[CentOS] SELinux and access across 'similar types'

Mon Jan 9 20:29:59 UTC 2012
Daniel J Walsh <dwalsh at redhat.com>


On 01/09/2012 03:24 PM, Tony Molloy wrote:
> On Monday 09 January 2012 20:00:29 Marko Vojinovic wrote:
>> On Monday 09 January 2012 11:45:26 Daniel J Walsh wrote:
>>> SELinux has no idea what the labels are in /tmp, so restorecon 
>>> will not change the labels.  It would be best to just remove
>>> the content from /tmp and allow new content to be created.  If
>>> you want the content to be accessible from apache, you could
>>> change it to httpd_tmp_t
>>> 
>>> chcon -t httpd_tmp_t /tmp/PATH
>> 
>> But isn't there a policy for default labelling of arbitrary
>> files put in /tmp? I mean, when apache puts a file in /tmp, it
>> should be labelled *somehow*, according to the rules for apache
>> and/or the /tmp directory, right? This should happen in both
>> enforcing and permissive modes.
>> 
>> So is the default type label for such a case file_t? If it is,
>> it's a bug, since SELinux would deny subsequent access to that
>> file, per policy, right?
>> 
>> If I understood the OP correctly, he enabled SELinux (into 
>> permissive mode), relabeled the whole filesystem, rebooted
>> several times, and after all that apache creates a file in /tmp
>> with a label file_t. AFAIK, this should *never* happen, with the
>> default policy.
>> 
> 
> Exactly as I thought. If I touch a file or cp a file into /tmp then
> it's labelled as tmp_t not file_t. On the other hand if I mv a file
> in it retains its original type. So how could a file created in
> /tmp get a file_t type?
> 
> That's why I asked the OP to delete the file and run the script
> which creates the file by hand.
> 
> Tony

file_t means the file has no label, so the only way to create this
type of file would be to remove the security attributes on the file.
On an SELinux system, file_t should never be created; such files are
only created on a system with SELinux disabled.  I guess you could try
to use chcon -t file_t on a file, but I believe the kernel will block
that.  Or you could attempt to delete the SELinux label, but that might
also be denied.
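An added example, not code posted by anyone in this thread: a small POSIX sh helper that audits /tmp for files carrying the file_t type (no security attribute, which the reply above says should never appear on an SELinux-enabled system) and prints the two fixes the thread suggests. It assumes the context layout user:role:type[:level] and, on a live host, GNU find's `-printf '%Z %p\n'`; the sample lines are constructed, not captured from anyone's system.

```shell
#!/bin/sh
# Audit /tmp for SELinux file_t (unlabeled) files. Added example, not the
# thread's code. Assumes contexts look like user:role:type[:level].

# Extract the type field from a context such as unconfined_u:object_r:tmp_t:s0.
selinux_type_of() {
    t=${1#*:*:}               # drop the user and role fields
    printf '%s\n' "${t%%:*}"  # drop the MLS level if present
}

# Classify a context by its type field.
classify_context() {
    case "$(selinux_type_of "$1")" in
        file_t)      echo unlabeled ;;   # no security attribute at all
        tmp_t)       echo tmp ;;         # default for new files in /tmp
        httpd_tmp_t) echo apache-tmp ;;  # what apache's tmp files should get
        *)           echo other ;;
    esac
}

# Read "context path" lines on stdin and print the paths labelled file_t.
find_unlabeled() {
    while read -r ctx path; do
        [ "$(classify_context "$ctx")" = unlabeled ] && printf '%s\n' "$path"
    done
    return 0
}

# Remediation per the thread: restorecon will not relabel /tmp content, so
# either remove the file and let the daemon recreate it, or set the type.
remediation_for() {
    printf 'rm -f -- %s   # let the creating process recreate it\n' "$1"
    printf 'chcon -t httpd_tmp_t -- %s   # only if apache must access it\n' "$1"
}

# Constructed sample in the shape GNU find prints with -printf '%Z %p\n'.
SAMPLE='unconfined_u:object_r:tmp_t:s0 /tmp/notes.txt
system_u:object_r:file_t:s0 /tmp/upload.dat
system_u:object_r:httpd_tmp_t:s0 /tmp/sess_abc
system_u:object_r:file_t:s0 /tmp/moved-in'

# Live audit when SELinux is enabled on this host, otherwise use the sample.
audit_tmp() {
    if command -v getenforce >/dev/null 2>&1 && [ "$(getenforce)" != Disabled ]; then
        find /tmp -maxdepth 1 -printf '%Z %p\n' | find_unlabeled
    else
        printf '%s\n' "$SAMPLE" | find_unlabeled
    fi
}

audit_tmp | while read -r f; do remediation_for "$f"; done
```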
