On Jan 5, 2012, at 7:37 PM, Bennett Haselton wrote: > On 1/5/2012 3:14 PM, RILINDO FOSTER wrote: >> On Jan 5, 2012, at 4:46 PM, Daniel J Walsh wrote: >> >>> -----BEGIN PGP SIGNED MESSAGE----- >>> Hash: SHA1 >>> >>> On 01/05/2012 04:36 PM, Bennett Haselton wrote: >>>> http://wiki.centos.org/HowTos/SELinux says: "Access is only allowed >>>> between similar types, so Apache running as httpd_t can read >>>> /var/www/html/index.html of type httpd_sys_content_t." >>>> >>>> however the doc doesn't define what "similar types" means. I >>>> assumed it just meant "beginning with the same prefix". However >>>> that can't be right because on my system with SELinux turned on, >>>> httpd runs as type init_t: >>>> >>>> [root at peacefire04 - /root # ps awuxZ | grep httpd | head -n 3 >>>> system_u:system_r:init_t:s0 root 2521 0.1 0.4 21680 >>>> 8820 ? Ss 05:05 0:00 /usr/sbin/httpd >>>> system_u:system_r:init_t:s0 apache 2550 0.0 0.4 23364 >>>> 8920 ? S 05:05 0:00 /usr/sbin/httpd >>>> system_u:system_r:init_t:s0 apache 2551 0.1 0.4 22736 >>>> 8212 ? S 05:05 0:00 /usr/sbin/httpd >>>> >>>> and the robots.txt file has type file_t: [root at peacefire04 - /root >>>> # ls -lZ /var/www/html/robots.txt -rw-rw-rw- root root >>>> system_u:object_r:file_t:s0 /var/www/html/robots.txt >>>> >>>> but Apache can of course access that file. So in Type Enforcement, >>>> what determines what process type can access what file type? >>>> >>>> Bennett _______________________________________________ CentOS >>>> mailing list CentOS at centos.org >>>> http://lists.centos.org/mailman/listinfo/centos >>> >>> Your machine needs to be relabeled. >>> >>> touch /.autorelabel >>> reboot >>> -----BEGIN PGP SIGNATURE----- >>> Version: GnuPG v1.4.11 (GNU/Linux) >>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ >>> >>> iEYEARECAAYFAk8GGk4ACgkQrlYvE4MpobMVkgCfVagwQqbzB2UW1+TEsrrCVhF5 >>> lFkAnjLTi3zphekGomv04ZyMu0sOuopg >>> =cIvM >>> -----END PGP SIGNATURE----- >>> _______________________________________________ >>> CentOS mailing list >>> CentOS at centos.org >>> http://lists.centos.org/mailman/listinfo/centos >> WARNING: If you have never enabled SELinux for long time, the boot is going to take a while as the system relabels the whole machine. Do not do this unless you can plan for an extend downtime. >> >> _______________________________________________ >> CentOS mailing list >> CentOS at centos.org >> http://lists.centos.org/mailman/listinfo/centos > I did do > touch /.autorelabel > reboot > > The machine booted back up in just a few minutes, what looked like > normal reboot time. And then I ran the same commands as before and got > what looks to me like the same output: > > [root at peacefire04 - /root # ls -lZ /var/www/html/robots.txt > -rw-rw-rw- root root system_u:object_r:file_t:s0 > /var/www/html/robots.txt > [root at peacefire04 - /root # ps awuxZ | grep httpd | head -n 3 > system_u:system_r:init_t:s0 root 2530 0.0 0.4 21680 8820 > ? Ss 16:23 0:00 /usr/sbin/httpd > system_u:system_r:init_t:s0 apache 2558 0.8 0.8 28308 16392 > ? S 16:23 0:03 /usr/sbin/httpd > system_u:system_r:init_t:s0 apache 2560 0.5 0.5 23248 10236 > ? S 16:23 0:02 /usr/sbin/httpd > > So I'm wondering: > 1) How did you know that the machine needed to be relabeled, was it > something in the output of the commands the first time I ran them? and > in that case, > 2) Why didn't it change after I created /.autorelabel and rebooted? > (I can confirm the file /.autorelabel is no longer present, so it must > have been deleted when the auto-relabel was done, like the doc says.) > 3) If the machine booted back up very quickly, should I be worried that > the autorelabel might not have happened? Any idea if it logs a message > somewhere if it fails to start properly? > _______________________________________________ > That sort of sound like a good thing. I would suggest that you do: tail -f /var/log/audit/audit.log | audit2allow To see what type of alerts you are getting. Likely you will get a lot, as some of the file contexts may not be labeled correctly.