SELinux: httpd_sys_rw_content_t vs. httpd_sys_content_rw_t

I’ve been spending a few hours making sure my multi-instance Apache servers play nice with SELinux in “Enforcing” mode and accidentally stumbled across something that got me all quizzical.

A quick request on the #selinux-fedora IRC channel on freenode.net clarified the whole thing, but I thought it worth posting so I won’t forget.

You may have realized, if you’ve read any of the other posts in this blog, that I have a multi-instance Apache Server configuration that shares a single GFS2 file system between two OS instances (they’re actually VMs), and that I host a few different WordPress blogs and a Photo Gallery using this configuration. The pictures and source files for the blogs and gallery are mounted at a non-standard location (non-standard in a Fedora/httpd context), and since I recently re-enabled SELinux in my environment and set it to “Enforcing”, I’ve had to make some additions to the file context (fcontext) portions of the SELinux policy to ensure that any “.autorelabel” and # restorecon commands set the WordPress and gallery source files to the correct file context (fcontext).

Basically, I’ve been creating file context regular expressions that align with my web server layout using the # semanage fcontext -a -t <context> “<file path regex>” command. At the time I created the contexts, I never noticed that I was using two different contexts (they both worked, so it wasn’t obvious to me that I’d done this):

httpd_sys_rw_content_t

httpd_sys_content_rw_t

But, when I ran “# restorecon -RFv <path to html root>” from both of my OS instances, I noticed that the two instances were labeling the same (shared) directories with the two different fcontexts. And that made me wonder… What on earth was/is the difference between the two (and, secondarily, why do they both exist)?

To answer the first question first: “What on earth is the difference between the httpd_sys_rw_content_t fcontext and the httpd_sys_content_rw_t fcontext?”

None! Zip! Nada! They’re aliases of each other and have exactly the same meaning. Thus, if you have a directory that you wish to let the httpd (Apache) server write to – for instance an “upload” folder – you can set it to either context and SELinux will let the httpd daemon write to the location, as long as the remaining UNIX permissions are correct.

The second question is harder to answer (or, in other words, I don’t have an authoritative answer to it), but I can speculate that it’s a compatibility “play” to avoid breaking previously set fcontexts (“previously” meaning “fcontexts set by other selinux-policy versions and/or previous versions of the Fedora distribution itself”).
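As an added example (not code from the original post), here is the labeling procedure described above, plus a helper that normalises the two alias names so you can list every writable path regardless of which alias was used when the rule was added. The web roots, subdirectory names and the sample `semanage fcontext -l` listing are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Labels a non-standard web root so
# that restorecon / .autorelabel give read-only content the httpd_sys_content_t
# type and an uploads directory the writable httpd_sys_rw_content_t type.
# /srv/www/blog, /srv/www/gallery and the subdirectory names are assumed
# placeholders. RUN=echo (default) prints the commands; RUN="" executes them
# (root plus the semanage tool are required for that).
RUN="${RUN-echo}"

# Emit (or run) the semanage/restorecon steps for one web root.
label_webroot() {
    root="$1"; uploads="$2"
    $RUN semanage fcontext -a -t httpd_sys_content_t "${root}(/.*)?"
    $RUN semanage fcontext -a -t httpd_sys_rw_content_t "${root}/${uploads}(/.*)?"
    $RUN restorecon -RFv "$root"
}

# httpd_sys_content_rw_t is an alias of httpd_sys_rw_content_t; map it onto the
# canonical name so rules written on different hosts or with older policies
# can be compared.
canon_type() {
    case "$1" in
        httpd_sys_content_rw_t) echo httpd_sys_rw_content_t ;;
        *) echo "$1" ;;
    esac
}

# Read `semanage fcontext -l` output on stdin and print every path regex whose
# type, after alias normalisation, equals the requested one. Either alias may
# be passed as the argument.
paths_with_type() {
    want="$(canon_type "$1")"
    awk -v want="$want" '
        /^\// {
            split($NF, c, ":"); t = c[3]
            if (t == "httpd_sys_content_rw_t") t = "httpd_sys_rw_content_t"
            if (t == want) print $1
        }'
}

# Constructed sample of `semanage fcontext -l` output: the two writable
# directories were added with different aliases, as happened in the post.
SAMPLE_LISTING='/srv/www/blog(/.*)?                     all files   system_u:object_r:httpd_sys_content_t:s0
/srv/www/blog/wp-content/uploads(/.*)?  all files   system_u:object_r:httpd_sys_rw_content_t:s0
/srv/www/gallery(/.*)?                  all files   system_u:object_r:httpd_sys_content_t:s0
/srv/www/gallery/albums(/.*)?           all files   system_u:object_r:httpd_sys_content_rw_t:s0'

label_webroot /srv/www/blog wp-content/uploads
printf '%s\n' "$SAMPLE_LISTING" | paths_with_type httpd_sys_content_rw_t
```

On a real host, pipe the actual `semanage fcontext -l` output into `paths_with_type` instead of the sample listing.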


Trackback URL http://linux.sjolshagen.net/2011/02/08/selinux-the-difference-between-httpd_sys_rw_content_t-and-httpd_sys_content_rw_t/trackback/