From: Stefan Schulze Frielinghaus <stefan@seekline.net>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: selinux@tycho.nsa.gov, Daniel J Walsh <dwalsh@redhat.com>,
	"Christopher J. PeBenito" <cpebenito@tresys.com>
Subject: Re: Propper labeling of files under /var/www
Date: Thu, 20 Dec 2007 08:43:51 +0000	[thread overview]
Message-ID: <1198140231.3248.7.camel@localhost6.localdomain6> (raw)
In-Reply-To: <1198073575.19081.1.camel@moss-spartans.epoch.ncsc.mil>


On Wed, 2007-12-19 at 09:12 -0500, Stephen Smalley wrote:
> On Wed, 2007-12-19 at 10:13 +0000, Stefan Schulze Frielinghaus wrote:
> > On Tue, 2007-12-18 at 13:55 -0500, Stephen Smalley wrote:
> > [...]
> > > Try restorecon -FRv /var/www
> > 
> > Yeah that solved the problem. The -F option is a little bit tricky ;-)
> > Never expected something like that.
> 
> /etc/selinux/targeted/contexts/customizable_types was created to allow
> programs like restorecon to omit files with certain types from being
> relabeled by default, so that admin customizations wouldn't be lost.
> The httpd-related types are a common case of this, where the admin wants
> to manually manage the type under the web root and not have them
> clobbered.  As to whether it still makes sense when we have semanage
> fcontext, I'm not sure.

I think, at least from a user's point of view, it is misleading. I just
wanted to create a policy for some CGI/PHP webserver stuff which I could
roll out to my clients. And if a client runs into some trouble, gets
some AVC messages etc., he just uses "fixfiles relabel" or even
"touch /.autorelabel && reboot". I think that's the normal behavior of a
non-SELinux hacker.

So in the end removing it (or just shipping an empty customizable_types
file like you pointed out) would be a good thing.
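As an added illustration (not part of the thread, and not the real restorecon code), the following POSIX shell model follows the rule Stephen describes: plain restorecon compares only the type portion and leaves files whose current type is listed in customizable_types alone, while restorecon -F resets the full context regardless. The type list, paths and contexts are constructed sample data.

```shell
#!/bin/sh
# Model of restorecon's customizable_types rule. Constructed data only;
# the real decision is made by libselinux, not by this script.

# Constructed stand-in for /etc/selinux/targeted/contexts/customizable_types
CUSTOMIZABLE_TYPES='httpd_sys_content_t
httpd_sys_rw_content_t
public_content_t'

# type_of CONTEXT -> prints the type field (third colon-separated field)
type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# is_customizable TYPE -> exit 0 if TYPE is listed in CUSTOMIZABLE_TYPES
is_customizable() {
    printf '%s\n' "$CUSTOMIZABLE_TYPES" | grep -qx -- "$1"
}

# restorecon_action CURRENT EXPECTED FORCE
#   CURRENT  = context the file carries now
#   EXPECTED = context file_contexts says it should have
#   FORCE    = 1 to model 'restorecon -F', 0 for plain restorecon
# Prints one of: unchanged, skipped, relabel
restorecon_action() {
    current=$1; expected=$2; force=$3
    if [ "$force" -eq 1 ]; then
        # -F: whole context (user, role, type, range) must match
        [ "$current" = "$expected" ] && { echo unchanged; return; }
        echo relabel; return
    fi
    # plain restorecon: only the type is compared, and a current type
    # listed in customizable_types is left as the admin set it
    cur_type=$(type_of "$current"); exp_type=$(type_of "$expected")
    if [ "$cur_type" = "$exp_type" ]; then echo unchanged
    elif is_customizable "$cur_type"; then echo skipped
    else echo relabel; fi
}

# Constructed sample: path | current context | context file_contexts expects
SAMPLE='/var/www/html/index.html|unconfined_u:object_r:httpd_sys_content_t:s0|system_u:object_r:httpd_sys_content_t:s0
/var/www/cgi-bin/app.cgi|unconfined_u:object_r:httpd_sys_content_t:s0|system_u:object_r:httpd_sys_script_exec_t:s0
/var/www/html/upload|unconfined_u:object_r:var_t:s0|system_u:object_r:httpd_sys_rw_content_t:s0'

# report FORCE -> one line per sample path with the action taken
report() {
    printf '%s\n' "$SAMPLE" | while IFS='|' read -r path cur exp; do
        printf '%-28s %s\n' "$path" "$(restorecon_action "$cur" "$exp" "$1")"
    done
}

echo "plain restorecon:"; report 0
echo "restorecon -F:";    report 1
```

The CGI script case is the one from the thread: its current type is customizable, so a plain relabel skips it and only -F moves it to httpd_sys_script_exec_t.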

