[CentOS] SELinux and access across 'similar types'

Tue Jan 10 13:37:44 UTC 2012
Bennett Haselton <bennett at peacefire.org>

On 1/9/2012 8:05 PM, Marko Vojinovic wrote:
> On Monday 09 January 2012 15:29:59 Daniel J Walsh wrote:
>> file_t means the file has no label, so the only way to create this
>> type of file would be to remove the security attributes on the file.
>> On an SELinux system, file_t should never be created, they are only
>> created on a disabled SELinux system.  I guess you could try to use
>> chcon -t file_t on a file, but I believe the kernel will block that.
>> Or you could attempt to delete the SELinux label, but that might also
>> be denied.
> Ok, now I think I understand. The OP has stale files in /tmp which are not
> labelled, due to not purging /tmp on reboot. SELinux doesn't know how these
> files should be labelled, so it doesn't even try, and gives them the type
> file_t, which is a synonym for "this file doesn't have a type".
>
> So the answer for the OP is to use chcon on this file to label it somehow. If
> that doesn't work, he should delete the file and recreate it (while SELinux is
> active), so that it gets properly labelled.

OK, I did delete the files in the /tmp/ directory, and as the running 
apache process re-created them, it created them with the correct type:
[root at g6950-21025 tmp]# ls -lZ *
-rw-r--r--  apache apache system_u:object_r:httpd_sys_script_rw_t hostname_ICECOOK.INFO
-rw-r--r--  apache apache system_u:object_r:httpd_sys_script_rw_t hostname_LAZYFROG.INFO
etc.

So the documentation is missing something about clearing files out of 
/tmp/ (or they won't get relabeled properly and processes won't be able 
to access them under SELinux), but at least it's working now.

Bennett

> I learned something new today. :-) Thanks for the explanation!
>
> Best, :-)
> Marko
>
>
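A small audit helper in the spirit of the fix discussed in this thread, added here as an example and not code from the list or its posters: it parses "ls -lZ" output and reports entries whose SELinux type is file_t or unlabeled_t, so stale unlabelled files in /tmp can be found before a confined process trips over them. It goes slightly beyond the thread by also accepting the newer ls layout that carries an MLS level (":s0"); the function names and sample lines are constructed.

```shell
#!/bin/sh
# Hypothetical helper: read "ls -lZ" lines on stdin and print the names of
# entries whose SELinux type is file_t or unlabeled_t, i.e. files SELinux
# could not label (the situation described in the thread).
unlabeled_from_ls() {
    awk '
    {
        type = ""
        # The security context is the field shaped like user:role:type[:level];
        # its position differs between old (CentOS 5) and newer ls layouts.
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^[A-Za-z0-9_]+:[A-Za-z0-9_]+:[A-Za-z0-9_]+(:.*)?$/) {
                split($i, c, ":")
                type = c[3]
                break
            }
        }
        # file_t is the "no label" type on old policy, unlabeled_t on newer ones.
        if (type == "file_t" || type == "unlabeled_t")
            print $NF
    }'
}

# Constructed sample: two lines in the layout shown in the thread, one stale
# file_t entry, and one line in the newer layout with an unlabeled_t entry.
sample_ls_output() {
    cat <<'EOF'
-rw-r--r--  apache apache system_u:object_r:httpd_sys_script_rw_t hostname_ICECOOK.INFO
-rw-r--r--  apache apache system_u:object_r:file_t hostname_STALE.EXAMPLE
-rw-r--r--  apache apache system_u:object_r:httpd_sys_script_rw_t hostname_LAZYFROG.INFO
-rw-r--r--. 1 root root unconfined_u:object_r:unlabeled_t:s0 0 Jan  9 12:00 leftover.tmp
EOF
}

# On a real SELinux host: ls -lZ /tmp | unlabeled_from_ls
# Relabel the hits with "restorecon -v <file>", or delete them and let the
# owning process recreate them while SELinux is active, as done in the thread.
```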