Post by esjolund » 2006/02/15 09:00:21

/sbin/restorecon in CentOS might be acting differently from /sbin/restorecon in RHEL. I have no
RHEL installation, so maybe someone who has one could check this.

A message on the fedora-selinux-list indicates this difference. At least it reveals a bug in CentOS 4.2.

Could someone test this on RHEL:

[root@e ~]# cat /etc/redhat-release
CentOS release 4.2 (Final)
[root@e ~]# sestatus -v | grep target
Policy from config file:targeted
[root@e ~]# echo "0 0" > /selinux/booleans/httpd_unified
[root@e ~]# echo "1" > /selinux/commit_pending_bools
[root@e ~]# sestatus -v |grep unif
httpd_unified inactive
[root@e ~]# adduser erik
[root@e ~]# su - erik
[erik@e ~]$ mkdir public_html
[erik@e ~]$ /sbin/restorecon public_html/
[erik@e ~]$ ls -lZd public_html/
drwxrwxr-x erik erik system_u:object_r:httpd_user_content_t public_html/
[erik@e ~]$ cd public_html/
[erik@e public_html]$ touch a.cgi
[erik@e public_html]$ chmod 755 a.cgi
[erik@e public_html]$ ls -lZ a.cgi
-rwxr-xr-x erik erik user_u:object_r:httpd_sys_content_t a.cgi
[erik@e public_html]$ chcon user_u:object_r:httpd_user_script_exec_t a.cgi
[erik@e public_html]$ ls -lZ a.cgi
-rwxr-xr-x erik erik user_u:object_r:httpd_user_script_exec_t a.cgi
[erik@e public_html]$ /sbin/restorecon a.cgi
[erik@e public_html]$ ls -lZ a.cgi
-rwxr-xr-x erik erik system_u:object_r:httpd_user_content_t a.cgi

The interesting result is whether the last "ls -lZ a.cgi" shows that httpd_user_script_exec_t was set back to httpd_user_content_t or not.
Setting it back indicates a bug.

Erik Sjölund

