[CentOS] selinux-policy update resets /etc/selinux/targeted/contexts/files/file_contexts?

Wed Dec 17 13:37:17 UTC 2014
James B. Byrne <byrnejb at harte-lyne.ca>

On Wed, December 17, 2014 05:07, Patrick Bervoets wrote:
> Hi,
>
> On an internal webserver (latest C6) I want smb-access to /var/www/html/
> In April I did
>      chcon -R -t public_content_rw_t /var/www/html/
>      setsebool -P allow_smbd_anon_write 1
>      setsebool -P allow_httpd_anon_write 1
>      echo "/var/www/html/  -- unconfined_u:object_r:public_content_rw_t:s0" >>
> /etc/selinux/targeted/contexts/files/file_contexts
>
> After the latest round of updates (including selinux-policy.noarch
> 0:3.7.19-260.el6_6.1 and selinux-policy-targeted.noarch 0:3.7.19-260.el6_6.1)
> samba-access to /var/www/html was denied.
> Applying the commands above re-enabled samba-access.
>
> Does anyone know how I can configure selinux to remember this after an update
> to the policies?
>
> Thanks
> Patrick
>
yum install policycoreutils-python
man audit2why
man audit2allow
man semodule

If you have setroubleshoot installed then the avc message in /var/log/messages
should tell you to run sealert with the requisite parameters.  Then follow the
instructions.

You will likely find it advisable to post your proposed custom se policy
changes here first and get feedback about anything that is too broadly
permissive.


-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
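
Added example, not part of the original messages: a shell check for whether a file-context rule lives only in the generated file_contexts (rebuilt with the policy, so hand edits are lost) or in file_contexts.local, which `semanage fcontext` from the policycoreutils-python package maintains across updates. The function names are hypothetical, the sample files are constructed, and the path and type are the ones from Patrick's message.

```shell
#!/bin/sh
# Added example, not from the thread. File paths are arguments so the check
# can be run against copies of the real files.

# has_rule SPEC TYPE FILE: succeeds if FILE has a non-comment line whose first
# field is exactly SPEC and whose context (last field) carries type TYPE.
has_rule() {
    [ -f "$3" ] || return 1
    awk -v spec="$1" -v type="$2" '
        /^[ \t]*#/ || NF < 2 { next }
        $1 == spec { if (split($NF, c, ":") >= 3 && c[3] == type) found = 1 }
        END { exit !found }' "$3"
}

# fcontext_status SPEC TYPE GENERATED LOCAL prints where the rule lives:
#   local      file_contexts.local, written by semanage, kept across updates
#   generated  only file_contexts, which is rebuilt with the policy
#   missing    neither file
fcontext_status() {
    if has_rule "$1" "$2" "$4"; then echo local
    elif has_rule "$1" "$2" "$3"; then echo generated
    else echo missing
    fi
}

# persist_commands SPEC TYPE DIR prints the commands that record the rule
# through semanage and then relabel DIR from the stored rule.
persist_commands() {
    printf "semanage fcontext -a -t %s '%s'\n" "$2" "$1"
    printf "restorecon -R -v %s\n" "$3"
}

# Demo on constructed files that stand in for
# /etc/selinux/targeted/contexts/files/file_contexts{,.local}.
d=$(mktemp -d)
printf '%s\n' '/var/www/html/  -- unconfined_u:object_r:public_content_rw_t:s0' \
    > "$d/file_contexts"
: > "$d/file_contexts.local"
spec='/var/www/html(/.*)?'   # directory and everything below it
echo "hand-added rule: $(fcontext_status '/var/www/html/' public_content_rw_t \
    "$d/file_contexts" "$d/file_contexts.local")"
if [ "$(fcontext_status "$spec" public_content_rw_t \
    "$d/file_contexts" "$d/file_contexts.local")" != local ]; then
    persist_commands "$spec" public_content_rw_t /var/www/html
fi
rm -rf "$d"
```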