Description of problem:
This man page states that you should do this:

If you want to make this permanant, i.e. survive a relabel, you must add an entry to the file_contexts.local file.

/etc/selinux/POLICYTYPE/contexts/files/file_contexts.local
/var/ftp(/.*)? system_u:object_r:public_content_t /var/ftp/incom- ing(/.*)? system_u:object_r:public_content_rw_t

There are two problems here.

1. This shows one line to put into file_contexts.local. This will result in an error, since it actually is two lines. Suggested Action: add a newline between ...:public_content_t /var/ft...

2. On RHEL5 this does not actually do what you want, since the now first line already exists and conflicts with an existing policy. Suggested action: rewrite the man page to reflect this. Something like: add only the last line if your default policy includes a preset context for /var/ftp(/.*)? already.
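The two problems in the report above can be caught before a relabel with a small check. This is an added example, not part of the bug report or of selinux-policy; the function names and the BASE sample are constructed, and a conflict is assumed to mean an identical path regex and file type already present in the base file_contexts.

```python
import re

# Optional file-type selectors that may sit between the regex and the context.
FILE_TYPES = {"--", "-b", "-c", "-d", "-p", "-l", "-s"}
# user:role:type with an optional MLS range, or the literal <<none>>.
CONTEXT_RE = re.compile(r"^(<<none>>|[\w.]+:[\w.]+:[\w.]+(:\S+)?)$")

def parse_entry(line):
    """Split one entry into (path_regex, file_type, context) or raise ValueError."""
    fields = line.split()
    if len(fields) == 2:
        path, ftype, context = fields[0], None, fields[1]
    elif len(fields) == 3 and fields[1] in FILE_TYPES:
        path, ftype, context = fields
    else:
        raise ValueError("expected 'regex [type] context', got %d fields" % len(fields))
    if not CONTEXT_RE.match(context):
        raise ValueError("malformed context: %r" % context)
    re.compile(path)  # the path is a regular expression; re.error if broken
    return path, ftype, context

def entries(text):
    """Yield (line_number, line) for lines that are neither blank nor comments."""
    for number, line in enumerate(text.splitlines(), 1):
        if line.strip() and not line.lstrip().startswith("#"):
            yield number, line

def lint(local_text, base_text):
    """Report syntax errors and specs that the base policy already defines."""
    base = {}
    for _, line in entries(base_text):
        path, ftype, context = parse_entry(line)
        base[(path, ftype)] = context
    problems = []
    for number, line in entries(local_text):
        try:
            path, ftype, _ = parse_entry(line)
        except (ValueError, re.error) as exc:
            problems.append((number, "syntax", str(exc)))
            continue
        if (path, ftype) in base:
            problems.append((number, "conflict", base[(path, ftype)]))
    return problems

# Constructed sample data: a one-line stand-in for the shipped file_contexts.
BASE = "/var/ftp(/.*)? system_u:object_r:public_content_t:s0\n"
FTP = "/var/ftp(/.*)? system_u:object_r:public_content_t"
INCOMING = "/var/ftp/incoming(/.*)? system_u:object_r:public_content_rw_t"
MERGED = FTP + " " + INCOMING + "\n"      # both entries on one line
SPLIT = FTP + "\n" + INCOMING + "\n"      # newline added between them
LAST_ONLY = INCOMING + "\n"               # only the entry the base lacks
```

lint(MERGED, BASE) reports a syntax problem, lint(SPLIT, BASE) reports a conflict on line 1, and lint(LAST_ONLY, BASE) reports nothing.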
Fixed in selinux-policy-2.4.6-164.el5
Today I found out that you should indeed not edit /etc/selinux/POLICYTYPE/contexts/files/file_contexts.local manually, since it is managed dynamically by libsemanage. Instead I should use:

    semanage fcontext -a -t public_content_rw_t "/var/ftp/incoming(/.*)?"

If this is already in your fix, please disregard this comment.
That is what the man page says.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-0163.html