Had a strange behavior of SELinux some days ago and started to have a closer look at it today. If I create a new file or directory, it sets the wrong user context.
Had it on two servers I have tested, and then deployed a base install from my template within VMware, where I had the same behavior.
Maybe it is better to provide an example of how to reproduce it.
My System:
CentOS 6.6
# rpm -qa | grep selinux
libselinux-ruby-2.0.94-5.8.el6.x86_64
selinux-policy-3.7.19-260.el6_6.2.noarch
libselinux-2.0.94-5.8.el6.x86_64
selinux-policy-targeted-3.7.19-260.el6_6.2.noarch
libselinux-utils-2.0.94-5.8.el6.x86_64
# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
Go to a directory with a known context set in file_contexts, in my case /var/spool/mail/
Context: /var/spool/mail(/.*)? system_u:object_r:mail_spool_t:s0
Create a file:
# touch newfile
# ls -lZ newfile
-rw-r--r--. root root unconfined_u:object_r:mail_spool_t:s0 newfile
Compare the current context with the default one it should have:
# matchpathcon -V newfile
newfile has context unconfined_u:object_r:mail_spool_t:s0, should be <<none>>
Restore the context of the file:
# restorecon -v newfile
# ls -lZ newfile
-rw-r--r--. root root unconfined_u:object_r:mail_spool_t:s0 newfile
Force the restore of the context:
# restorecon -v -F newfile
restorecon reset /var/spool/mail/newfile context unconfined_u:object_r:mail_spool_t:s0->system_u:object_r:mail_spool_t:s0
# ls -lZ newfile
-rw-r--r--. root root system_u:object_r:mail_spool_t:s0 newfile
Content of "/etc/selinux/targeted/contexts/customizable_types":
sandbox_file_t
svirt_image_t
svirt_sandbox_file_t
virt_content_t
httpd_user_htaccess_t
httpd_user_script_exec_t
httpd_user_content_ra_t
httpd_user_content_rw_t
httpd_user_content_t
git_session_content_t
home_bin_t
If I change the user and type context to something wrong, it restores the type but not the user context (without forcing it):
# chcon -u unconfined_u -t admin_home_t newfile
# restorecon -v newfile
restorecon reset /var/spool/mail/newfile context unconfined_u:object_r:admin_home_t:s0->unconfined_u:object_r:mail_spool_t:s0
Thanks,
Urs
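The behaviour shown in the post (restorecon only reconciles the type field unless -F is given) can be modelled offline, which is handy for auditing which labels a plain restorecon will leave untouched. This is an added example, not from the original post: it assumes the role and level fields are kept from the current context on the non-forced path, which the post does not demonstrate, and the sample contexts are taken from the output above.

```shell
#!/bin/sh
# Added example: model of restorecon behaviour with and without -F.
# Context layout: user:role:type:level (level may itself contain ':').

ctx_field() {
    # $1 = context string, $2 = cut field spec (1 user, 2 role, 3 type, 4- level)
    printf '%s\n' "$1" | cut -d: -f"$2"
}

context_diff() {
    # Prints the names of the fields that differ between $1 and $2
    # (space separated, empty when identical).
    out=""
    i=1
    for name in user role type level; do
        f=$i
        [ "$name" = level ] && f="4-"
        [ "$(ctx_field "$1" "$f")" = "$(ctx_field "$2" "$f")" ] || out="$out $name"
        i=$((i + 1))
    done
    printf '%s\n' "${out# }"
}

predict_restorecon() {
    # $1 = current context, $2 = context from the file_contexts spec,
    # $3 = "force" for restorecon -F, empty otherwise. Prints the resulting context.
    cur=$1; spec=$2; force=$3
    cur_type=$(ctx_field "$cur" 3)
    spec_type=$(ctx_field "$spec" 3)
    if [ "$force" = force ]; then
        printf '%s\n' "$spec"      # -F: the whole spec context is applied
    elif [ "$cur_type" = "$spec_type" ]; then
        printf '%s\n' "$cur"       # only the type is compared, so nothing changes
    else
        # Type differs: reset the type, keep user (assumption: role/level too) from current
        printf '%s:%s:%s:%s\n' "$(ctx_field "$cur" 1)" "$(ctx_field "$cur" 2)" \
            "$spec_type" "$(ctx_field "$cur" 4-)"
    fi
}

# Constructed sample: the newfile case from the post.
cur="unconfined_u:object_r:mail_spool_t:s0"
spec="system_u:object_r:mail_spool_t:s0"
echo "differs in: $(context_diff "$cur" "$spec")"
echo "restorecon    -> $(predict_restorecon "$cur" "$spec" "")"
echo "restorecon -F -> $(predict_restorecon "$cur" "$spec" force)"
```

Fields reported by context_diff other than type are exactly those a non-forced restorecon will not touch.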