On 1/6/2012 5:58 AM, RILINDO FOSTER wrote: > On Jan 5, 2012, at 7:37 PM, Bennett Haselton wrote: > >> On 1/5/2012 3:14 PM, RILINDO FOSTER wrote: >>> On Jan 5, 2012, at 4:46 PM, Daniel J Walsh wrote: >>> >>>> -----BEGIN PGP SIGNED MESSAGE----- >>>> Hash: SHA1 >>>> >>>> On 01/05/2012 04:36 PM, Bennett Haselton wrote: >>>>> http://wiki.centos.org/HowTos/SELinux says: "Access is only allowed >>>>> between similar types, so Apache running as httpd_t can read >>>>> /var/www/html/index.html of type httpd_sys_content_t." >>>>> >>>>> however the doc doesn't define what "similar types" means. I >>>>> assumed it just meant "beginning with the same prefix". However >>>>> that can't be right because on my system with SELinux turned on, >>>>> httpd runs as type init_t: >>>>> >>>>> [root at peacefire04 - /root # ps awuxZ | grep httpd | head -n 3 >>>>> system_u:system_r:init_t:s0 root 2521 0.1 0.4 21680 >>>>> 8820 ? Ss 05:05 0:00 /usr/sbin/httpd >>>>> system_u:system_r:init_t:s0 apache 2550 0.0 0.4 23364 >>>>> 8920 ? S 05:05 0:00 /usr/sbin/httpd >>>>> system_u:system_r:init_t:s0 apache 2551 0.1 0.4 22736 >>>>> 8212 ? S 05:05 0:00 /usr/sbin/httpd >>>>> >>>>> and the robots.txt file has type file_t: [root at peacefire04 - /root >>>>> # ls -lZ /var/www/html/robots.txt -rw-rw-rw- root root >>>>> system_u:object_r:file_t:s0 /var/www/html/robots.txt >>>>> >>>>> but Apache can of course access that file. So in Type Enforcement, >>>>> what determines what process type can access what file type? >>>>> >>>>> Bennett _______________________________________________ CentOS >>>>> mailing list CentOS at centos.org >>>>> http://lists.centos.org/mailman/listinfo/centos >>>> Your machine needs to be relabeled. >>>> >>>> touch /.autorelabel >>>> reboot >>>> -----BEGIN PGP SIGNATURE----- >>>> Version: GnuPG v1.4.11 (GNU/Linux) >>>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ >>>> >>>> iEYEARECAAYFAk8GGk4ACgkQrlYvE4MpobMVkgCfVagwQqbzB2UW1+TEsrrCVhF5 >>>> lFkAnjLTi3zphekGomv04ZyMu0sOuopg >>>> =cIvM >>>> -----END PGP SIGNATURE----- >>>> _______________________________________________ >>>> CentOS mailing list >>>> CentOS at centos.org >>>> http://lists.centos.org/mailman/listinfo/centos >>> WARNING: If you have never enabled SELinux for long time, the boot is going to take a while as the system relabels the whole machine. Do not do this unless you can plan for an extend downtime. >>> >>> _______________________________________________ >>> CentOS mailing list >>> CentOS at centos.org >>> http://lists.centos.org/mailman/listinfo/centos >> I did do >> touch /.autorelabel >> reboot >> >> The machine booted back up in just a few minutes, what looked like >> normal reboot time. And then I ran the same commands as before and got >> what looks to me like the same output: >> >> [root at peacefire04 - /root # ls -lZ /var/www/html/robots.txt >> -rw-rw-rw- root root system_u:object_r:file_t:s0 >> /var/www/html/robots.txt >> [root at peacefire04 - /root # ps awuxZ | grep httpd | head -n 3 >> system_u:system_r:init_t:s0 root 2530 0.0 0.4 21680 8820 >> ? Ss 16:23 0:00 /usr/sbin/httpd >> system_u:system_r:init_t:s0 apache 2558 0.8 0.8 28308 16392 >> ? S 16:23 0:03 /usr/sbin/httpd >> system_u:system_r:init_t:s0 apache 2560 0.5 0.5 23248 10236 >> ? S 16:23 0:02 /usr/sbin/httpd >> >> So I'm wondering: >> 1) How did you know that the machine needed to be relabeled, was it >> something in the output of the commands the first time I ran them? and >> in that case, >> 2) Why didn't it change after I created /.autorelabel and rebooted? >> (I can confirm the file /.autorelabel is no longer present, so it must >> have been deleted when the auto-relabel was done, like the doc says.) >> 3) If the machine booted back up very quickly, should I be worried that >> the autorelabel might not have happened? Any idea if it logs a message >> somewhere if it fails to start properly? >> _______________________________________________ >> > That sort of sound like a good thing. I would suggest that you do: > > tail -f /var/log/audit/audit.log | audit2allow > > To see what type of alerts you are getting. Likely you will get a lot, as some of the file contexts may not be labeled correctly. I did that but it produces descriptions all beginning with "Summary: SELinux is preventing access to files with the label, file_t." In other words, it's describing errors that are the result of the relabeling failure, but it doesn't appear to say anything about what *caused* the relabeling failure (or if it does it's buried in so many other errors I don't know how to find it). Bennett