How do I assign an SELinux label to a symlink with semanage so it persists after a relabel?
I figured it out:
semanage has an option -f which allows you to specify a file type as shown in the mode field by ls (d for directories, -- for regular files, l for links).
When -f -l is used, the link itself is targeted.
[root@localhost var]# semanage fcontext -f -l -a -t httpd_sys_content_t /var/www
[root@localhost var]# restorecon -Rv .
restorecon reset /var/www context system_u:object_r:var_t:s0->system_u:object_r:httpd_sys_content_t:s0
See the semanage-fcontext man page.
Related videos on Youtube
08 : 19
05 : 28
04 : 39
04 : 29
02 : 00
TiorMoracus
I have quite a collection of hats, and wear most of them professionally on a daily basis. Software engineer, electrical engineer, systems administrator, graphic designer, scientist, product designer, and more. I work for a think tank / R&D company in Southern California.
Updated on September 17, 2022Comments
-
TiorMoracus almost 2 years
My apache DocumentRoot /var/www is a symbolic link to another path. The target has the appropriate file context label (httpd_sys_content_t) so that apache can read it with SELinux enabled. However, the symbolic link itself is labeled with var_t.
[root@localhost var]# ls -lZ lrwxrwxrwx. root root unconfined_u:object_r:var_t:s0 www -> /srv/wwwI need to relabel the symbolic link with httpd_sys_content_t.
Running chcon with the -h option initially seems to work:
[root@localhost var]# chcon -h -t httpd_sys_content_t /var/www [root@localhost var]# ls -lZ lrwxrwxrwx. root root unconfined_u:object_r:httpd_sys_content_t:s0 www -> /srv/wwwHowever this does not survive a relabel:
[root@localhost var]# restorecon -Rv . restorecon reset /var/www context system_u:object_r:httpd_sys_content_t:s0->syst em_u:object_r:var_t:s0Using semanage does not relabel the link itself; just the target:
[root@localhost var]# semanage fcontext -a -t httpd_sys_content_t /var/www [root@localhost var]# restorecon -Rv . [root@localhost var]# ls -lZ lrwxrwxrwx. root root unconfined_u:object_r:var_t:s0 www -> /srv/wwwsemanage does not have the -h option.
How can I get semanage to set the label of the link itself so it remains as httpd_sys_content_t after a relabel?
-
Admin about 12 yearsWow, I got the Popular Question badge for this one, and no votes?
-
-
user9517 over 8 yearsThis answer correctly uses
-f -las that is the syntax that was in effect when it was written. Later versions of semanage (EL7) use-f l.
