On 1/5/2012 1:36 PM, Bennett Haselton wrote:
http://wiki.centos.org/HowTos/SELinux says: "Access is only allowed between similar types, so Apache running as httpd_t can read /var/www/html/index.html of type httpd_sys_content_t."
However, the doc doesn't define what "similar types" means. I assumed it just meant "beginning with the same prefix". However, that can't be right, because on my system with SELinux turned on, httpd runs as type init_t:
[root@peacefire04 - /root # ps awuxZ | grep httpd | head -n 3
system_u:system_r:init_t:s0     root      2521  0.1  0.4  21680  8820 ?  Ss   05:05   0:00 /usr/sbin/httpd
system_u:system_r:init_t:s0     apache    2550  0.0  0.4  23364  8920 ?  S    05:05   0:00 /usr/sbin/httpd
system_u:system_r:init_t:s0     apache    2551  0.1  0.4  22736  8212 ?  S    05:05   0:00 /usr/sbin/httpd
and the robots.txt file has type file_t:

[root@peacefire04 - /root # ls -lZ /var/www/html/robots.txt
-rw-rw-rw-  root root system_u:object_r:file_t:s0      /var/www/html/robots.txt
but Apache can of course access that file. So in Type Enforcement, what determines what process type can access what file type?
OK, notwithstanding the fact that the filesystem on the above machine needs to be re-labeled and I don't know why that's failing --
I have another CentOS 5.7 machine where I've enabled SELinux (permissive mode) and relabeled the filesystem and it actually worked, so that the above commands are now giving the expected outputs:
[root@g6950-21025 ~]# ps awuxZ | grep httpd | head -n 3
system_u:system_r:init_t        root      2302  0.0  1.0 253056 10576 ?  Ss   00:12   0:00 /usr/sbin/httpd
system_u:system_r:init_t        apache    4201  0.1  2.0 274804 20968 ?  S    01:26   0:02 /usr/sbin/httpd
system_u:system_r:init_t        apache    4392  0.2  1.2 257308 12512 ?  S    01:39   0:01 /usr/sbin/httpd
[root@g6950-21025 ~]# ls -lZ /var/www/html/robots.txt
-rw-rw-rw-  root root system_u:object_r:httpd_sys_content_t /var/www/html/robots.txt
[root@g6950-21025 ~]#
So, same question -- the documentation says "Access is only allowed between similar types", but what does "similar" mean? What determines that the httpd process, running under the "init_t" domain, can access the robots.txt file, which has type "httpd_sys_content_t"?
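A constructed Python model of the Type Enforcement decision the question asks about, added here and not part of the thread or the CentOS wiki: access is a lookup of explicit allow rules on (source type, target type, object class, permission), with no notion of "similar" or same-prefix names, and a process's domain comes from type_transition rules keyed on the executable's label. The POLICY fragment and the te_allowed/domain_after_exec names are my own; on a real box the same question is answered with sesearch.

```python
"""Toy model of how SELinux Type Enforcement decides access.

Added example, not from the CentOS wiki or the mailing-list post. POLICY is
a constructed fragment written in real policy syntax; on a live system the
equivalent query is 'sesearch -A -s <source_type> -t <target_type> -c file'."""
import re
from typing import List, Tuple

# Contexts exactly as printed by 'ps -Z' / 'ls -Z' in the post (CentOS 5 prints no MLS level).
HTTPD_PROCESS = "system_u:system_r:init_t"
ROBOTS_TXT = "system_u:object_r:httpd_sys_content_t"

# Constructed policy fragment; a real targeted policy holds thousands of such rules.
POLICY = """
allow httpd_t httpd_sys_content_t:file { read getattr open };
allow httpd_t httpd_sys_content_t:dir { search getattr };
type_transition init_t httpd_exec_t:process httpd_t;
"""

Rule = Tuple[str, str, str, frozenset]
ALLOW_RE = re.compile(r"allow\s+(\S+)\s+(\S+):(\S+)\s+\{([^}]*)\}\s*;")
TRANS_RE = re.compile(r"type_transition\s+(\S+)\s+(\S+):process\s+(\S+)\s*;")

def type_of(context: str) -> str:
    """Third field of 'user:role:type[:level]'; only the type matters for TE."""
    fields = context.split(":")
    if len(fields) not in (3, 4):
        raise ValueError(f"not a security context: {context!r}")
    return fields[2]

def parse_allow(policy: str) -> List[Rule]:
    return [(s, t, c, frozenset(p.split())) for s, t, c, p in ALLOW_RE.findall(policy)]

def te_allowed(rules: List[Rule], subject: str, obj: str, cls: str, perm: str) -> bool:
    """Deny by default: access exists only if an allow rule names this exact
    (source type, target type, class) and lists the permission. Shared name
    prefixes play no part in the decision."""
    src, tgt = type_of(subject), type_of(obj)
    return any(s == src and t == tgt and c == cls and perm in p for s, t, c, p in rules)

def domain_after_exec(policy: str, parent_type: str, exec_file_type: str) -> str:
    """Domain a process ends up in: the type_transition target when one matches the
    executable's file type, otherwise the parent's domain is simply inherited."""
    for parent, exe, new_domain in TRANS_RE.findall(policy):
        if parent == parent_type and exe == exec_file_type:
            return new_domain
    return parent_type

if __name__ == "__main__":
    rules = parse_allow(POLICY)
    print(te_allowed(rules, "system_u:system_r:httpd_t", ROBOTS_TXT, "file", "read"))  # True
    print(te_allowed(rules, HTTPD_PROCESS, ROBOTS_TXT, "file", "read"))  # False: no rule for init_t here
    print(domain_after_exec(POLICY, "init_t", "httpd_exec_t"))  # httpd_t
    print(domain_after_exec(POLICY, "init_t", "file_t"))  # init_t: mislabeled binary, no transition fires
```

Under this constructed rule set a process left in init_t has no allow rule for httpd_sys_content_t at all, which is why the real check has to be made against the policy actually loaded on the machine rather than inferred from type names.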