SELinux context not changed after semanage fcontext and restorecon

Verify the order in which your SELinux rules will be applied

$> cat /etc/selinux/targeted/contexts/files/file_contexts.local
/var/www/html/mywebsite1/data(/.*)?    system_u:object_r:httpd_sys_content_rw_t:s0
/var/www/html/mywebsite1/security(/.*)?    system_u:object_r:httpd_sys_content_rw_t:s0
/var/www/html/mywebsite1/misc/images(/.*)?    system_u:object_r:httpd_sys_content_rw_t:s0
/var/www/html/mywebsite2/data(/.*)?    system_u:object_r:httpd_sys_content_rw_t:s0
/var/www/html/mywebsite2/security(/.*)?    system_u:object_r:httpd_sys_content_rw_t:s0
/var/www/html/mywebsite2/misc/images(/.*)?    system_u:object_r:httpd_sys_content_rw_t:s0
mywebsite2/misc/css/apei59.css    system_u:object_r:httpd_sys_content_t:s0
/var/www/html/mywebsite2/custom(/.*)?    system_u:object_r:httpd_sys_content_rw_t:s0
/var/www/html/mywebsite2(/.*)?    system_u:object_r:httpd_sys_content_t:s0

The file lists the rules in the order they were added with semanage fcontext, and that is the order followed when the contexts are applied with the restorecon (restore context) command: when several rules match a path, the last matching rule wins.

I have one website behind an Apache web server. Apache needs read access to most of the files, but also write access to a data directory where it writes data or uploaded files. To grant write access you need to apply the httpd_sys_content_rw_t context (or httpd_sys_rw_content_t, depending on the distro).

In the output above there are two problems with the rules for the folder mywebsite2:

  • first, the httpd_sys_content_rw_t rules come before the last rule, so the httpd_sys_content_t context of that last rule is applied after them and overrides them for everything under mywebsite2
  • secondly, the last rule is not needed: the Linux directory /var/www/html already carries the SELinux context httpd_sys_content_t, and, as you know, data created inside a directory inherits its SELinux context from the parent directory

To correct the rules, simply remove the last one. Then reapply the rules to fix the SELinux contexts already set on the mywebsite2 directory:

$> semanage fcontext -d "/var/www/html/mywebsite2(/.*)?"
$> restorecon -R -v /var/www/html/mywebsite2
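To spot this kind of shadowing before running restorecon, here is an added Python example (not from the original post) that models the last-matching-rule-wins lookup over a constructed copy of the listing above, reports rules that a later rule overrides, and emulates the semanage fcontext -d fix; the path /var/www/html/mywebsite2/data/upload.bin is an assumed sample.

```python
import re

# Constructed subset of the file_contexts.local listing above, in file order.
FILE_CONTEXTS_LOCAL = """\
/var/www/html/mywebsite1/data(/.*)?    system_u:object_r:httpd_sys_content_rw_t:s0
/var/www/html/mywebsite2/data(/.*)?    system_u:object_r:httpd_sys_content_rw_t:s0
/var/www/html/mywebsite2/custom(/.*)?    system_u:object_r:httpd_sys_content_rw_t:s0
/var/www/html/mywebsite2(/.*)?    system_u:object_r:httpd_sys_content_t:s0
"""

def parse_rules(text):
    """Return [(pattern, regex, context)] in file order; patterns are anchored as ^pattern$."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # An optional file-type field (e.g. "-d") may sit between the two columns.
        pattern, context = fields[0], fields[-1]
        rules.append((pattern, re.compile("^" + pattern + "$"), context))
    return rules

def match_path(rules, path):
    """Emulate the lookup restorecon performs: the LAST matching rule wins."""
    winner = None
    for _pattern, regex, context in rules:
        if regex.match(path):
            winner = context
    return winner

def delete_rule(rules, pattern):
    """Emulate `semanage fcontext -d "<pattern>"`: drop that exact entry."""
    return [r for r in rules if r[0] != pattern]

def shadowed_rules(rules):
    """Report rules whose base directory a LATER rule relabels to a different type."""
    findings = []
    for i, (pattern, _regex, context) in enumerate(rules):
        base = pattern.split("(")[0]          # "/a/b(/.*)?" -> "/a/b"
        effective = match_path(rules[i + 1:], base)
        if effective is not None and effective != context:
            findings.append((base, context, effective))
    return findings

RULES = parse_rules(FILE_CONTEXTS_LOCAL)

if __name__ == "__main__":
    for base, wanted, got in shadowed_rules(RULES):
        print(f"SHADOWED {base}: wanted {wanted}, restorecon applies {got}")
    fixed = delete_rule(RULES, "/var/www/html/mywebsite2(/.*)?")
    print(match_path(fixed, "/var/www/html/mywebsite2/data/upload.bin"))
```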

Which SELinux context is applied when my Apache web server creates new files or directories in a directory that has a SELinux context?

New files and directories created by Apache take the SELinux context of their parent directory. In the case of Apache that will be httpd_sys_rw_content_t (or httpd_sys_content_rw_t, depending on the Linux distro), because Apache can only write data there if the parent directory is writable under SELinux.

restorecon -R reapplies the SELinux rules to all directories and files

When you add new files or directories manually, via Apache or via another process, they inherit the SELinux context of their parent directory. Thus you need not reapply the SELinux rules.

$> ls /var/www/html/mywebsite/data/
testfile1
$> semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/mywebsite/data(/.*)?"
$> restorecon -R -v /var/www/html/mywebsite
restorecon reset /var/www/html/mywebsite/data/mynewtestfile context unconfined_u:object_r:httpd_sys_content_t:s0->unconfined_u:object_r:httpd_sys_rw_content_t:s0
$> restorecon -R -v /var/www/html/mywebsite
$>
$> touch /var/www/html/mywebsite/data/mynewtestfile
$> restorecon -R -v /var/www/html/mywebsite
$>

On line 3 (semanage fcontext -a) we define a SELinux context rule.

On line 4 (the first restorecon) we apply the existing SELinux context rules, which now include the rule from line 3, and get the output shown on line 5: it tells us that a file had its context changed when the rules were applied.

On line 6 we reapply the rules and get no output, because no file has its context changed when the rules are reapplied.

On line 8 (touch) we create a new file manually; it is created with the SELinux context of its parent directory, here data.

When we reapply the rules on line 9, there is no change: mynewtestfile already has the correct context, inherited from its parent directory data.

Could not get direct transaction lock at /etc/selinux/targeted/modules/semanage.trans.LOCK. (Resource temporarily unavailable)

This error happens if two or more semanage fcontext commands run at the same time on the same server (from different root sessions, for example).

The error aborts the semanage action; you will have to run it again once no other semanage fcontext command is executing.

(13)Permission denied: AH02201: Init: Can’t open server certificate file /etc/certs/mycompany.com.crt

When you copied your certificate, a wrong SELinux context was set on it. Just reset it:

restorecon -RvF /etc/certs/