On 01/07/2012 09:21 PM, Gordon Messmer wrote:
> On 01/05/2012 01:36 PM, Bennett Haselton wrote:
>> http://wiki.centos.org/HowTos/SELinux says: "Access is only allowed between similar types, so Apache running as httpd_t can read /var/www/html/index.html of type httpd_sys_content_t."
>> However, the doc doesn't define what "similar types" means.
>
> That is a gross oversimplification. Access is allowed based on a policy, and no "similarity" between types is required.
>
> If you'd like to see what is allowed, you'll have to get the selinux-policy src.rpm and unpack it to examine the source for the policy. It sucks, but as far as I know, no more user-friendly method exists.
>
>> and the robots.txt file has type file_t:
>>
>> [root@peacefire04 - /root # ls -lZ /var/www/html/robots.txt
>> -rw-rw-rw- root root system_u:object_r:file_t:s0 /var/www/html/robots.txt
>>
>> but Apache can of course access that file.
>
> If apache can access a mislabeled file, then either SELinux is disabled or in permissive mode. Use "getenforce" to determine which.
>
> _______________________________________________
> CentOS mailing list
> CentOS@centos.org
> http://lists.centos.org/mailman/listinfo/centos
man sesearch
sesearch -A -s httpd_t -C
Will show you all the allow rules for the Apache service.
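As an added example that is not part of this thread: the small POSIX shell script below ties the three checks discussed here together (the file's type from "ls -Z", the mode from "getenforce", and the allow rules from "sesearch -A -s httpd_t") and reports why Apache can read a file. The function names and the sample rule lines are mine, written against the setools 3 "allow src tgt : class { perms } ;" output form; the sample inputs are constructed so it runs offline.

```shell
# Added example, not from the thread: combine the three checks discussed
# (ls -Z type, getenforce mode, sesearch allow rules) into one verdict.
# All sample inputs below are constructed for offline use.

# Pull the SELinux type (3rd field of user:role:type:level) out of one
# line of "ls -Z" output.
selinux_type_of() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep ':object_r:' | cut -d: -f3
}

# Does the sesearch listing in $3 contain an unconditional rule granting
# source type $1 the read permission on file objects of target type $2?
# Expected rule form (setools 3):
#   allow httpd_t httpd_sys_content_t : file { ioctl read getattr lock open } ;
# Conditional rules (shown by -C) also depend on a boolean; not evaluated here.
allowed_to_read() {
    printf '%s\n' "$3" |
        grep -E "^allow $1 $2 : file \{[^}]*[ {]read[ }]" >/dev/null
}

# Explain why Apache (httpd_t) can or cannot read a file. Prints one of:
#   allowed, denied, permissive (denied by policy but only logged),
#   disabled (SELinux off).
verdict() {
    mode=$1; lsz_line=$2; rules=$3
    t=$(selinux_type_of "$lsz_line")
    if allowed_to_read httpd_t "$t" "$rules"; then
        echo allowed
    else
        case $mode in
            Enforcing)  echo denied ;;
            Permissive) echo permissive ;;
            Disabled)   echo disabled ;;
            *)          echo "unknown mode: $mode" ;;
        esac
    fi
}

# Constructed sample data (the robots.txt line is the one quoted above).
SAMPLE_RULES='allow httpd_t httpd_sys_content_t : file { ioctl read getattr lock open } ;
allow httpd_t httpd_log_t : file { ioctl append getattr lock open } ;'
ROBOTS_LSZ='-rw-rw-rw- root root system_u:object_r:file_t:s0 /var/www/html/robots.txt'
INDEX_LSZ='-rw-r--r-- root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html'

verdict Permissive "$ROBOTS_LSZ" "$SAMPLE_RULES"   # permissive
verdict Enforcing  "$INDEX_LSZ"  "$SAMPLE_RULES"   # allowed
```

On a live CentOS host the equivalent call is verdict "$(getenforce)" "$(ls -Z /var/www/html/robots.txt)" "$(sesearch -A -s httpd_t)".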