Restorecon doesn't relabel /usr/sbin/httpd

Hi. I’m going through this manual: 3.2. Unconfined Processes | SELinux User's and Administrator's Guide | Red Hat Enterprise Linux | 7 | Red Hat Documentation, and something weird has happened. First, /usr/sbin/httpd already had the bin_t type, and second, restorecon -v /usr/sbin/httpd seems to do nothing, even though it’s supposed to change bin_t to httpd_exec_t according to the guide.

  • Unconfined
root@linux:~/# systemctl stop httpd.service 
Failed to add a watch for /run/user/0/systemd/ask-password: Permission denied
root@linux:~/# chcon -t bin_t /usr/sbin/httpd 
root@linux:~/# systemctl start httpd.service 
Failed to add a watch for /run/user/0/systemd/ask-password: Permission denied
root@linux:~/#  ps -eZ | grep httpd
system_u:system_r:unconfined_service_t:s0 1507656 ? 00:00:00 httpd
system_u:system_r:unconfined_service_t:s0 1507676 ? 00:00:00 httpd
system_u:system_r:unconfined_service_t:s0 1507677 ? 00:00:00 httpd
system_u:system_r:unconfined_service_t:s0 1507678 ? 00:00:00 httpd
system_u:system_r:unconfined_service_t:s0 1507711 ? 00:00:00 httpd
root@linux:~/# ls -Z /usr/sbin/httpd 
unconfined_u:object_r:bin_t:s0 /usr/sbin/httpd
  • restorecon
root@linux:~/# systemctl stop httpd.service 
Failed to add a watch for /run/user/0/systemd/ask-password: Permission denied
root@linux:~/# restorecon -vv -F /usr/sbin/httpd 
Relabeled /usr/sbin/httpd from unconfined_u:object_r:bin_t:s0 to system_u:object_r:bin_t:s0
root@linux:~/# ls -Z /usr/sbin/httpd 
system_u:object_r:bin_t:s0 /usr/sbin/httpd
root@linux:~/# systemctl restart httpd.service 
Failed to add a watch for /run/user/0/systemd/ask-password: Permission denied
root@linux:~/#  ps -eZ | grep httpd
system_u:system_r:unconfined_service_t:s0 1533886 ? 00:00:00 httpd
system_u:system_r:unconfined_service_t:s0 1533887 ? 00:00:00 httpd
system_u:system_r:unconfined_service_t:s0 1533888 ? 00:00:00 httpd
system_u:system_r:unconfined_service_t:s0 1533889 ? 00:00:00 httpd
system_u:system_r:unconfined_service_t:s0 1533924 ? 00:00:00 httpd
  • Finally, confined
root@linux:~/# systemctl stop httpd.service 
Failed to add a watch for /run/user/0/systemd/ask-password: Permission denied
root@linux:~/# chcon -t httpd_exec_t /usr/sbin/httpd 
root@linux:~/# ls -Z /usr/sbin/httpd 
system_u:object_r:bin_t:s0 /usr/sbin/httpd
root@linux:~/# systemctl restart httpd.service 
Failed to add a watch for /run/user/0/systemd/ask-password: Permission denied
root@linux:~/#  ps -eZ | grep httpd
system_u:system_r:httpd_t:s0       7870 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0       7871 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0       7872 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0       7873 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0       7904 ?        00:00:00 httpd

I’m baffled a little because I can only change the type manually and ls -Z shows the bin_t type after it has been changed.

Never mind. Turns out /usr/sbin/httpd is just a symlink to /bin/httpd.

root@linux:~/# lsd -Z /usr/sbin/httpd 
system_u:object_r:bin_t:s0  /usr/sbin/httpd ⇒ ../bin/httpd
root@linux:~/# lsd -Z /bin/httpd 
system_u:object_r:httpd_exec_t:s0  /bin/httpd

I still don’t know what’s wrong with restorecon, though.

Finally, I had to apply restorecon to the actual file instead of the symlink.

https://unix.stackexchange.com/questions/303331/how-does-restorecon-handle-links

root@linux:~/# systemctl stop httpd.service 
Failed to add a watch for /run/user/0/systemd/ask-password: Permission denied
root@linux:~/# chcon -t bin_t /bin/httpd
root@linux:~/# ls -Z /bin/httpd 
system_u:object_r:bin_t:s0 /bin/httpd
root@linux:~/# systemctl restart httpd.service 
Failed to add a watch for /run/user/0/systemd/ask-password: Permission denied
root@linux:~/#  ps -eZ | grep httpd
system_u:system_r:unconfined_service_t:s0 32696 ? 00:00:00 httpd
system_u:system_r:unconfined_service_t:s0 32717 ? 00:00:00 httpd
system_u:system_r:unconfined_service_t:s0 32718 ? 00:00:00 httpd
system_u:system_r:unconfined_service_t:s0 32719 ? 00:00:00 httpd
system_u:system_r:unconfined_service_t:s0 32754 ? 00:00:00 httpd
root@linux:~/# systemctl stop httpd.service 
Failed to add a watch for /run/user/0/systemd/ask-password: Permission denied
root@linux:~/# restorecon /bin/ht
htcacheclean  htdbm         htdigest      htpasswd      httpd         httxt2dbm
root@linux:~/# restorecon -vv -F /bin/httpd
Relabeled /usr/bin/httpd from system_u:object_r:bin_t:s0 to system_u:object_r:httpd_exec_t:s0
root@linux:~/# systemctl restart httpd.service 
Failed to add a watch for /run/user/0/systemd/ask-password: Permission denied
root@linux:~/#  ps -eZ | grep httpd
system_u:system_r:httpd_t:s0      34076 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0      34077 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0      34078 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0      34079 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0      34105 ?        00:00:00 httpd
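The check the thread ends up doing by hand, as an added example that is not from the post or from Red Hat's guide: resolve the path first, then compare the label of the file that actually gets executed against what the policy's file contexts say it should be, and only call restorecon on that resolved target. The function names are made up here; readlink -f, stat -c %C, matchpathcon and restorecon are the real tools, and the script assumes an SELinux-enabled host with policycoreutils installed for the check and fix steps.

```shell
#!/bin/sh
# Added example (not from the thread): verify and repair the SELinux label of
# the file that is really executed. restorecon on a symlink only touches the
# link's own inode, which is why relabelling /usr/sbin/httpd did nothing for
# /bin/httpd in the thread.

# Canonical path of the executable, following every symlink
# (assumes GNU or busybox readlink, which support -f).
resolve_target() {
    readlink -f "$1"
}

# Print the actual and the policy-expected context of the resolved target.
# Returns 0 when they match, 1 when they differ, 2 when SELinux tooling
# is not available on this host.
check_exec_label() {
    target=$(resolve_target "$1") || return 2
    command -v matchpathcon >/dev/null 2>&1 || return 2
    actual=$(stat -c %C "$target") || return 2
    expected=$(matchpathcon -n "$target") || return 2
    printf '%s\n  actual:   %s\n  expected: %s\n' "$target" "$actual" "$expected"
    [ "$actual" = "$expected" ]
}

# Relabel the resolved target (never the symlink) from the file-context
# database. -F also resets the user field, e.g. unconfined_u -> system_u,
# which is the only change restorecon made on the symlink in the thread.
fix_exec_label() {
    target=$(resolve_target "$1") || return 2
    restorecon -vvF "$target"
}

# When run directly with a path: report, and relabel only if the label is wrong.
if [ -n "${1:-}" ]; then
    if check_exec_label "$1"; then
        echo "label matches policy, nothing to do"
    else
        fix_exec_label "$1"
    fi
fi
```

After fixing, restart the service and confirm with ps -eZ that the workers now run as httpd_t rather than unconfined_service_t, as the last session in the thread shows.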