from a user point of view it is misleading. I just wanted to create a policy for some CGI/PHP webserver stuff which I could roll out to my clients. And if a client runs into some trouble, gets some AVC messages etc., he just uses "fixfiles relabel" or even "touch /.autorelabel && reboot". I think that's the normal behavior of a non-SELinux hacker.

So in the end removing it (or just shipping an empty customizable_types file like you pointed out) would be a good thing.


Received on Thu 20 Dec 2007 - 03:45:56 EST
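
An added example, not part of the original message or of any SELinux tool: a shell helper that lists the files a relabel without -F would leave alone, because their current type appears in a customizable_types file, as described in the quoted explanation above. The function names `customizable_paths` and `demo`, the sample type list and the sample file listing are constructed for illustration.

```shell
#!/bin/sh
# customizable_paths TYPES_FILE < LISTING
#   TYPES_FILE: one type name per line, as in
#               /etc/selinux/targeted/contexts/customizable_types
#   LISTING:    one "context path" pair per line, for example from
#               find /var/www -exec stat -c '%C %n' {} +
# Prints "type<TAB>path" for every file whose current type is customizable,
# i.e. the files a default restorecon run skips and only -F resets.
customizable_paths() {
    awk -v tf="$1" '
        BEGIN {
            # Load the type list first; an empty file simply loads nothing.
            while ((getline t < tf) > 0) {
                gsub(/[ \t]/, "", t)
                if (t != "") custom[t] = 1
            }
        }
        {
            ctx = $1
            # A context is user:role:type[:level]; the level may itself
            # contain colons, so only the third field is the type.
            split(ctx, f, ":")
            if (f[3] in custom)
                print f[3] "\t" substr($0, length(ctx) + 2)
        }'
}

# Constructed sample data: two customizable types and three files.
demo() {
    types=$(mktemp)
    printf '%s\n' httpd_sys_content_t httpd_sys_script_exec_t > "$types"
    customizable_paths "$types" <<'EOF'
system_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
user_u:object_r:user_home_t:s0 /var/www/html/moved-from-home.tgz
system_u:object_r:httpd_sys_script_exec_t:s0-s0:c0.c1023 /var/www/cgi-bin/report data.cgi
EOF
    rm -f "$types"
}

demo
```

With an empty type list the helper prints nothing, which corresponds to the "empty customizable_types file" case discussed in the thread.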
 

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009


National Security Agency / Central Security Service