[CentOS] SELinux and access across 'similar types'
Daniel J Walsh
dwalsh at redhat.com
Thu Jan 5 21:46:54 UTC 2012
On 01/05/2012 04:36 PM, Bennett Haselton wrote:
> http://wiki.centos.org/HowTos/SELinux says: "Access is only allowed
> between similar types, so Apache running as httpd_t can read
> /var/www/html/index.html of type httpd_sys_content_t."
>
> however the doc doesn't define what "similar types" means. I
> assumed it just meant "beginning with the same prefix". However
> that can't be right because on my system with SELinux turned on,
> httpd runs as type init_t:
>
> [root@peacefire04 - /root # ps awuxZ | grep httpd | head -n 3
> system_u:system_r:init_t:s0 root 2521 0.1 0.4 21680 8820 ? Ss 05:05 0:00 /usr/sbin/httpd
> system_u:system_r:init_t:s0 apache 2550 0.0 0.4 23364 8920 ? S 05:05 0:00 /usr/sbin/httpd
> system_u:system_r:init_t:s0 apache 2551 0.1 0.4 22736 8212 ? S 05:05 0:00 /usr/sbin/httpd
>
> and the robots.txt file has type file_t:
>
> [root@peacefire04 - /root # ls -lZ /var/www/html/robots.txt
> -rw-rw-rw- root root system_u:object_r:file_t:s0 /var/www/html/robots.txt
>
> but Apache can of course access that file. So in Type Enforcement,
> what determines what process type can access what file type?
>
> Bennett
Your machine needs to be relabeled.
touch /.autorelabel
reboot