Hi,
On an internal webserver (latest C6) I want smb-access to /var/www/html/
In April I did

    chcon -R -t public_content_rw_t /var/www/html/
    setsebool -P allow_smbd_anon_write 1
    setsebool -P allow_httpd_anon_write 1
    echo "/var/www/html/ -- unconfined_u:object_r:public_content_rw_t:s0" >> /etc/selinux/targeted/contexts/files/file_contexts

After the latest round of updates (including selinux-policy.noarch 0:3.7.19-260.el6_6.1 and selinux-policy-targeted.noarch 0:3.7.19-260.el6_6.1) samba-access to /var/www/html was denied. Applying the commands above re-enabled samba-access.
Anyone know how I can configure selinux to remember this after an update to the policies?
Thanks
Patrick

On Wed, Dec 17, 2014 at 11:07:06AM +0100, Patrick Bervoets wrote:
> echo "/var/www/html/ -- unconfined_u:object_r:public_content_rw_t:s0" >> /etc/selinux/targeted/contexts/files/file_contexts

Next time try putting the local policy into:

    /etc/selinux/targeted/contexts/files/file_contexts.local

... which isn't overwritten by package updates. This is what would have happened if you had used the 'semanage fcontext' command.

On 17-12-14 at 14:56, Jonathan Billings wrote:
> On Wed, Dec 17, 2014 at 11:07:06AM +0100, Patrick Bervoets wrote:
>> echo "/var/www/html/ -- unconfined_u:object_r:public_content_rw_t:s0" >> /etc/selinux/targeted/contexts/files/file_contexts
>
> Next time try putting the local policy into:
>
>     /etc/selinux/targeted/contexts/files/file_contexts.local
>
> ... which isn't overwritten by package updates. This is what would have happened if you had used the 'semanage fcontext' command.

Thank you, it even makes sense :-) Troubleshooting selinux is still on my skills-wishlist.
On 12/17/2014 05:07 AM, Patrick Bervoets wrote:
> Hi,
> On an internal webserver (latest C6) I want smb-access to /var/www/html/
> In April I did
>
>     chcon -R -t public_content_rw_t /var/www/html/
>     setsebool -P allow_smbd_anon_write 1
>     setsebool -P allow_httpd_anon_write 1
>     echo "/var/www/html/ -- unconfined_u:object_r:public_content_rw_t:s0" >> /etc/selinux/targeted/contexts/files/file_contexts

This is incorrect.

    # semanage fcontext -a -t public_content_rw_t '/var/www/html(/.*)?'
    # restorecon -R -v /var/www/html

Should change the label and it should survive relabel.

> After the latest round of updates (including selinux-policy.noarch 0:3.7.19-260.el6_6.1 and selinux-policy-targeted.noarch 0:3.7.19-260.el6_6.1) samba-access to /var/www/html was denied.
> Applying the commands above re-enabled samba-access.
> Anyone know how I can configure selinux to remember this after an update to the policies?
> Thanks
> Patrick
> _______________________________________________
> CentOS mailing list
> CentOS@centos.org
> http://lists.centos.org/mailman/listinfo/centos

On 17-12-14 at 15:12, Daniel J Walsh wrote:
> On 12/17/2014 05:07 AM, Patrick Bervoets wrote:
>> Hi,
>> On an internal webserver (latest C6) I want smb-access to /var/www/html/
>> In April I did
>>
>>     chcon -R -t public_content_rw_t /var/www/html/
>>     setsebool -P allow_smbd_anon_write 1
>>     setsebool -P allow_httpd_anon_write 1
>>     echo "/var/www/html/ -- unconfined_u:object_r:public_content_rw_t:s0" >> /etc/selinux/targeted/contexts/files/file_contexts
>
> This is incorrect.
>
>     # semanage fcontext -a -t public_content_rw_t '/var/www/html(/.*)?'
>     # restorecon -R -v /var/www/html
>
> Should change the label and it should survive relabel.
>
>> After the latest round of updates (including selinux-policy.noarch 0:3.7.19-260.el6_6.1 and selinux-policy-targeted.noarch 0:3.7.19-260.el6_6.1) samba-access to /var/www/html was denied.

Thanks, I know I shouldn't just follow serverfault instructions without complete understanding. One day I'll have to learn to master selinux. (and rtfm)
Patrick
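
Added example (not part of the thread, and not code from any of the posters): a small script around the semanage fcontext / restorecon approach recommended in the replies. File-context specs are regular expressions anchored at both ends, so the script first checks which paths a spec covers, using grep -E as an approximation of SELinux's matcher on constructed sample paths; the function names and the "apply" argument are assumptions of this example.

```shell
#!/bin/bash
# Added example, not from the thread.
# spec_matches approximates SELinux file-context matching: the spec is a
# regex anchored at both ends. SELinux uses PCRE; grep -E is close enough
# for the simple specs discussed here.
spec_matches() {   # usage: spec_matches SPEC PATH
    printf '%s\n' "$2" | grep -Eq "^$1\$"
}

# Print the subset of the given paths that SPEC covers, space-separated.
covered_paths() {  # usage: covered_paths SPEC PATH...
    local spec=$1 p out=""
    shift
    for p in "$@"; do
        if spec_matches "$spec" "$p"; then
            out="$out$p "
        fi
    done
    printf '%s' "${out% }"
}

# Persist the label as a local customization and relabel. Needs root and
# policycoreutils; runs only when the script is called with "apply".
apply_persistent_label() {
    local dir=/var/www/html type=public_content_rw_t
    semanage fcontext -a -t "$type" "${dir}(/.*)?"  # stored as a local rule
    restorecon -R -v "$dir"                         # relabel from policy
    semanage fcontext -l -C                         # list local customizations
    matchpathcon -V "$dir"                          # on-disk label vs. policy
}

# Constructed sample paths.
SAMPLES="/var/www/html /var/www/html/index.html /var/www/html/app/upload.php"

if [ "${1:-}" = "apply" ]; then
    apply_persistent_label
else
    echo "literal '/var/www/html/' covers: [$(covered_paths '/var/www/html/' $SAMPLES)]"
    echo "'/var/www/html(/.*)?' covers: [$(covered_paths '/var/www/html(/.*)?' $SAMPLES)]"
fi
```

Run without arguments it only prints the coverage comparison; the literal trailing-slash entry from the original post covers none of the sample paths, while the (/.*)? form covers the directory and everything below it.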