Change selinux context for TLS cacert.pem

selinux

I need to make /etc/pki/CA/certs/cacert.pem have the same context as all the other files in /etc/pki:
system_u:object_r:cert_t:s0

Tried restorecon -vR /etc/pki and semanage fcontext but the file remains in the unconfined_u:object_r:cert_t:s0 context.

Best Answer

Quick fix

Since your other files are fine, select a specific one for this command:

chcon --reference /etc/pki/CA/certs/validcontextcert.pem /etc/pki/CA/certs/cacert.pem

Longer term fix

You can make a context in SELinux for your file so that it is persistent across context restores.

semanage fcontext -a -u system_u -r object_r -t cert_t '/etc/pki/CA/certs/cacert.pem'

This will make a new context definition that is not yet applied so apply it.

restorecon -RvF /etc/pki

Related Solutions

How to Assign SELinux Label to Symlink with Semanage for Persistent Relabel

I figured it out:

semanage has an option -f which allows you to specify a file type as shown in the mode field by ls (d for directories, -- for regular files, l for links). When -f -l is used, the link itself is targeted.

[root@localhost var]# semanage fcontext -f -l -a -t httpd_sys_content_t /var/www
[root@localhost var]# restorecon -Rv .
restorecon reset /var/www context system_u:object_r:var_t:s0->system_u:object_r:httpd_sys_content_t:s0

See the semanage-fcontext man page.

Can’t make SELinux context types permanent with semanage

Well, I reached out to RedHat support and this was the answer I got.

He had me do the same steps, except for in the first semanage command, he has me do "/modevasive(/.*)?" instead of just "/modevasive". I haven't got an explanation why, but that solved the problem for me.