On Friday 06 January 2012 18:27:05 Bennett Haselton wrote:
On 1/6/2012 6:16 PM, RILINDO FOSTER wrote:
On Jan 6, 2012, at 10:35 AM, Bennett Haselton wrote:
I'm pretty sure this machine was never "upgraded to CentOS 5.2", it was just imaged with 5.7 when the hosting company set it up, but SELinux *was* off until I turned it on. So probably the doc should say, if the "system was *installed* with 5.2, then do this" (and presumably it's 5.2 or later, not just 5.2).
Either that, or the base install was an earlier version of Centos 5.x, with SELinux turned off then upgraded to the current version.
Could be in theory but if the hosting company was provisioning a new machine I don't know why they'd set up an earlier version and then upgrade, instead of just imaging the latest version at the time.
How about --- the hosting company installs CentOS once (the 5.2 version) as their master image, turns off SELinux, and keeps updating the image over time? And when a customer asks for a new machine, they just make a copy of the current state of the master image? I guess that would be much easier (for them), compared to actually installing the latest version of CentOS from scratch, for every customer.
Why don't you ask the hosting company exactly what kind of system they provided to you? Since SELinux was off by default, it certainly is not just a default installation of CentOS 5.7 (nor any other version of CentOS). They obviously made some manual after-install customizations before they handed you the system.
IMHO, if a hosting company does that sort of thing (especially turning off SELinux), I wouldn't touch them with a ten-foot pole. Who knows what else they might have customized, in their infinite wisdom... :-)
Care to share the name of that hosting company?
As for the original question -- when the docs say that access is allowed only across "similar types", what determines what counts as "similar types"? How do you know for example that httpd running as type httpd_t can access /var/www/html/robots.txt which has type httpd_sys_content_t?
AFAIK, the interactions between various labels (i.e. rules "who can access what") are determined by the SELinux targeted policy (the selinux-policy-targeted package). These rules evolve over time (the package sometimes gets updated and your filesystem autorelabeled to match), and IIRC they can get pretty complicated. You want to look inside that package to find all the rules.
But in usual circumstances you shouldn't need to know any details, just let the system label the files as they are supposed to be labeled, and everything should Just Work (tm). If you need to customize something, you can use semanage & restorecon to override the default policy.
HTH, :-) Marko
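As an added example (not part of the thread, and not the hosting company's or the CentOS project's code), the following script shows the two things Marko's answer points at: how to ask the loaded targeted policy whether the httpd_t domain may read a file labelled httpd_sys_content_t, and how to make a custom label stick with semanage plus restorecon. The live parts assume the setools package (sesearch) and policycoreutils (semanage, restorecon) are installed, as on a CentOS 5/6 box; the sesearch output embedded in the script is a constructed sample, not captured from a real system, and the /srv/www/site path is made up for illustration.

```shell
#!/bin/sh
# Added example: answering "can httpd_t read httpd_sys_content_t?" and
# persisting a custom file label on a CentOS box with the targeted policy.

# Parse sesearch-style allow rules and report whether SOURCE may perform
# PERM on TARGET objects of CLASS.  Handles both the setools 3 layout
# ("allow s t : class { perms } ;") and the setools 4 layout
# ("allow s t:class { perms };").  Returns 0 if such a rule exists, 1 if not.
has_allow_rule() {
    rules="$1"; src="$2"; tgt="$3"; cls="$4"; perm="$5"
    printf '%s\n' "$rules" \
      | sed -e 's/[{};:]/ & /g' -e 's/  */ /g' -e 's/^ *//' -e 's/ *$//' \
      | awk -v s="$src" -v t="$tgt" -v c="$cls" -v p="$perm" '
          $1 == "allow" && $2 == s && $3 == t && $4 == ":" && $5 == c {
              for (i = 6; i <= NF; i++) if ($i == p) { found = 1; exit }
          }
          END { exit found ? 0 : 1 }'
}

# Live query against the loaded policy (setools must be installed).
# The flags below exist in both setools 3 (CentOS 5/6) and setools 4.
policy_allows() {
    command -v sesearch >/dev/null 2>&1 || {
        echo "sesearch not found; install the setools package" >&2
        return 2
    }
    has_allow_rule "$(sesearch --allow -s "$1" -t "$2" -c "$3" -p "$4" 2>/dev/null)" \
                   "$1" "$2" "$3" "$4"
}

# The labels that actually matter for the question in the thread:
# the file's type and the daemon's domain.
show_labels() {
    ls -Z "$1"                  # file context, e.g. ...:httpd_sys_content_t:s0
    ps -eZ | grep "[${2%"${2#?}"}]${2#?}"   # process domain, e.g. ...:httpd_t:s0
}

# Persist a custom label: semanage records the file-context rule in the
# local policy store, restorecon applies it to the files on disk.  Without
# the semanage step a plain chcon would be lost on the next relabel.
label_custom_docroot() {
    dir="$1"    # constructed example: /srv/www/site
    semanage fcontext -a -t httpd_sys_content_t "${dir}(/.*)?" &&
    restorecon -Rv "$dir"
}

# Constructed sample of sesearch output (not captured from a real system):
# read-only content is readable, only the *_rw_content_t type is writable.
SAMPLE_RULES='allow httpd_t httpd_sys_content_t : file { ioctl read getattr lock open } ;
allow httpd_t httpd_sys_content_t : dir { ioctl read getattr lock search open } ;
allow httpd_t httpd_sys_rw_content_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;'

# Offline demonstration on the constructed sample.
for q in "httpd_sys_content_t file read" "httpd_sys_content_t file write" \
         "httpd_sys_rw_content_t file write"; do
    set -- $q
    if has_allow_rule "$SAMPLE_RULES" httpd_t "$1" "$2" "$3"; then
        echo "httpd_t -> $1 ($2 $3): allowed"
    else
        echo "httpd_t -> $1 ($2 $3): denied"
    fi
done

# Live check, only when the tools are present on this machine.
if command -v sesearch >/dev/null 2>&1; then
    if policy_allows httpd_t httpd_sys_content_t file read; then
        echo "loaded policy: httpd_t may read httpd_sys_content_t files"
    fi
    [ -e /var/www/html/robots.txt ] && show_labels /var/www/html/robots.txt httpd
fi
```

Run it as an unprivileged user to see the parser work on the sample; the semanage/restorecon function needs root and is deliberately not invoked at top level. The parser is what lets you turn sesearch's wall of rules into a yes/no answer, which is the practical form of "look inside that package to find all the rules".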