restorecon does not set fcontexts as before and defined fcontext does not apply to newly created files

seva
Posts: 1
Joined: 2020/05/09 12:58:57


Post by seva » 2020/05/09 14:45:58

Hello everyone,

Sometimes I need to configure fcontexts for *wp-content/cache* as writable by the web server, which should apply to existing files/directories and to those which will be created in the future.
I've configured such a thing a couple of times, with CentOS release 6.9 (Final) and CentOS Linux 7, and there was no problem with it.

But now I am stuck with a situation that has never been an issue before.

# cat /etc/centos-release
CentOS Linux release 7.6.1810 (Core)
# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 31

# semanage fcontext -l | grep ^/storage/wwwroot
/storage/wwwroot all files system_u:object_r:httpd_sys_content_t:s0
/storage/wwwroot(/.*)?/wp-content/cache(/.*)? all files system_u:object_r:httpd_sys_rw_content_t:s0
/storage/wwwroot(/.*)?wp-content/cache all files system_u:object_r:httpd_sys_rw_content_t:s0
and, in addition: semanage fcontext -a -t httpd_sys_content_t '/storage/wwwroot(/.*)?'

At the top level of /storage/wwwroot directory, this configuration works just fine:

wwwroot]# mkdir -p wp-content/cache
wwwroot]# touch wp-content/cache/test.html
wwwroot]# ls -Z wp-content/cache/test.html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_rw_content_t:s0 wp-content/cache/test.html

But if I move on to a deeper level in the directory hierarchy, the fcontext does not apply like before:

wwwroot]# cd test
test]# mkdir -p wp-content/cache
test]# touch wp-content/cache/test.html
test]# ls -Z wp-content/cache/test.html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 wp-content/cache/test.html
wwwroot]# ls -Z test/wp-content/cache/
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 test.html
wwwroot]# restorecon -Rv test/wp-content/cache/test.html
wwwroot]# ls -Z test/wp-content/cache/
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 test.html

Well, I was hoping at least to get something with the restorecon command, but the file and the directory are created with httpd_sys_content_t, not httpd_sys_rw_content_t, and the restorecon command actually does not change that:

wwwroot]# restorecon -Rv test/wp-content/cache/
restorecon reset /storage/wwwroot/test/wp-content/cache context unconfined_u:object_r:httpd_sys_content_t:s0->unconfined_u:object_r:httpd_sys_rw_content_t:s0
wwwroot]# ls -Z test/wp-content/cache/
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 test.html
wwwroot]# restorecon -Rv test/wp-content/cache/test.html
wwwroot]# ls -Z test/wp-content/cache/
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 test.html

Even if I change the fcontext with the chcon command, restorecon restores the httpd_sys_content_t fcontext, not httpd_sys_rw_content_t, as I expected after reading viewtopic.php?t=57148:

wwwroot]# chcon -v -R -t httpd_sys_rw_content_t test/wp-content/cache/
changing security context of ‘test/wp-content/cache/test.html’
changing security context of ‘test/wp-content/cache/’
wwwroot]# ls -Z test/wp-content/cache/test.html
-rw-r--r--. root root system_u:object_r:httpd_sys_rw_content_t:s0 test/wp-content/cache/test.html
wwwroot]# ls -Zd test/wp-content/cache/
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_rw_content_t:s0 test/wp-content/cache/
wwwroot]# restorecon -Rv test/wp-content/cache/
restorecon reset /storage/wwwroot/test/wp-content/cache/test.html context system_u:object_r:httpd_sys_rw_content_t:s0->system_u:object_r:httpd_sys_content_t:s0

So, the question is, what should I do in order to fix this?

TrevorH
Forum Moderator
Posts: 29943
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: restorecon does not set fcontexts as before and defined fcontext does not apply to newly created files

Post by TrevorH » 2020/05/09 16:12:28

CentOS Linux release 7.6.1810 (Core)
You're more than 18 months and two whole point releases out of date. Current is 7.8 and is only a yum update away.

What does matchpathcon /storage/wwwroot/test/wp-content/cache/test.html say?
CentOS 6 will die in November 2020 - migrate sooner rather than later!
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 is dead, do not use it.
Full time Geek, part time moderator. Use the FAQ Luke
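The following is an added example, not code from either post: a small shell model of how restorecon and matchpathcon pick a context for a path from file_contexts entries, run over the four rules seva lists. It assumes that each entry is an anchored extended regular expression over the whole path, that where several entries match the last matching entry in file order wins, and that file_contexts.local keeps entries in the order they were added. The order used for the "as posted" set is itself an assumption (the post does not show the file); it was chosen so that the model reproduces the two restorecon results in the post, the directory going to httpd_sys_rw_content_t and test.html staying httpd_sys_content_t. Two things the model makes visible: the catch-all /storage/wwwroot(/.*)? overlaps the cache rule on every path under the tree, so whichever of the two comes later decides; and fcontext entries are consulted only by restorecon, setfiles and matchpathcon, while a file created with touch or mkdir takes its parent directory's type unless policy has a type_transition for it, which is why a new file never shows the rule's type until restorecon runs on it. The authoritative check on the real box is the one TrevorH asks for, matchpathcon, or restorecon -nv.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): a model of file_contexts resolution
# run over the four rules from the post. Model assumptions:
#   - each entry is an anchored extended regex over the full path;
#   - when several entries match, the LAST matching one in file order wins;
#   - file_contexts.local keeps entries in the order they were added; the
#     order below is an assumption, the post does not show the file.
# On a real system use:  matchpathcon PATH   or   restorecon -nv PATH

# Constructed file_contexts.local content, one "regex context" per line.
SPECS_AS_POSTED='/storage/wwwroot system_u:object_r:httpd_sys_content_t:s0
/storage/wwwroot(/.*)?/wp-content/cache(/.*)? system_u:object_r:httpd_sys_rw_content_t:s0
/storage/wwwroot(/.*)? system_u:object_r:httpd_sys_content_t:s0
/storage/wwwroot(/.*)?wp-content/cache system_u:object_r:httpd_sys_rw_content_t:s0'

# The same rules with the catch-all placed BEFORE the cache rule, so the more
# specific entry is the last match. The second cache entry (no trailing
# (/.*)?) is dropped: the first one already matches the directory itself.
SPECS_REORDERED='/storage/wwwroot system_u:object_r:httpd_sys_content_t:s0
/storage/wwwroot(/.*)? system_u:object_r:httpd_sys_content_t:s0
/storage/wwwroot(/.*)?/wp-content/cache(/.*)? system_u:object_r:httpd_sys_rw_content_t:s0'

# fc_matches SPECS PATH: print every entry whose regex matches PATH, in file
# order, as "<line> <regex> <type>", so overlapping rules become visible.
fc_matches() {
    specs=$1
    path=$2
    n=0
    printf '%s\n' "$specs" | while read -r regex ctx; do
        n=$((n + 1))
        # file_contexts regexes are implicitly anchored at both ends
        if printf '%s\n' "$path" | grep -Eq "^${regex}"'$'; then
            type=${ctx#*:object_r:}
            type=${type%%:*}
            printf '%s %s %s\n' "$n" "$regex" "$type"
        fi
    done
}

# fc_lookup SPECS PATH: the type restorecon would apply under the model
# (the last matching entry), or <<none>> when no entry matches.
fc_lookup() {
    last=$(fc_matches "$1" "$2" | tail -n 1)
    if [ -n "$last" ]; then
        printf '%s\n' "${last##* }"
    else
        printf '<<none>>\n'
    fi
}

# Walk the paths from the post (plus one ordinary file) through both orders.
for p in /storage/wwwroot/test/wp-content/cache \
         /storage/wwwroot/test/wp-content/cache/test.html \
         /storage/wwwroot/wp-content/cache/test.html \
         /storage/wwwroot/test/index.html; do
    printf '%s\n' "$p"
    fc_matches "$SPECS_AS_POSTED" "$p" | sed 's/^/    matches as posted: /'
    printf '    winner as posted:  %s\n' "$(fc_lookup "$SPECS_AS_POSTED" "$p")"
    printf '    winner reordered:  %s\n' "$(fc_lookup "$SPECS_REORDERED" "$p")"
done
```

For the as-posted set the directory is matched by three entries and test.html by two, and on the file the catch-all is the later match, which is the same split restorecon showed in the post (directory reset to httpd_sys_rw_content_t, file left at httpd_sys_content_t). The top-level file in the post shows httpd_sys_rw_content_t with user unconfined_u, which is the label it received at creation, not a restorecon result, so the model says nothing about it. If matchpathcon on the real box agrees with the model, the remedy under these assumptions is to make the specific rule the later one: semanage fcontext -d the cache rule, -a it again after the catch-all, then restorecon -Rv the tree.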
