4

I created a new folder at `/modevasive` to hold my mod_evasive scripts and for the Log Directory. I'm trying to change the context type to `httpd_sys_content_t` so Apache can write to the folder. I did `semanage fcontext -a -t "httpd_sys_content_t" /modevasive` to change the context and then `restorecon -v /modevasive` to enable the change, but `restorecon` didn't do anything. So I used `chcon` to change it manually, did the `restorecon` to see what would happen and it changed it back to `default_t`.

`semanage fcontext -l` gives:

/modevasive/          all files          system_u:object_r:httpd_sys_content_t:s0

And looking at `/etc/selinux/targeted/contexts/files/file_contexts.local` gives

 /modevasive/    system_u:object_r:httpd_sys_content_t:s0

So why does `restorecon` keep setting it back to `default_t`?

Safado
  • FWIW I can't get this to happen; for me it works as expected. What does `matchpathcon /modevasive` say? – user9517 Nov 08 '13 at 20:40
  • /modevasive system_u:object_r:default_t:s0 – Safado Nov 08 '13 at 21:03
  • That explains why it's being reset to default_t by restorecon, hopefully @michaelhampton will cruise by and explain why there is a difference soon. – user9517 Nov 08 '13 at 21:47

1 Answer

5

Well, I reached out to Red Hat support and this was the answer I got.

He had me do the same steps, except that in the first `semanage` command, he had me use "/modevasive(/.*)?" instead of just "/modevasive". I haven't got an explanation why, but that solved the problem for me.

Safado
  • The pattern given is not a directory, but a regex match for a pathname. So `/modevasive` would never match anything. – Michael Hampton Nov 09 '13 at 04:13
  • When you use the restorecon command you need to put a slash and asterisk after the directory name to affect the files within it. I had to do `restorecon -v /mydir` to affect the directory and `restorecon -v /mydir/*` to affect its contents (not sure if that's recursive though). – BuvinJ Jun 03 '16 at 14:58
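
The whole-path regex matching behind this thread, as an added example that is not part of the original posts: a simplified Python model (not libselinux's own code) of how a path is resolved against file-context specs, comparing the `/modevasive/` entry listed in the question with the `/modevasive(/.*)?` entry from the answer. Assumptions: each spec must match the entire pathname, the last matching entry wins, and the sample paths and the `/.*` catch-all entry are constructed.

```python
import re

# Constructed sample specs: (pathname regex, context).
# The catch-all mirrors the default_t fallback reported by matchpathcon on
# the page; the local entries are the two patterns discussed in the thread.
BASE = [("/.*", "system_u:object_r:default_t:s0")]
BROKEN_LOCAL = [("/modevasive/", "system_u:object_r:httpd_sys_content_t:s0")]
FIXED_LOCAL = [("/modevasive(/.*)?", "system_u:object_r:httpd_sys_content_t:s0")]

# Constructed sample paths: the directory itself, the same path with a
# trailing slash, and a file below it.
PATHS = ["/modevasive", "/modevasive/", "/modevasive/logs/dos-10.0.0.5"]


def lookup_context(path, specs):
    """Return the context of the last spec whose regex matches the whole path.

    Assumption (simplified precedence): later entries win, so local entries
    appended after the base policy override it when they match.
    """
    result = None
    for pattern, context in specs:
        # fullmatch: the spec is a regex for the complete pathname,
        # not a directory prefix.
        if re.fullmatch(pattern, path):
            result = context
    return result


def report(specs, paths):
    """Map each path to the type field of its resolved context (or None)."""
    out = {}
    for p in paths:
        ctx = lookup_context(p, specs)
        out[p] = ctx.split(":")[2] if ctx else None
    return out


if __name__ == "__main__":
    for label, local in (("broken", BROKEN_LOCAL), ("fixed", FIXED_LOCAL)):
        print(label, report(BASE + local, PATHS))
```

With the trailing-slash spec, only the literal string `/modevasive/` matches, so the directory and the files under it fall through to the catch-all; on a real system, `matchpathcon /modevasive` is the check that confirms which context a path resolves to before running `restorecon`.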