# semanage fcontext -a -t httpd_sys_script_exec_t '/myweb/cgi(/.*)?'
# restorecon -R -v /myweb/cgi
Semanage is a good tool for this, since it sets up the machine to permanently label these directories with this context. If the machine is later relabeled, this directory will continue to be labeled correctly. system-config-selinux also has a graphical mechanism to do this.
This is preferred over using chcon, since chcon might not survive a relabel.
If you do this labeling and the policy is updated later on with the same or slightly different context, you can have problems. I have also seen packages shipping with semanage commands in their post install to set the file context.
You can end up seeing statements like:
/etc/selinux/targeted/contexts/files/file_contexts: MultipleWhen restorecon, rpm, matchpathcon, setfiles or any other tools that reads the systems file context sees a conflict they put out this message.
different specifications for /var/lib/awstats(/.*)?
different specifications for /usr/share/awstats/wwwroot/cgi-
bin(/.*)? (system_u:object_r:httpd_sys_script_exec_t:s0 and
You can remove the conflict by using semange
# semanage fcontext -d '/var/lib/awstats(/.*)?'
One handy qualifier available at least in semanage on Fedora 9
# semanage fcontext -l -C
This command lists all the local customizations that have been made to your system. This shows that on my system the glpi program must have setup special labeling and I labeled an virtual image in /dev/mapper.
You can see similar functionality in system-config-selinux by selecting the "File Labeling" list item and then clicking on the "Customized" button.