-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/09/2012 03:00 PM, Marko Vojinovic wrote:
On Monday 09 January 2012 11:45:26 Daniel J Walsh wrote:
SELinux has no idea what the labels are in /tmp, so restorecon will not change the labels. It would be best to just remove the content from /tmp and allow new content to be created. If you want the content to be accessible from apache, you could change it to httpd_tmp_t
chcon -t httpd_tmp_t /tmp/PATH
But isn't there a policy for default labelling of arbitrary files put in /tmp? I mean, when apache puts a file in /tmp, it should be labelled *somehow*, according to the rules for apache and/or the /tmp directory, right? This should happen in both enforcing and permissive modes.
So is the default type label for such a case file_t? If it is, it's a bug, since SELinux would deny subsequent access to that file, per policy, right?
If I understood the OP correctly, he enabled SELinux (into permissive mode), relabeled the whole filesystem, rebooted several times, and after all that apache creates a file in /tmp with a label file_t. AFAIK, this should *never* happen, with the default policy.
Or am I missing something?
The only way I can understand how this can happen is to conjecture that the OP has turned on SELinux and --- *before* proper relabelling of the filesystem --- customized the policy (using audit2allow) to allow apache to read/write files of type file_t (this was neither confirmed nor denied by the OP). Since this is inconsistent with other rules in the policy, my suggestion was to "reset" the policy to CentOS default and relabel everything again before making any further customizations. However, I don't know how to actually do the "reset the policy" step, since I never needed it. :-)
Is there an alternative explanation to the whole mess?
Best, :-) Marko
_______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
If you look at the file_contexts file you will see <<none>>, which means the default label has no idea what to put in this directory
/tmp/.* <<none>>
This tells restorecon to ignore any files that match this label, to prevent it from doing the wrong thing. restorecon does not understand the difference between file_t or shadow_t or user_home_t. So it does nothing.
So the real problem here is the fact the machine booted with SELinux disabled and then kept files in /tmp. Newer versions of fixfiles attempt to delete these files if it finds them in /tmp.
# Excerpt from fixfiles. get_undefined_type and get_unlabeled_type are helpers
# defined elsewhere in the script; they return the policy's names for the
# undefined and unlabeled types (typically file_t and unlabeled_t).
UNDEFINED=`get_undefined_type` || exit $?
UNLABELED=`get_unlabeled_type` || exit $?
# Sockets and pipes carrying either type are stale leftovers: delete them.
find /tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) \( -type s -o -type p \) -delete
# Everything else inherits the label of the directory it lives in.
find /tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /tmp {} \;
find /var/tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /var/tmp {} \;
find /var/run \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /var/run {} \;
[ -e /var/lib/debug ] && find /var/lib/debug \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /lib {} \;
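The two points above (restorecon skipping paths whose file_contexts entry is <<none>>, and fixfiles cleaning up file_t/unlabeled_t leftovers in /tmp) can be checked offline. The script below is an added illustration, not code from the thread or from the policycoreutils project: it models file_contexts lookup as a simplified "last matching entry wins" rule (an assumption; real libselinux also sorts entries by specificity), uses a constructed five-line file_contexts excerpt, and triages constructed `find /tmp -printf '%y %p %Z\n'` output the way the fixfiles excerpt does, returning a plan instead of running chcon or deleting anything.

```python
import re
from typing import List, Optional, Tuple

# Constructed file_contexts excerpt (format: regex [-d|-l|...] context).
# Modelled on the stock policy's entries for /tmp and /var/tmp.
FILE_CONTEXTS = """\
/.*                 system_u:object_r:default_t:s0
/tmp                -d  system_u:object_r:tmp_t:s0
/tmp/.*             <<none>>
/var/tmp            -d  system_u:object_r:tmp_t:s0
/var/tmp/.*         <<none>>
"""

# Constructed output of: find /tmp -printf '%y %p %Z\n'  (type, path, context).
FIND_OUTPUT = """\
d /tmp system_u:object_r:tmp_t:s0
f /tmp/sess_abc123 system_u:object_r:file_t:s0
s /tmp/mysql.sock system_u:object_r:unlabeled_t:s0
f /tmp/krb5cc_0 unconfined_u:object_r:user_tmp_t:s0
d /tmp/php-uploads system_u:object_r:httpd_tmp_t:s0
"""

Entry = Tuple[re.Pattern, Optional[str], Optional[str]]


def parse_file_contexts(text: str) -> List[Entry]:
    """Parse file_contexts lines into (compiled regex, file-type flag, context).
    A context of <<none>> is stored as None."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 3:
            regex, ftype, ctx = parts
        elif len(parts) == 2:
            regex, ctx = parts
            ftype = None
        else:
            raise ValueError(f"malformed file_contexts line: {line!r}")
        entries.append((re.compile(regex), ftype, None if ctx == "<<none>>" else ctx))
    return entries


def default_context(entries: List[Entry], path: str, is_dir: bool = False) -> Optional[str]:
    """Simplified matchpathcon: the last entry whose regex matches the whole
    path wins (assumption: ignores libselinux's specificity ordering).
    Returns None when that entry is <<none>>, which is exactly the case in
    which restorecon leaves the file alone."""
    result: Optional[str] = None
    for pattern, ftype, ctx in entries:
        if ftype == "-d" and not is_dir:
            continue
        if pattern.fullmatch(path):
            result = ctx
    return result


def plan_fix(find_lines: List[str], bad_types=("file_t", "unlabeled_t")) -> List[Tuple[str, str]]:
    """Mirror the fixfiles logic on captured find output: sockets and pipes
    with an undefined/unlabeled type are deleted, everything else with such a
    type gets the label of /tmp. Returns (path, action) pairs; nothing is run."""
    plan: List[Tuple[str, str]] = []
    for line in find_lines:
        ftype, path, ctx = line.split(" ", 2)
        setype = ctx.split(":")[2]          # user:role:type:level -> type
        if setype not in bad_types:
            continue
        if ftype in ("s", "p"):
            plan.append((path, "delete"))
        else:
            plan.append((path, "chcon --reference /tmp"))
    return plan


if __name__ == "__main__":
    entries = parse_file_contexts(FILE_CONTEXTS)
    for p, d in (("/tmp", True), ("/tmp/sess_abc123", False), ("/var/log/messages", False)):
        print(f"{p:22} -> {default_context(entries, p, d) or '<<none>> (restorecon skips)'}")
    for path, action in plan_fix(FIND_OUTPUT.splitlines()):
        print(f"{action:24} {path}")
```

Running it shows why a relabel never touched the OP's file: `/tmp/sess_abc123` resolves to <<none>>, so restorecon has no opinion, while the fixfiles-style pass is what actually repairs it (relabel the regular file, delete the stale socket). To audit a live host, the same `plan_fix` can be fed the real `find /tmp -printf '%y %p %Z\n'` output.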