On Monday 09 January 2012 12:06:04 Bennett Haselton wrote:
> On 1/9/2012 3:41 AM, Tony Molloy wrote:
> > First I'm no SELinux expert ;-( but I've been following this
> > thread with interest. It appears to be going around in circles.
> >
> > The only time I've come across a file_t type is when I have
> > something on a machine that SELinux doesn't know about. That is
> > SELinux has no policy for it. An example would be if I create a
> > new top level directory when I install a machine. SELinux knows
> > nothing about that directory name and has no preset type for it
> > so it gets a label of file_t or default_t. Doing a relabel in
> > that case will have no effect on the file label as SELinux still
> > doesn't have a policy for it.
> >
> > So the question is how did your file get the file_t type in the
> > first place. You say it is generated from a cgi script run from
> > apache.
> >
> > So is this the default apache which comes with CentOS
> >
> > What is the context of the apache executable. It should be
> > -rwxr-xr-x root root system_u:object_r:httpd_exec_t
> > /usr/sbin/httpd
>
> Yes that's what I've got.
>

Ok so apache is correctly labelled.

> > Where in the filesystem is the cgi script located. How did it get
> > there.
> >
> > What is the context of the cgi script
> >
> > What is the context of the directory the cgi script is in.
>
> [root at g6950-21025 ~]# ls -lZ /var/www/cgi-bin/capture.cgi
> -rwxr-xr-x root root system_u:object_r:httpd_sys_script_exec_t
> /var/www/cgi-bin/capture.cgi
> [root at g6950-21025 ~]# ls -ldZ /var/www/cgi-bin/
> drwxr-xr-x root root system_u:object_r:httpd_sys_script_exec_t
> /var/www/cgi-bin/
>
> The script got there because I uploaded it there.

The reason I asked that was because how the script got there can
determine its context. For instance:

cp: gives it the correct context of the directory it was copied into
mv: does not, it preserves the original context

But the above context(s) look ok

> > What is the context of /tmp. It should be
> > drwxrwxrwt root root system_u:object_r:tmp_t /tmp
>
> Yep.
> [root at g6950-21025 ~]# ls -ldZ /tmp
> drwxrwxrwt root root system_u:object_r:tmp_t /tmp

Ok that's fine.

> > Regards
> >
> > Tony

Now try a little experiment

# touch /tmp/x.x
# ls -alZ /tmp/x.x

should have the following context

-rw-r--r-- root root root:object_r:tmp_t x.x

You can also try copying and moving a file to /tmp and check the
context after each to see the difference.

Then delete the file created by your script from /tmp and run your cgi
script by hand. What is the context of the file now created.

Regards,

Tony
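The experiment Tony describes (touch a file, then cp and mv one into /tmp and compare contexts), as an added shell example that is not part of the thread or of any CentOS tooling. It assumes coreutils' `stat -c %C` to read a path's context (it prints `?` on a kernel without SELinux, in which case the experiment is skipped), `mktemp`, and optionally `matchpathcon` from libselinux-utils to show what the policy would assign on a relabel; the helper names `ctx_type`, `ctx_class`, `path_ctx`, `describe` and `run_experiment` are this example's own. The source file is created under `$HOME` rather than in /tmp so that the two directories have different types and the cp-versus-mv difference Tony mentions is visible: the copy takes /tmp's default type, the moved file keeps the type it was created with.

```sh
#!/bin/sh
# Added example, not code from the CentOS thread.
# Reproduces the /tmp experiment from the post and prints only the *type*
# field of each SELinux context, so the cp-vs-mv difference and any
# file_t/default_t result stand out. Assumes coreutils 'stat -c %C'
# (prints '?' without SELinux), mktemp, and optionally matchpathcon.
# All helper names are this example's own.

# Return the type field of a context string "user:role:type[:level]".
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Classify a context: file_t/default_t mean no policy matched the path
# (the situation described in the thread); '?' means no SELinux at all.
ctx_class() {
    case "$(ctx_type "$1")" in
        file_t|default_t) echo no_policy ;;
        '?'|'')           echo no_selinux ;;
        *)                echo labeled ;;
    esac
}

# Context of a path as stat reports it; '?' if the kernel has no SELinux.
path_ctx() {
    stat -c %C "$1" 2>/dev/null || echo '?'
}

# Describe one file: live context, its class, and (when matchpathcon is
# installed) the context the policy would assign on a relabel. A file whose
# live type is file_t and whose policy default is also file_t is exactly
# the "relabel has no effect" case from the post.
describe() {
    ctx=$(path_ctx "$1")
    printf '%-22s %-45s %s\n' "$2" "$ctx" "$(ctx_class "$ctx")"
    if command -v matchpathcon >/dev/null 2>&1; then
        printf '%-22s policy default: %s\n' '' \
            "$(matchpathcon -n "$1" 2>/dev/null || echo none)"
    fi
}

# The experiment: create a file under $HOME (a different type than /tmp),
# then cp it and mv it into /tmp. cp gets /tmp's default type; mv keeps
# the original file's type.
run_experiment() {
    if [ "$(path_ctx /tmp)" = '?' ]; then
        echo "SELinux not available here, skipping experiment"
        return 0
    fi
    work=$(mktemp -d "${HOME:-/root}/ctxtest.XXXXXX") || {
        echo "cannot create work dir under ${HOME:-/root}, skipping"
        return 0
    }
    touch "$work/src.txt"
    describe "$work/src.txt" "touch in \$HOME"
    cp "$work/src.txt" "/tmp/x.cp.$$"
    describe "/tmp/x.cp.$$" "cp into /tmp"
    mv "$work/src.txt" "/tmp/x.mv.$$"
    describe "/tmp/x.mv.$$" "mv into /tmp"
    rm -f "/tmp/x.cp.$$" "/tmp/x.mv.$$"
    rmdir "$work"
}

run_experiment
```

Run it as root on the affected box; then, as Tony suggests, delete the file your CGI script wrote and call `describe` on the one it creates when you run the script by hand. If that file comes back `no_policy` while `matchpathcon` also reports file_t or default_t for the path, a relabel will not help, because the policy has nothing to relabel it to.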