I am using RHEL 6.3 and I am experiencing strange behavior with the matchpathcon and restorecon SELinux commands. For a specific file, I have defined a context with semanage fcontext. Then matchpathcon tells me that the file should have the context I defined, but restorecon gives the file another context. I can't understand the behavior and I think there is something I am doing wrong.
Here is an example to reproduce this behavior (I am a root user):
$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.3 (Santiago)
$ sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
I want to create a specific init.d script to launch an HTTPD daemon.
$ touch /etc/init.d/my-httpd
$ ls -Z /etc/init.d/my-httpd
-rw-------. root root unconfined_u:object_r:etc_t:s0 /etc/init.d/my-httpd
So I create the context for this file and check that it has been saved.
$ semanage fcontext -a -t httpd_initrc_exec_t /etc/init.d/my-httpd
$ semanage fcontext -C -l
SELinux fcontext type Context
/etc/init.d/my-httpd all files system_u:object_r:httpd_initrc_exec_t:s0
$ matchpathcon -V /etc/init.d/my-httpd
/etc/init.d/my-httpd has context unconfined_u:object_r:etc_t:s0, should be system_u:object_r:httpd_initrc_exec_t:s0
Then I try to restore the context to what matchpathcon told me.
$ restorecon -v /etc/init.d/my-httpd
restorecon reset /etc/rc.d/init.d/my-httpd context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:initrc_exec_t:s0
$ ls -Z /etc/init.d/my-httpd
-rw-------. root root unconfined_u:object_r:initrc_exec_t:s0 /etc/init.d/my-httpd
At this point, I see that the context has not been set as I wanted. I check again with matchpathcon; maybe httpd_initrc_exec_t is an alias of initrc_exec_t.
$ matchpathcon -V /etc/init.d/my-httpd
/etc/init.d/my-httpd has context unconfined_u:object_r:initrc_exec_t:s0, should be system_u:object_r:httpd_initrc_exec_t:s0
$ restorecon -v -F /etc/init.d/my-httpd
restorecon reset /etc/rc.d/init.d/my-httpd context unconfined_u:object_r:initrc_exec_t:s0->system_u:object_r:initrc_exec_t:s0
$ matchpathcon -V /etc/init.d/my-httpd
/etc/init.d/my-httpd has context system_u:object_r:initrc_exec_t:s0, should be system_u:object_r:httpd_initrc_exec_t:s0
Then I try to fix the context manually with chcon, but that is not the way I want to do this. It is just to check the previous alias theory.
$ chcon -t httpd_initrc_exec_t /etc/init.d/my-httpd
$ ls -Z /etc/init.d/my-httpd
-rw-------. root root system_u:object_r:httpd_initrc_exec_t:s0 /etc/init.d/my-httpd
$ matchpathcon -V /etc/init.d/my-httpd
/etc/init.d/my-httpd verified.
$ restorecon -v /etc/init.d/my-httpd
restorecon reset /etc/rc.d/init.d/my-httpd context system_u:object_r:httpd_initrc_exec_t:s0->system_u:object_r:initrc_exec_t:s0
These contexts do not seem to be aliases, but there is still strange behavior with the restorecon command, and I have planned to use its functionality.
Is there another way to define this SELinux context, or have I done something wrong?
Best Answer
Red Hat support told me the right way to operate. The context shall be set for /etc/rc.d/init.d/my-httpd and not for /etc/init.d/my-httpd.
Once the correct context rule is set, restorecon works on the /etc/init.d/my-httpd file.
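The following script is an added example; it is not part of the question or the accepted answer. It shows why the answer works: in the output above, restorecon reports the file as /etc/rc.d/init.d/my-httpd, i.e. it resolves the /etc/init.d symlink before looking up the file_contexts rule, while matchpathcon matches the literal path you pass it. The safe habit is therefore to write the semanage rule against the symlink-resolved path. The helper below resolves that path with GNU readlink -f (assumed available), exercises the idea on a throwaway directory tree that mimics /etc/init.d -> rc.d/init.d (constructed fixture, not the real system), and only runs semanage/restorecon when SELINUX_APPLY=1 is set, so it is harmless to run on a box without SELinux. The assumption that restorecon canonicalizes the path is taken from the restorecon output in the question itself.

```bash
#!/bin/sh
# Added example (not from the question or the answer): label a file by its
# symlink-resolved path, because restorecon canonicalizes the path before
# consulting file_contexts, whereas matchpathcon matches the path as given.
# On RHEL 6, /etc/init.d is a symlink to /etc/rc.d/init.d, so the fcontext
# rule must name /etc/rc.d/init.d/my-httpd (as Red Hat support advised).
# Assumptions: GNU readlink -f; semanage and restorecon only run when
# SELINUX_APPLY=1 is set, otherwise the commands are printed instead.

# Print the fully symlink-resolved path of a file (parent directories too).
canonical_path() {
    readlink -f "$1"
}

# Build a throwaway tree that mimics /etc/init.d -> rc.d/init.d so the helper
# can be tested without touching the real policy. Prints the tree's root.
make_fixture() {
    dir=$(readlink -f "$(mktemp -d)")
    mkdir -p "$dir/rc.d/init.d"
    ln -s rc.d/init.d "$dir/init.d"
    touch "$dir/rc.d/init.d/my-httpd"
    printf '%s\n' "$dir"
}

# Add the fcontext rule for TYPE on the canonical form of PATH, then relabel.
# Usage: label_canonical httpd_initrc_exec_t /etc/init.d/my-httpd
label_canonical() {
    type_=$1
    target=$(canonical_path "$2")
    if [ "${SELINUX_APPLY:-0}" = 1 ]; then
        # Real run: the rule names the resolved path, so restorecon's own
        # resolution of the symlink finds it and matchpathcon agrees once
        # you query the same resolved path.
        semanage fcontext -a -t "$type_" "$target"
        restorecon -v "$target"
    else
        # Dry run: show exactly what would be executed.
        printf 'would run: semanage fcontext -a -t %s %s\n' "$type_" "$target"
        printf 'would run: restorecon -v %s\n' "$target"
    fi
}

# Demonstration on the constructed fixture (dry run unless SELINUX_APPLY=1).
fixture=$(make_fixture)
label_canonical httpd_initrc_exec_t "$fixture/init.d/my-httpd"
rm -rf "$fixture"
```

On the real system this amounts to `semanage fcontext -a -t httpd_initrc_exec_t /etc/rc.d/init.d/my-httpd` followed by `restorecon -v /etc/rc.d/init.d/my-httpd`; after that, `matchpathcon -V /etc/rc.d/init.d/my-httpd` should report the file as verified. Querying matchpathcon with the /etc/init.d/... spelling will still show the generic rule, because matchpathcon does not resolve the symlink, so compare like with like.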