On Monday 09 January 2012 11:45:26 Daniel J Walsh wrote:
> SELinux has no idea what the labels are in /tmp, so restorecon will not change the labels. It would be best to just remove the content from /tmp and allow new content to be created. If you want the content to be accessible from apache, you could change it to httpd_tmp_t
> chcon -t httpd_tmp_t /tmp/PATH
But isn't there a policy for default labelling of arbitrary files put in /tmp? I mean, when apache puts a file in /tmp, it should be labelled *somehow*, according to the rules for apache and/or the /tmp directory, right? This should happen in both enforcing and permissive modes.
So is the default type label for such a case file_t? If it is, it's a bug, since SELinux would deny subsequent access to that file, per policy, right?
If I understood the OP correctly, he enabled SELinux (into permissive mode), relabeled the whole filesystem, rebooted several times, and after all that apache creates a file in /tmp with a label file_t. AFAIK, this should *never* happen, with the default policy.
Or am I missing something?
The only way I can understand how this can happen is to conjecture that the OP has turned on SELinux and --- *before* proper relabelling of the filesystem --- customized the policy (using audit2allow) to allow apache to read/write files of type file_t (this was neither confirmed nor denied by the OP). Since this is inconsistent with other rules in the policy, my suggestion was to "reset" the policy to CentOS default and relabel everything again before making any further customizations. However, I don't know how to actually do the "reset the policy" step, since I never needed it. :-)
Is there an alternative explanation to the whole mess?
Best, :-) Marko
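Two offline checks for the situation discussed in this thread, added here as an example and not taken from the list posts: spotting files in a listing that still carry file_t (which should not exist after a full relabel), and spotting audit2allow-generated rules that grant a domain access to file_t, the policy customization Marko conjectures. The `ls -Z` lines and the policy module text are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the thread): two offline checks for the case Marko
# describes. Inputs below are constructed; on a real host you would feed the
# output of `ls -Z /tmp` and the .te files that audit2allow produced.

# Constructed `ls -Z` output. The security context is the field of the form
# user:role:type:level; the file name is the last field.
SAMPLE_LS_Z='system_u:object_r:tmp_t:s0 sess_ab12
system_u:object_r:file_t:s0 php_upload_1
system_u:object_r:httpd_tmp_t:s0 php_upload_2
unconfined_u:object_r:file_t:s0 scratch.dat'

# Constructed audit2allow-style module. The rule on file_t is the red flag.
SAMPLE_TE='module myhttpd 1.0;
require {
    type httpd_t;
    type file_t;
    type tmp_t;
    class file { read write open };
}
allow httpd_t file_t:file { read write open };
allow httpd_t tmp_t:file { read write open };'

# Print names of files whose type is file_t or unlabeled_t: these never got a
# proper label and need restorecon or recreation, not a policy change.
find_unlabeled() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) if ($i ~ /^[a-z_]+:object_r:[a-z_]+:/) {
            split($i, ctx, ":")
            if (ctx[3] == "file_t" || ctx[3] == "unlabeled_t") print $NF
        }
    }'
}

# Print allow rules whose target type is file_t. Such rules are the typical
# leftover of running audit2allow before the filesystem was relabelled.
find_file_t_rules() {
    printf '%s\n' "$1" | grep -E '^[[:space:]]*allow[[:space:]]+[a-z_]+[[:space:]]+file_t:'
}

main() {
    echo "Files in sample listing without a proper label:"
    find_unlabeled "$SAMPLE_LS_Z"
    echo "Rules in sample module that paper over the mislabelling:"
    find_file_t_rules "$SAMPLE_TE"
}
main
```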