selinux versus chcon

devzero2000 pinto.elia at
Mon Sep 19 19:10:10 UTC 2011

Sorry for the top posting. No, chcon is not necessary in your example.
Perhaps the advice message is wrong, or it is something historical.

2011/9/19, Fulko Hew <fulko.hew at>:
> I've reviewing my buildRPM spec file so that it works in newer distributions
> (currently playing with RHEL 5.6), but my question is applicable to
> Fedora xxx as well.
> During the development of my package, I had encountered issues with my
> build and install procedures during the slow migration/acceptance of
> SELinux.
> In my %post part of my spec file I had added both chcon commands and
> semanage commands and restorecon commands.  As time goes by I've
> forgotten why I used chcon versus semanage, and why I needed the
> restorecon command at all.  :-(
> (Today's issue is setroubleshoot browser is recommending I use a chcon
> command to add httpd_sys_content_t to /var/cache/fontconfig/*)
> My spec file currently contains this:
> %{_bindir}/chcon -t httpd_sys_script_exec_t
> /var/www/html/nia/scripts/* 2>/dev/null
> semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/nia/tmp'
> 2>/dev/null
> restorecon -v '/var/www/html/nia/tmp' 2>/dev/null
> >From what I can remember:
> 1/ I added the 'chcon' so that my scripts are executable by apache.
> 2/ I used semanage to make my temp directory writable by my scripts
> 3/ I needed the 'restorecon' to 'make the semanage stuff 'sticky'.
> >From what I've been able to read:
> chcon affects the filesystem, whereas
> semanage affects 'policy' and
> restorecon  is used to 're-affect the filesystem according to policy'
> (set by semanage (and others)).
> Is this a valid interpretation?
> If so... why use chcon versus the semanage/restorecon technique?
> or if my assesement is wrong... can someone point me to a better
> explanation/tutorial?
> Fulko
> --
> devel mailing list
> devel at

Inviato dal mio dispositivo mobile

More information about the Rpm-list mailing list