On 01/09/2012 03:24 PM, Tony Molloy wrote:
> On Monday 09 January 2012 20:00:29 Marko Vojinovic wrote:
>> On Monday 09 January 2012 11:45:26 Daniel J Walsh wrote:
>>> SELinux has no idea what the labels are in /tmp, so restorecon will not change the labels. It would be best to just remove the content from /tmp and allow new content to be created. If you want the content to be accessible from apache, you could change it to httpd_tmp_t:
>>>
>>> chcon -t httpd_tmp_t /tmp/PATH
>>
>> But isn't there a policy for default labelling of arbitrary files put in /tmp? I mean, when apache puts a file in /tmp, it should be labelled *somehow*, according to the rules for apache and/or the /tmp directory, right? This should happen in both enforcing and permissive modes.
>>
>> So is the default type label for such a case file_t? If it is, it's a bug, since SELinux would deny subsequent access to that file, per policy, right?
>>
>> If I understood the OP correctly, he enabled SELinux (in permissive mode), relabeled the whole filesystem, rebooted several times, and after all that apache creates a file in /tmp with the label file_t. AFAIK, this should *never* happen with the default policy.
>
> Exactly as I thought. If I touch a file or cp a file into /tmp, then it's labelled as tmp_t, not file_t. On the other hand, if I mv a file in, it retains its original type. So how could a file created in /tmp get a file_t type?
>
> That's why I asked the OP to delete the file and run the script which creates the file by hand.
>
> Tony
> _______________________________________________
> CentOS mailing list
> CentOS@centos.org
> http://lists.centos.org/mailman/listinfo/cento

file_t means the file has no label, so the only way to create a file of this type would be to remove the security attributes on the file. On an SELinux system, file_t files should never be created; they are only created on a system with SELinux disabled. I guess you could try to use chcon -t file_t on a file, but I believe the kernel will block that. Or you could attempt to delete the SELinux label, but that might also be denied.
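The thread turns on two checks a practitioner would want to automate: what type a file in /tmp actually carries, and whether it is the type the confined service (here httpd, which wants httpd_tmp_t) can use. The script below is an added example written for this page; it is not code from the thread, from CentOS, or from any SELinux tool. It reads the security.selinux extended attribute directly, so it assumes Linux with Python's os.getxattr, the usual user:role:type[:range] context layout (for example system_u:object_r:httpd_tmp_t:s0), and that a file with no attribute at all is what ls -Z reports as file_t on an SELinux-enabled system (with SELinux disabled the attribute is simply absent, which the script treats the same way). The default expected type httpd_tmp_t and the wording of the verdicts are illustrative choices, not policy facts.

```python
"""Find files under a directory whose SELinux type is not the one a confined
service needs, and say what to do about each.

Added example for this thread; assumes Linux, os.getxattr, and the
user:role:type[:range] context layout.
"""
import errno
import os
from typing import List, Optional, Tuple


def context_type(context: str) -> str:
    """Return the type field of an SELinux context string such as
    'system_u:object_r:httpd_tmp_t:s0' (assumed layout: user:role:type[:range])."""
    parts = context.rstrip("\x00").split(":")
    if len(parts) < 3:
        raise ValueError(f"not an SELinux context: {context!r}")
    return parts[2]


def file_type(path: str) -> Optional[str]:
    """Return the type stored in the security.selinux xattr of path.

    None means the attribute is absent on disk (SELinux disabled when the
    file was written). With SELinux enabled the kernel reports such files as
    file_t instead, so callers must treat both cases alike. Linux only."""
    try:
        raw = os.getxattr(path, "security.selinux", follow_symlinks=False)
    except OSError as exc:
        if exc.errno in (errno.ENODATA, errno.ENOTSUP):
            return None
        raise
    return context_type(raw.decode("ascii", "replace"))


def verdict(type_name: Optional[str], expected: str) -> Optional[str]:
    """Explain why a file of this type would trip the service, or return
    None when the type is already the expected one."""
    if type_name is None or type_name == "file_t":
        # Unlabelled: per the thread, delete it and let the service recreate it.
        return "unlabelled (file_t): delete it and let the service recreate it"
    if type_name != expected:
        # Labelled, but with a type the service cannot use; chcon is the quick fix.
        return f"type {type_name}: fix with chcon -t {expected}"
    return None


def scan(directory: str, expected: str = "httpd_tmp_t") -> List[Tuple[str, str]]:
    """Walk one directory level and collect (path, verdict) for every entry
    whose label is missing or not the expected type."""
    findings = []
    for entry in os.scandir(directory):
        why = verdict(file_type(entry.path), expected)
        if why is not None:
            findings.append((entry.path, why))
    return sorted(findings)


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "/tmp"
    for path, why in scan(target):
        print(f"{path}: {why}")
```

Run it as root (or as the owner of the files) against /tmp after the script that creates the file has been run by hand, as Tony suggests; a result of "type tmp_t" means the file was created by an unconfined process rather than by apache, while "unlabelled (file_t)" means the attribute was never written at all. The script reports and does not modify anything; apply the suggested chcon yourself once you have confirmed which process created the file.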