assigned to the file. In the output above, the aliases file has been given the file type etc_aliases_t (which is unique to that file), indicating that the SELinux policy treats that file specially.  

All file types end in _t for easy identification.

Files contained in your home directory are usually given the type user_home_t. The default policy will not permit web pages in ~/public_html to be accessed through the web server, even if the httpd_enable_homedirs boolean is turned on, unless the files being shared have the type httpd_sys_content_t. To change file contexts, use the chcon command:

$ chcon -R -t httpd_sys_content_t ~/public_html

The -R option causes chcon to recursively change the context of directories within ~/public_html, and -t httpd_sys_content_t sets the file type.

The file context types most commonly used with chcon are shown in Table 8-2.

Table 8-2. Common nondefault file context types

| Type | Description | Examples |
|---|---|---|
| httpd_sys_content_t | Files that may be served by httpd | Web pages, graphics, CSS files, client-side ECMAScript/JavaScript |
| httpd_sys_script_exec_t | CGI scripts that may be executed by httpd | Web scripts written in any external scripting language (e.g., scripts written in Perl when you are not using mod_perl) |
| httpd_unconfined_script_exec_t | CGI scripts that will not be constrained by SELinux | Dangerous! But may be required for some complex CGI scripts |
| httpd_sys_script_ro_t | Datafiles that may be read (but not written) by CGI scripts | Static CGI script datafiles |
| httpd_sys_script_ra_t | Datafiles that may be read and appended (but not overwritten or truncated) by CGI scripts | Script logfiles, guestbooks, nonrevisable order queues, survey and quiz records |
| httpd_sys_script_rw_t | Datafiles that may be read/written by CGI scripts | User profiles, session status, and other CGI datafiles |
| samba_share_t | Enables sharing of the file by Samba (not required for home directories) | Group Samba shares |
| public_content_t | Enables sharing of the file (read only) by Samba, httpd, NFS, and rsync | Files shared by multiple servers |
| public_content_rw_t | Enables sharing of the file (read/write) by Samba, httpd, FTP, and rsync | Files shared and updatable through multiple servers |

A file label that has been changed manually may be changed back to the default value during a relabeling (discussed in the next section). 

For example, if you have created the /var/samba directory and are using it for Samba group shares, it will need to be labeled with the type samba_share_t:

# chcon -R -t samba_share_t /var/samba  

To make that the default context label for /var/samba, edit /etc/selinux/targeted/contexts/files/file_contexts.local to contain this line:

/var/samba(/.*)? system_u:object_r:samba_share_t

The first field contains a regular expression specifying that this entry will match /var/samba itself and any filename beneath it. The context label in the second field (which must include the system_u:object_r: portion) configures the default label for files that match the regular expression.
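The following sketch is an added example, not part of the book: it lints an entry in the two-field form shown above and reports which paths its regular expression covers. The function names and sample paths are constructed for illustration, and it assumes only the two-field form and the system_u:object_r: prefix described in the text.

```shell
#!/bin/sh
# Added example (not from the book): lint file_contexts.local entries in the
# two-field form shown above and test which paths an entry covers.

# check_entry LINE: print "ok", or the reason the entry is malformed.
check_entry() {
    set -f; set -- $1; set +f      # split on whitespace, no glob expansion
    if [ "$#" -ne 2 ]; then
        echo "expected: <path-regex> <context>"; return 1
    fi
    case $2 in
        system_u:object_r:?*_t) echo ok ;;
        *) echo "context must be system_u:object_r:<type>_t"; return 1 ;;
    esac
}

# entry_matches REGEX PATH: succeed if REGEX covers the whole of PATH.
# SELinux anchors these expressions at both ends, so ^(...)$ is added here.
entry_matches() {
    printf '%s\n' "$2" | grep -Eq "^($1)\$"
}

# paths_covered LINE PATH...: print the PATHs the entry in LINE would label.
paths_covered() {
    entry=$1; shift
    check_entry "$entry" >/dev/null || return 1
    regex=$(printf '%s\n' "$entry" | awk '{print $1}')
    for p in "$@"; do
        if entry_matches "$regex" "$p"; then echo "$p"; fi
    done
}

# Constructed sample: the entry from the text and a few candidate paths.
ENTRY='/var/samba(/.*)? system_u:object_r:samba_share_t'
paths_covered "$ENTRY" /var/samba /var/samba/group/plan.odt \
    /var/sambafoo /srv/var/samba
```

Only the first two sample paths are printed: because the expression is anchored, a sibling such as /var/sambafoo keeps its own default label and is not swept into the share.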

8.2.1.4. Relabeling the system

Some caution is in order: you may end up with a system where many file labels are wrong if you update your SELinux policy, mount your filesystems without SELinux support enabled (perhaps during rescue mode), or go wild with chcon. To relabel your system, you should create the empty file /.autorelabel and then boot the system:

# touch /.autorelabel

# shutdown -r now
