SELinux - first attempt to restrict file by type - fails to fail

Question

I have a Centos 6 Linux box. I read tutorials on SELinux and wanted to try it out. Here are steps I followed,

set SELINUX=enforcing in /etc/selinux/config
turned on SELINUX with setenforce 1
service httpd restart
changed type on a php script file.

from httpd_sys_content_t to something else eg: init_t (maybe this is not suitable type to test with?)

chcon -t init_t /var/www/html/index.php

I hoped to get an error when I browsed to this file with web browser, but alas I was still able to see contents.

What was the SELinux configuration before you changed it to `enforcing`? — dawud, Mar 30 '15 at 13:14
Relabel the whole system (`restorecon -r -v /`), reboot, and try again. — Michael Hampton, Mar 30 '15 at 18:01

score 0 · Answer 1 · answered Mar 31 '15 at 11:45

There is no need to relabel the whole system (this would be done with touch /.autorelabel; reboot instead of restorecon). Relabeling of /var/www/html using restorecon -Fr /var/www/html should be enough, then run your test again, assuming that yo did not change the file context of this directory using semanage.

SELinux - first attempt to restrict file by type - fails to fail

1 Answers1