[CentOS] SELinux and access across 'similar types'

Bennett Haselton

bennett at peacefire.org
Thu Jan 5 21:36:29 UTC 2012


http://wiki.centos.org/HowTos/SELinux
says:
"Access is only allowed between similar types, so Apache running as 
httpd_t can read /var/www/html/index.html of type httpd_sys_content_t."

However, the doc doesn't define what "similar types" means.  I assumed it 
just meant "beginning with the same prefix".  However, that can't be 
right, because on my system with SELinux turned on, httpd runs as type 
init_t:

[root at peacefire04 - /root # ps awuxZ | grep httpd | head -n 3
system_u:system_r:init_t:s0     root      2521  0.1  0.4  21680  8820 ?        Ss   05:05   0:00 /usr/sbin/httpd
system_u:system_r:init_t:s0     apache    2550  0.0  0.4  23364  8920 ?        S    05:05   0:00 /usr/sbin/httpd
system_u:system_r:init_t:s0     apache    2551  0.1  0.4  22736  8212 ?        S    05:05   0:00 /usr/sbin/httpd

and the robots.txt file has type file_t:

[root at peacefire04 - /root # ls -lZ /var/www/html/robots.txt
-rw-rw-rw-  root root system_u:object_r:file_t:s0      /var/www/html/robots.txt

but Apache can of course access that file.  So in Type Enforcement, what 
determines what process type can access what file type?

Bennett
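The question above is what Type Enforcement actually consults when it decides whether a process type may touch a file type. The answer is the set of explicit `allow source_type target_type:class { permissions };` rules loaded in the policy (often written against type attributes that group many types), and the spelling of the type names plays no part. The toy evaluator below is an added example, not code from the post or from the CentOS wiki; it parses a small constructed policy fragment written in the shape of real policy source and answers access queries against it. The policy text, the `TEPolicy` class and the `is_allowed` method are all constructed for illustration and do not reproduce the real targeted policy.

```python
"""Toy model of SELinux Type Enforcement access decisions.

Added example: a minimal evaluator for 'allow' rules written in the
syntax of SELinux policy source.  The policy fragment below is
constructed for illustration and is not the real targeted policy.
"""
import re
from collections import defaultdict

# Constructed mini policy.  Real policy has tens of thousands of rules,
# mostly expressed via attributes such as 'domain' and 'file_type'.
TOY_POLICY = """
attribute domain;
attribute file_type;
attribute httpdcontent;

type httpd_t, domain;
type init_t, domain;
type httpd_sys_content_t, file_type, httpdcontent;
type httpd_log_t, file_type;
type file_t, file_type;
type shadow_t, file_type;

# httpd may read web content and append to (but not read) its logs
allow httpd_t httpdcontent:file { read getattr open ioctl };
allow httpd_t httpdcontent:dir { read getattr open search };
allow httpd_t httpd_log_t:file { append getattr open create };
# every domain may stat every file type
allow domain file_type:file getattr;
"""

# A token is either a single name or a brace-delimited set of names.
TOK = r"(\{[^}]*\}|[^\s{}:;]+)"
ALLOW_RE = re.compile(rf"^allow\s+{TOK}\s+{TOK}\s*:\s*{TOK}\s+{TOK}\s*;$")
TYPE_RE = re.compile(r"^type\s+([^\s,;]+)((?:\s*,\s*[^\s,;]+)*)\s*;$")
ATTR_RE = re.compile(r"^attribute\s+([^\s;]+)\s*;$")


def _expand(tok):
    """Turn 'name' or '{ a b c }' into a set of names."""
    tok = tok.strip()
    if tok.startswith("{"):
        return set(tok.strip("{}").split())
    return {tok}


class TEPolicy:
    """Type Enforcement rules: attributes, types and allow rules."""

    def __init__(self, text):
        self.attrs = defaultdict(set)   # attribute name -> member types
        self.types = set()
        self.rules = []                 # (sources, targets, classes, perms)
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()   # '#' starts a comment
            if not line:
                continue
            if m := ATTR_RE.match(line):
                self.attrs.setdefault(m.group(1), set())
            elif m := TYPE_RE.match(line):
                name = m.group(1)
                self.types.add(name)
                for attr in m.group(2).replace(",", " ").split():
                    self.attrs[attr].add(name)
            elif m := ALLOW_RE.match(line):
                self.rules.append(tuple(_expand(g) for g in m.groups()))
            else:
                raise ValueError(f"unsupported statement: {line}")

    def _resolve(self, names):
        """Expand attribute names into the types that carry them."""
        out = set()
        for n in names:
            out |= self.attrs[n] if n in self.attrs else {n}
        return out

    def is_allowed(self, stype, ttype, cls, perm):
        """Access is granted only if some allow rule covers the tuple."""
        for src, tgt, classes, perms in self.rules:
            if cls not in classes or perm not in perms:
                continue
            targets = self._resolve(tgt)
            if "self" in tgt:          # 'self' means target == source
                targets.add(stype)
            if stype in self._resolve(src) and ttype in targets:
                return True
        return False


def share_prefix(a, b):
    """The 'similar name' heuristic the post guessed at; it is not used
    by the decision logic above and does not predict its answers."""
    return a.split("_")[0] == b.split("_")[0]


if __name__ == "__main__":
    pol = TEPolicy(TOY_POLICY)
    for s, t in [("httpd_t", "httpd_sys_content_t"), ("httpd_t", "httpd_log_t"),
                 ("httpd_t", "file_t"), ("init_t", "httpd_sys_content_t")]:
        print(f"{s:8} read {t:22} prefix-match={share_prefix(s, t)!s:5} "
              f"allowed={pol.is_allowed(s, t, 'file', 'read')}")
```

Two of the queries make the point directly: `httpd_t` reading `httpd_log_t` shares a prefix but is denied because the only rule for that pair grants `append`, not `read`, while `httpd_t` calling `getattr` on `file_t` shares nothing yet is allowed through the `domain`/`file_type` attribute rule. On a real CentOS system the equivalent query against the loaded policy is `sesearch` from the setools package, for example `sesearch --allow -s httpd_t -t httpd_sys_content_t -c file`.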
