[CentOS] SELinux and access across 'similar types'

Sat Jan 7 12:16:56 UTC 2012
Marko Vojinovic <vvmarko at gmail.com>

On Friday 06 January 2012 18:27:05 Bennett Haselton wrote:
> On 1/6/2012 6:16 PM, RILINDO FOSTER wrote:
> > On Jan 6, 2012, at 10:35 AM, Bennett Haselton wrote:
> >> I'm pretty sure this machine was never "upgraded to CentOS 5.2", it was
> >> just imaged with 5.7 when the hosting company set it up, but SELinux
> >> *was* off until I turned it on.  So probably the doc should say, if the
> >> "system was *installed* with 5.2, then do this" (and presumably it's 5.2
> >> or later, not just 5.2).
> > 
> > Either that, or the base install was an earlier version of CentOS 5.x, 
> > with SELinux turned off then upgraded to the current version.
> 
> Could be in theory but if the hosting company was provisioning a new
> machine I don't know why they'd set up an earlier version and then
> upgrade, instead of just imaging the latest version at the time.

How about --- the hosting company installs CentOS once (the 5.2 version) as 
their master image, turns off SELinux, and keeps updating the image over time? 
And when a customer asks for a new machine, they just make a copy of the 
current state of the master image? I guess that would be much easier (for 
them), compared to actually installing the latest version of CentOS from 
scratch, for every customer.

Why don't you ask the hosting company exactly what kind of system they 
provided to you? Since SELinux was off by default, it certainly is not just a 
default installation of CentOS 5.7 (nor any other version of CentOS). They 
obviously made some manual after-install customizations before they handed you 
the system.

IMHO, if a hosting company does that sort of thing (especially turning off 
SELinux), I wouldn't touch them with a ten-foot pole. Who knows what else they 
might have customized, in their infinite wisdom... :-)

Care to share the name of that hosting company?

> As for the original question -- when the docs say that access is allowed
> only across "similar types", what determines what counts as "similar
> types"?  How do you know for example that httpd running as type httpd_t
> can access /var/www/html/robots.txt which has type httpd_sys_content_t?

AFAIK, the interactions between various labels (ie. rules "who can access 
what") are determined by the SELinux targeted policy (the selinux-policy-
targeted package). These rules evolve over time (the package sometimes gets 
updated and your filesystem autorelabeled to match), and IIRC they can get 
pretty complicated. You want to look inside that package to find all the rules.

But in usual circumstances you shouldn't need to know any details, just let 
the system label the files as they are supposed to be labeled, and everything 
should Just Work (tm). If you need to customize something, you can use 
semanage and restorecon to override the default policy.

HTH, :-)
Marko