On Monday 09 January 2012 20:00:29 Marko Vojinovic wrote:
> On Monday 09 January 2012 11:45:26 Daniel J Walsh wrote:
> > SELinux has no idea what the labels are in /tmp, so restorecon will not change the labels. It would be best to just remove the content from /tmp and allow new content to be created. If you want the content to be accessible from apache, you could change it to httpd_tmp_t:
> >
> > chcon -t httpd_tmp_t /tmp/PATH
>
> But isn't there a policy for default labelling of arbitrary files put in /tmp? I mean, when apache puts a file in /tmp, it should be labelled *somehow*, according to the rules for apache and/or the /tmp directory, right? This should happen in both enforcing and permissive modes.
>
> So is the default type label for such a case file_t? If it is, it's a bug, since SELinux would deny subsequent access to that file, per policy, right?
>
> If I understood the OP correctly, he enabled SELinux (into permissive mode), relabeled the whole filesystem, rebooted several times, and after all that apache creates a file in /tmp with a label file_t. AFAIK, this should *never* happen, with the default policy.

Exactly as I thought. If I touch a file or cp a file into /tmp then it's labelled as tmp_t, not file_t. On the other hand, if I mv a file in, it retains its original type. So how could a file created in /tmp get a file_t type?
That's why I asked the OP to delete the file and run the script which creates the file by hand.
Tony
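
A small check for the situation discussed in this thread, as an added example that is not part of the original messages: it reads `CONTEXT PATH` lines, as printed by GNU `stat -c '%C %n'`, and reports entries whose SELinux type is in a suspect list such as `file_t`. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread.
# On a live system the input would come from:  stat -c '%C %n' /tmp/*

# selinux_type CONTEXT -> prints the type, the 3rd colon-separated field of
# user:role:type:level. The level may itself contain colons (s0:c0.c1023),
# so only the third field is taken. A context without colons (for example
# the "?" stat prints when there is no label) yields an empty string.
selinux_type() {
    printf '%s\n' "$1" | cut -s -d: -f3
}

# flag_suspect_types "type1 type2 ..." < listing
# Prints "TYPE PATH" for every entry whose type is in the given list.
flag_suspect_types() {
    suspects=" $1 "
    while read -r ctx path; do
        [ -n "$ctx" ] || continue
        t=$(selinux_type "$ctx")
        case "$suspects" in
            *" $t "*) printf '%s %s\n' "$t" "$path" ;;
        esac
    done
}

# Constructed sample listing (hypothetical paths), covering the cases from
# the thread: created in place, moved in with its old type, and file_t.
sample_listing() {
    cat <<'EOF'
system_u:object_r:tmp_t:s0 /tmp/touched.txt
unconfined_u:object_r:user_home_t:s0 /tmp/moved-from-home.txt
system_u:object_r:file_t:s0 /tmp/php upload.tmp
system_u:object_r:httpd_tmp_t:s0:c0.c1023 /tmp/sess_example
EOF
}

# Report only file_t entries in the sample.
audit_sample() {
    sample_listing | flag_suspect_types "file_t"
}

audit_sample
```

Passing a longer list, for example `flag_suspect_types "file_t user_home_t"`, also surfaces files that were moved into /tmp and kept their original type.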