[CentOS] SELinux and access across 'similar types'

Daniel J Walsh dwalsh at redhat.com
Thu Jan 5 21:46:54 UTC 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/05/2012 04:36 PM, Bennett Haselton wrote:
> http://wiki.centos.org/HowTos/SELinux says: "Access is only allowed
> between similar types, so Apache running as httpd_t can read
> /var/www/html/index.html of type httpd_sys_content_t."
> 
> however the doc doesn't define what "similar types" means.  I
> assumed it just meant "beginning with the same prefix".  However
> that can't be right because on my system with SELinux turned on,
> httpd runs as type init_t:
> 
> [root at peacefire04 - /root # ps awuxZ | grep httpd | head -n 3 
> system_u:system_r:init_t:s0     root      2521  0.1  0.4  21680
> 8820 ?        Ss   05:05   0:00 /usr/sbin/httpd 
> system_u:system_r:init_t:s0     apache    2550  0.0  0.4  23364
> 8920 ?        S    05:05   0:00 /usr/sbin/httpd 
> system_u:system_r:init_t:s0     apache    2551  0.1  0.4  22736
> 8212 ?        S    05:05   0:00 /usr/sbin/httpd
> 
> and the robots.txt file has type file_t: [root at peacefire04 - /root
> # ls -lZ /var/www/html/robots.txt -rw-rw-rw-  root root
> system_u:object_r:file_t:s0 /var/www/html/robots.txt
> 
> but Apache can of course access that file.  So in Type Enforcement,
> what determines what process type can access what file type?
> 
> Bennett _______________________________________________ CentOS
> mailing list CentOS at centos.org 
> http://lists.centos.org/mailman/listinfo/centos


Your machine needs to be relabeled.

touch /.autorelabel
reboot

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk8GGk4ACgkQrlYvE4MpobMVkgCfVagwQqbzB2UW1+TEsrrCVhF5
lFkAnjLTi3zphekGomv04ZyMu0sOuopg
=cIvM
-----END PGP SIGNATURE-----



More information about the CentOS mailing list