On Sunday 08 January 2012 04:31:05 Bennett Haselton wrote:
[root@g6950-21025 ~]# ls -lZ /tmp/hostname_SKYSLICE.INFO
-rw-r--r-- apache apache system_u:object_r:file_t /tmp/hostname_SKYSLICE.INFO
[root@g6950-21025 ~]# restorecon -v /tmp/hostname_SKYSLICE.INFO
[root@g6950-21025 ~]# ls -lZ /tmp/hostname_SKYSLICE.INFO
-rw-r--r-- apache apache system_u:object_r:file_t /tmp/hostname_SKYSLICE.INFO
[root@g6950-21025 ~]#
Well...
With this output I would say that your policy has been customized to have file_t as the default label for that file. Have you used audit2allow on that machine before the filesystem was properly relabeled?
I am not sure at this point, but I would say that your SELinux policy has been customized into an inconsistent state (since no file should have the type file_t by default, and yet restorecon says that this is the default label for that file). However, I don't know how to reset the customizations once they have been made (except for the brute force method).
I have never had any machine with SELinux in this kind of state, so I am a bit wary of giving you further advice on this matter. Also, you should probably start a new thread about this problem (quoting the above restorecon output and a brief history of the machine), since more eyeballs would be good in this situation.
As for the brute force method, it would go along the lines of:
* disable SELinux
* reboot
* delete all policy files in /etc/selinux/
* reinstall selinux-policy-targeted via yum
* enable SELinux for the next reboot
* prepare the autorelabel
* reboot
The idea is to get you back to the CentOS default for both the policy and the file labels. However, there may be gotchas above or a more elegant way to restore the default policy, so someone else might chime in with better advice (Dan?).
HTH, :-)
Marko
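
An added example, not part of the original message: a small POSIX shell filter that reads `ls -lZ` output in the layout quoted above (mode, user, group, context, path) and lists every path still carrying the file_t type, which helps when collecting evidence for a new thread or checking the result of a relabel. The function names and the sample listing are constructed for illustration; only the first sample entry comes from the post.

```sh
#!/bin/sh
# Extract the type field from an SELinux context such as
# "system_u:object_r:file_t" or "system_u:object_r:file_t:s0".
selinux_type() {
    rest=${1#*:}        # drop the user field
    rest=${rest#*:}     # drop the role field
    printf '%s\n' "${rest%%:*}"   # keep the type, drop any MLS range
}

# Read `ls -lZ` lines on stdin (layout assumed: mode user group context path)
# and print the path of every entry whose type equals $1 (default: file_t).
find_by_type() {
    wanted=${1:-file_t}
    while read -r mode user group context path; do
        # Skip shell prompts, blank lines and anything without a full context.
        case "$context" in
            *:*:*) ;;
            *) continue ;;
        esac
        if [ "$(selinux_type "$context")" = "$wanted" ]; then
            printf '%s\n' "$path"
        fi
    done
}

# Convenience wrapper for the case discussed in this thread.
find_unlabeled() {
    find_by_type file_t
}

# Constructed sample: the first entry is the one from the post, the rest are made up.
sample_listing() {
    cat <<'EOF'
[root@host ~]# ls -lZ /tmp
-rw-r--r-- apache apache system_u:object_r:file_t /tmp/hostname_SKYSLICE.INFO
-rw-r--r-- root root system_u:object_r:tmp_t:s0 /tmp/ok.txt
-rw------- root root system_u:object_r:file_t:s0 /tmp/constructed dir/old.dat
EOF
}

sample_listing | find_unlabeled
```

On a live system the input would come from something like `ls -lZ /tmp | find_unlabeled`; newer coreutils print extra columns in `ls -lZ`, so the field positions would need adjusting there.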