On 1/5/2012 4:37 PM, Bennett Haselton wrote:
On 1/5/2012 3:14 PM, RILINDO FOSTER wrote:
On Jan 5, 2012, at 4:46 PM, Daniel J Walsh wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 01/05/2012 04:36 PM, Bennett Haselton wrote:
http://wiki.centos.org/HowTos/SELinux says: "Access is only allowed between similar types, so Apache running as httpd_t can read /var/www/html/index.html of type httpd_sys_content_t."
however the doc doesn't define what "similar types" means. I assumed it just meant "beginning with the same prefix". However that can't be right because on my system with SELinux turned on, httpd runs as type init_t:
[root@peacefire04 - /root # ps awuxZ | grep httpd | head -n 3 system_u:system_r:init_t:s0 root 2521 0.1 0.4 21680 8820 ? Ss 05:05 0:00 /usr/sbin/httpd system_u:system_r:init_t:s0 apache 2550 0.0 0.4 23364 8920 ? S 05:05 0:00 /usr/sbin/httpd system_u:system_r:init_t:s0 apache 2551 0.1 0.4 22736 8212 ? S 05:05 0:00 /usr/sbin/httpd
and the robots.txt file has type file_t: [root@peacefire04 - /root # ls -lZ /var/www/html/robots.txt -rw-rw-rw- root root system_u:object_r:file_t:s0 /var/www/html/robots.txt
but Apache can of course access that file. So in Type Enforcement, what determines what process type can access what file type?
Bennett _______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Your machine needs to be relabeled.
touch /.autorelabel reboot -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk8GGk4ACgkQrlYvE4MpobMVkgCfVagwQqbzB2UW1+TEsrrCVhF5 lFkAnjLTi3zphekGomv04ZyMu0sOuopg =cIvM -----END PGP SIGNATURE----- _______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
WARNING: If you have never enabled SELinux for long time, the boot is going to take a while as the system relabels the whole machine. Do not do this unless you can plan for an extend downtime.
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
I did do touch /.autorelabel reboot
The machine booted back up in just a few minutes, what looked like normal reboot time. And then I ran the same commands as before and got what looks to me like the same output:
[root@peacefire04 - /root # ls -lZ /var/www/html/robots.txt -rw-rw-rw- root root system_u:object_r:file_t:s0 /var/www/html/robots.txt [root@peacefire04 - /root # ps awuxZ | grep httpd | head -n 3 system_u:system_r:init_t:s0 root 2530 0.0 0.4 21680 8820 ? Ss 16:23 0:00 /usr/sbin/httpd system_u:system_r:init_t:s0 apache 2558 0.8 0.8 28308 16392 ? S 16:23 0:03 /usr/sbin/httpd system_u:system_r:init_t:s0 apache 2560 0.5 0.5 23248 10236 ? S 16:23 0:02 /usr/sbin/httpd
So I'm wondering:
- How did you know that the machine needed to be relabeled, was it
something in the output of the commands the first time I ran them? and in that case, 2) Why didn't it change after I created /.autorelabel and rebooted? (I can confirm the file /.autorelabel is no longer present, so it must have been deleted when the auto-relabel was done, like the doc says.) 3) If the machine booted back up very quickly, should I be worried that the autorelabel might not have happened? Any idea if it logs a message somewhere if it fails to start properly?
OK, I know why Daniel and Rilindo were telling me to relabel -- according to http://fedoraproject.org/wiki/SELinux/Troubleshooting/AVCDecisions and other sources, if a file is listed as type "file_t", it means the system needs to be relabeled.
So I still don't know: after creating /.autorelabel (and verifying that it's there), and rebooting the system (and then verifying that the /.autorelabel file has been deleted, which is supposed to mean the auto-relabel actually happened), why am I still seeing the file type listed as file_t?
Bennett