On Monday 09 January 2012 20:00:29 Marko Vojinovic wrote:
> On Monday 09 January 2012 11:45:26 Daniel J Walsh wrote:
> > SELinux has no idea what the labels are in /tmp, so restorecon
> > will not change the labels. It would be best to just remove the
> > content from /tmp and allow new content to be created. If you
> > want the content to be accessible from apache, you could change
> > it to httpd_tmp_t
> >
> > chcon -t httpd_tmp_t /tmp/PATH
>
> But isn't there a policy for default labelling of arbitrary files
> put in /tmp? I mean, when apache puts a file in /tmp, it should be
> labelled *somehow*, according to the rules for apache and/or the
> /tmp directory, right? This should happen in both enforcing and
> permissive modes.
>
> So is the default type label for such a case file_t? If it is, it's
> a bug, since SELinux would deny subsequent access to that file,
> per policy, right?
>
> If I understood the OP correctly, he enabled SELinux (into
> permissive mode), relabeled the whole filesystem, rebooted several
> times, and after all that apache creates a file in /tmp with a
> label file_t. AFAIK, this should *never* happen, with the default
> policy.
>

Exactly as I thought. If I touch a file or cp a file into /tmp then it's
labelled as tmp_t, not file_t. On the other hand, if I mv a file in, it
retains its original type. So how could a file created in /tmp get a
file_t type? That's why I asked the OP to delete the file and run the
script which creates the file by hand.

Tony
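
The labelling behaviour discussed in this thread can be checked with a short script that sorts the files in /tmp by their SELinux type. This is an added example, not part of the original message; the EXPECTED_TYPES list, the verdict names and the sample paths are assumptions, and the sample input is constructed.

```shell
#!/bin/sh
# Added example: classify the SELinux type of files found in /tmp.
# Input on stdin: one "<context> <path>" pair per line, as printed by
#   stat -c '%C %n' /tmp/*        (GNU stat on an SELinux system)

# Types treated as normal for /tmp (assumption, taken from the thread:
# tmp_t for files created there, httpd_tmp_t after the chcon shown).
EXPECTED_TYPES="tmp_t httpd_tmp_t"

# Print the type field of a context (user:role:type[:level]).
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Print "<verdict> <type> <path>" for every input line.
#   OK         type is one of EXPECTED_TYPES
#   UNEXPECTED type is file_t, the case the thread says should not occur
#   RETAINED   any other type, e.g. a file moved in with mv keeps its label
classify_labels() {
    while read -r ctx path; do
        if [ -z "$ctx" ]; then continue; fi
        ftype=$(ctx_type "$ctx")
        verdict="RETAINED"
        for t in $EXPECTED_TYPES; do
            if [ "$ftype" = "$t" ]; then verdict="OK"; fi
        done
        if [ "$ftype" = "file_t" ]; then verdict="UNEXPECTED"; fi
        printf '%s %s %s\n' "$verdict" "$ftype" "$path"
    done
}

# Constructed sample input (not taken from a real system).
sample_input() {
    cat <<'EOF'
unconfined_u:object_r:tmp_t:s0 /tmp/created-with-touch
system_u:object_r:httpd_tmp_t:s0 /tmp/relabeled-with-chcon
unconfined_u:object_r:user_home_t:s0 /tmp/moved-in-with-mv
system_u:object_r:file_t:s0 /tmp/PATH
EOF
}

sample_input | classify_labels
```

On a live system, replace the last line with `stat -c '%C %n' /tmp/* | classify_labels`.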