[CentOS] SELinux and access across 'similar types'

Sun Jan 8 12:38:31 UTC 2012
Bennett Haselton <bennett at peacefire.org>

On 1/7/2012 6:25 PM, Gordon Messmer wrote:
> On 01/06/2012 01:36 AM, Bennett Haselton wrote:
>> So I still don't know: after creating /.autorelabel (and verifying that
>> it's there), and rebooting the system (and then verifying that the
>> /.autorelabel file has been deleted, which is supposed to mean the
>> auto-relabel actually happened), why am I still seeing the file type
>> listed as file_t?
> Either SELinux is disabled or your filesystem doesn't support extended
> attributes.
[root@g6950-21025 ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 21
Policy from config file:        targeted

(same thing happens if I switch to "enforcing", although then things 
start breaking instead of logging warnings)

> Check /proc/cmdline to see if the kernel was instructed to disable
> SELinux

[root@g6950-21025 ~]# cat /proc/cmdline
ro root=/dev/sys-0n1f/root

Not sure what that means, but I assume it doesn't force SELinux to be 
disabled.

> and check /etc/sysconfig/selinux.

[root@g6950-21025 ~]# cat /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=permissive
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted
[root@g6950-21025 ~]#


Note: SELinux is logging warnings (while in permissive mode) to 
/var/log/audit/audit.log whenever httpd interacts with one of the files 
like /tmp/hostname_SKYSLICE.INFO. Presumably that means it's not 
disabled; SELinux is on, but the file still hasn't been relabeled.

> Check /proc/mounts to see what filesystem type your system is using.
[root@g6950-21025 ~]# cat /proc/mounts
rootfs / rootfs rw 0 0
/dev/root / ext3 rw,data=ordered 0 0
/dev /dev tmpfs rw 0 0
/proc /proc proc rw 0 0
/sys /sys sysfs rw 0 0
none /selinux selinuxfs rw 0 0
/proc/bus/usb /proc/bus/usb usbfs rw 0 0
devpts /dev/pts devpts rw 0 0
/dev/sys-0n1f/vartmp /var/tmp ext3 rw,nosuid,noexec,data=ordered 0 0
/dev/sys-0n1f/tmp /tmp ext3 rw,nosuid,noexec,data=ordered 0 0
/dev/sda1 /boot ext3 rw,data=ordered 0 0
tmpfs /dev/shm tmpfs rw,nosuid,noexec 0 0
none /proc/sys/fs/binfmt_misc binfmt_misc rw 0 0
/etc/auto.misc /misc autofs rw,fd=7,pgrp=2217,timeout=300,minproto=5,maxproto=5,indirect 0 0
-hosts /net autofs rw,fd=13,pgrp=2217,timeout=300,minproto=5,maxproto=5,indirect 0 0
> Use "tune2fs -l" to see if an ext3/4 filesystem has the "user_xattr" option.
In the output above,
/dev/root
/dev/sys-0n1f/vartmp
/dev/sys-0n1f/tmp
/dev/sda1

were all listed as ext3, and when I ran "tune2fs -l" on each of them, 
the output included the line
Default mount options:    user_xattr acl

Bennett
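An added example, not part of the thread above and not code from either poster: a small triage script for the situation Bennett describes, a file that is still file_t after /.autorelabel even though sestatus says SELinux is enabled and the filesystems are ext3. It does two things. First, it pulls out of the audit log the objects whose target context is still file_t (or unlabeled_t on newer policies), so you know exactly which paths to look at; the AVC records in the script are constructed samples in the kernel's AVC record layout, since the thread quotes none. Second, on a live host, it checks the on-disk label directly with getfattr and asks the policy what the label should be. Two points the thread does not make and that the live check relies on: the security.selinux attribute lives in the "security" xattr namespace, which ext3 stores independently of the user_xattr mount option, so tune2fs showing user_xattr is not the decisive test; and if matchpathcon prints <<none>> for the path, file_contexts has no entry for it, in which case fixfiles/restorecon will not touch it during a relabel and the file keeps whatever label it was created with. The path /tmp/hostname_SKYSLICE.INFO and the pids in the samples are taken from or invented around the thread, not observed.

```shell
#!/bin/sh
# Added example (not from the original CentOS thread). Triage for a file that
# stays file_t after /.autorelabel: list the still-unlabelled AVC targets, then
# (live host only) inspect the on-disk label and the policy's expected label.

# Constructed sample AVC records in the kernel AVC record format. Permissive
# mode still logs "denied". Pids, inodes and the second path are invented.
SAMPLE_AVC='type=AVC msg=audit(1325937600.123:456): avc:  denied  { read } for  pid=2345 comm="httpd" name="hostname_SKYSLICE.INFO" dev=dm-2 ino=12 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1325937601.456:457): avc:  denied  { getattr } for  pid=2345 comm="httpd" path="/tmp/sess_abc" dev=dm-2 ino=40 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1325937602.789:458): avc:  denied  { write } for  pid=2345 comm="httpd" name="hostname_SKYSLICE.INFO" dev=dm-2 ino=12 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file'

# Read AVC records on stdin; print "<comm> <perm> <object> <ttype>" for every
# record whose target type is file_t (old policy) or unlabeled_t (newer policy).
file_t_avcs() {
    awk '
    /^type=AVC/ {
        comm = ""; obj = ""; ttype = ""; perm = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)        { comm = $i; sub(/^comm="?/, "", comm); sub(/"$/, "", comm) }
            if ($i ~ /^(name|path)=/) { obj = $i;  sub(/^(name|path)="?/, "", obj); sub(/"$/, "", obj) }
            if ($i ~ /^tcontext=/)    { split($i, c, ":"); ttype = c[3] }   # user:role:type[:mls]
        }
        # the requested permission sits between "{" and "}"
        if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        if (ttype == "file_t" || ttype == "unlabeled_t") print comm, perm, obj, ttype
    }'
}

# Number of distinct objects still carrying the unlabelled type (stdin = AVC records).
file_t_object_count() {
    file_t_avcs | awk '{ print $3 }' | sort -u | wc -l | tr -d ' '
}

# Live-host check for one path (needs attr, libselinux-utils, policycoreutils):
# the raw xattr, the label as ls sees it, what the policy says it should be, and
# a dry-run restorecon. "<<none>>" from matchpathcon means file_contexts has no
# entry for the path, so a relabel will leave it as it is.
live_label_check() {
    path=$1
    command -v getfattr >/dev/null 2>&1 || { echo "getfattr not installed (attr package)"; return 2; }
    getfattr --absolute-names -n security.selinux "$path"
    ls -Z "$path"
    matchpathcon "$path"
    restorecon -nv "$path"   # -n: report only, change nothing
}

# Stand-alone run: triage the constructed samples.
printf '%s\n' "$SAMPLE_AVC" | file_t_avcs
```

On the real box you would feed `grep ^type=AVC /var/log/audit/audit.log | file_t_avcs` and then run `live_label_check /tmp/hostname_SKYSLICE.INFO` for each object it lists; an xattr that is absent altogether, rather than set to a wrong value, is the signature of a file created while SELinux was off or on a kernel without xattr labelling.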