On Monday 09 January 2012 12:06:04 Bennett Haselton wrote:
On 1/9/2012 3:41 AM, Tony Molloy wrote:
First I'm no SELinux expert ;-( but I've been following this thread with interest. It appears to be going around in circles.
The only time I've come across a file_t type is when I have something on a machine that SELinux doesn't know about. That is, SELinux has no policy for it. An example would be if I create a new top level directory when I install a machine. SELinux knows nothing about that directory name and has no preset type for it, so it gets a label of file_t or default_t. Doing a relabel in that case will have no effect on the file label as SELinux still doesn't have a policy for it.
So the question is how did your file get the file_t type in the first place. You say it is generated from a cgi script run from apache.
So is this the default apache which comes with CentOS?
What is the context of the apache executable? It should be:
-rwxr-xr-x root root system_u:object_r:httpd_exec_t /usr/sbin/httpd
Yes that's what I've got.
Ok so apache is correctly labelled.
Where in the filesystem is the cgi script located? How did it get there?
What is the context of the cgi script?
What is the context of the directory the cgi script is in?
[root@g6950-21025 ~]# ls -lZ /var/www/cgi-bin/capture.cgi
-rwxr-xr-x root root system_u:object_r:httpd_sys_script_exec_t /var/www/cgi-bin/capture.cgi
[root@g6950-21025 ~]# ls -ldZ /var/www/cgi-bin/
drwxr-xr-x root root system_u:object_r:httpd_sys_script_exec_t /var/www/cgi-bin/
The script got there because I uploaded it there.
The reason I asked that was because how the script got there can determine its context.
For instance:
cp: gives it the correct context of the directory it was copied into
mv: does not, it preserves the original context
But the above context(s) look ok
What is the context of /tmp? It should be:
drwxrwxrwt root root system_u:object_r:tmp_t /tmp
Yep.
[root@g6950-21025 ~]# ls -ldZ /tmp
drwxrwxrwt root root system_u:object_r:tmp_t /tmp
Ok that's fine.
Regards
Tony
Now try a little experiment:
# touch /tmp/x.x
# ls -alZ /tmp/x.x
should have the following context
-rw-r--r-- root root root:object_r:tmp_t x.x
You can also try copying and moving a file to /tmp and check the context after each to see the difference.
Then delete the file created by your script from /tmp and run your cgi script by hand.
What is the context of the file now created?
Regards, Tony
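As an added example (not part of the thread above), a small POSIX shell script that runs the touch/cp/mv experiment Tony describes when SELinux is enabled, and pulls the type field out of `ls -Z` output so the results can be compared. The helper names, the /var/tmp source file and the list of "no policy matched" types are assumptions made here.

```shell
# Extract the SELinux type (third field of user:role:type[:level]) from one
# line of `ls -Z` output, e.g. "-rw-r--r-- root root root:object_r:tmp_t x.x".
# Works for both the old 3-field and the newer 4-field (MLS) context formats.
ctx_type() {
    for field in $1; do
        case "$field" in
            *:object_r:*)
                printf '%s\n' "$field" | cut -d: -f3
                return 0 ;;
        esac
    done
    return 1   # no file context on this line
}

# Types SELinux hands out when no policy rule matches the path (assumed list).
is_unlabeled_type() {
    case "$1" in
        file_t|default_t|unlabeled_t) return 0 ;;
        *) return 1 ;;
    esac
}

# Live experiment from the thread: a file created in /tmp, one copied in,
# and one moved in. Skips cleanly on a host without SELinux.
run_experiment() {
    if ! command -v selinuxenabled >/dev/null 2>&1 || ! selinuxenabled; then
        echo "SELinux is not enabled here; skipping live experiment" >&2
        return 0
    fi
    src=$(mktemp /var/tmp/src.XXXXXX)   # source file labelled for /var/tmp
    touch /tmp/x.x                      # created in place: expect tmp_t
    cp "$src" /tmp/copied.x             # cp: takes the label of /tmp
    mv "$src" /tmp/moved.x              # mv: keeps the source's label
    for f in /tmp/x.x /tmp/copied.x /tmp/moved.x; do
        t=$(ctx_type "$(ls -dZ "$f")")
        printf '%-16s %s\n' "$f" "$t"
        if is_unlabeled_type "$t"; then
            echo "  -> no policy matched $f; compare with: matchpathcon $f" >&2
        fi
    done
    rm -f /tmp/x.x /tmp/copied.x /tmp/moved.x
}
```

Run `run_experiment` as root on the affected box, then repeat the `ctx_type "$(ls -Z FILE)"` check on the file your cgi script writes.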