/var/www/html/
for a website, an administrator wants to use /srv/myweb/
. On Fedora 10, the /srv/
directory is labeled with the var_t
type. Files and directories created and /srv/
inherit this type. Also, newly-created top-level directories (such as /myserver/
) may be labeled with the default_t
type. SELinux prevents the Apache HTTP Server (httpd
) from accessing both of these types. To allow access, SELinux must know that the files in /srv/myweb/
are to be accessible to httpd
:
# /usr/sbin/semanage fcontext -a -t httpd_sys_content_t \ "/srv/myweb(/.*)?"
semanage
command adds the context for the /srv/myweb/
directory (and all files and directories under it) to the SELinux file-context configuration[14]. The semanage
command does not change the context. As the Linux root user, run the restorecon
command to apply the changes:
# /sbin/restorecon -R -v /srv/myweb
matchpathcon
command checks the context of a file path and compares it to the default label for that path. The following example demonstrates using matchpathcon
on a directory that contains incorrectly labeled files:
$ /usr/sbin/matchpathcon -V /var/www/html/* /var/www/html/index.html has context unconfined_u:object_r:user_home_t:s0, should be system_u:object_r:httpd_sys_content_t:s0 /var/www/html/page1.html has context unconfined_u:object_r:user_home_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
index.html
and page1.html
files are labeled with the user_home_t
type. This type is used for files in user home directories. Using the mv
command to move files from your home directory may result in files being labeled with the user_home_t
type. This type should not exist outside of home directories. Use the restorecon
command to restore such files to their correct type:
# /sbin/restorecon -v /var/www/html/index.html restorecon reset /var/www/html/index.html context unconfined_u:object_r:user_home_t:s0->system_u:object_r:httpd_sys_content_t:s0
-R
option:
# /sbin/restorecon -R -v /var/www/html/ restorecon reset /var/www/html/page1.html context unconfined_u:object_r:samba_share_t:s0->system_u:object_r:httpd_sys_content_t:s0 restorecon reset /var/www/html/index.html context unconfined_u:object_r:samba_share_t:s0->system_u:object_r:httpd_sys_content_t:s0
matchpathcon
.
[14]
Files in /etc/selinux/targeted/contexts/files/
define contexts for files and directories. Files in this directory are read by restorecon
and setfiles
to restore files and directories to their default contexts.