[CentOS] SELinux and access across 'similar types'
Bennett Haselton
bennett at peacefire.org
Fri Jan 6 09:36:40 UTC 2012
On 1/5/2012 4:37 PM, Bennett Haselton wrote:
> On 1/5/2012 3:14 PM, RILINDO FOSTER wrote:
>> On Jan 5, 2012, at 4:46 PM, Daniel J Walsh wrote:
>>
>>> On 01/05/2012 04:36 PM, Bennett Haselton wrote:
>>>> http://wiki.centos.org/HowTos/SELinux says: "Access is only allowed
>>>> between similar types, so Apache running as httpd_t can read
>>>> /var/www/html/index.html of type httpd_sys_content_t."
>>>>
>>>> however the doc doesn't define what "similar types" means. I
>>>> assumed it just meant "beginning with the same prefix". However
>>>> that can't be right because on my system with SELinux turned on,
>>>> httpd runs as type init_t:
>>>>
>>>> [root at peacefire04 - /root # ps awuxZ | grep httpd | head -n 3
>>>> system_u:system_r:init_t:s0 root 2521 0.1 0.4 21680 8820 ? Ss 05:05 0:00 /usr/sbin/httpd
>>>> system_u:system_r:init_t:s0 apache 2550 0.0 0.4 23364 8920 ? S 05:05 0:00 /usr/sbin/httpd
>>>> system_u:system_r:init_t:s0 apache 2551 0.1 0.4 22736 8212 ? S 05:05 0:00 /usr/sbin/httpd
>>>>
>>>> and the robots.txt file has type file_t:
>>>>
>>>> [root at peacefire04 - /root # ls -lZ /var/www/html/robots.txt
>>>> -rw-rw-rw- root root system_u:object_r:file_t:s0 /var/www/html/robots.txt
>>>>
>>>> but Apache can of course access that file. So in Type Enforcement,
>>>> what determines what process type can access what file type?
>>>>
>>>> Bennett
>>>> _______________________________________________
>>>> CentOS mailing list
>>>> CentOS at centos.org
>>>> http://lists.centos.org/mailman/listinfo/centos
>>>
>>> Your machine needs to be relabeled.
>>>
>>> touch /.autorelabel
>>> reboot
>> WARNING: If you have never enabled SELinux for a long time, the boot is
>> going to take a while as the system relabels the whole machine. Do
>> not do this unless you can plan for an extended downtime.
> I did do
> touch /.autorelabel
> reboot
>
> The machine booted back up in just a few minutes, what looked like
> normal reboot time. And then I ran the same commands as before and
> got what looks to me like the same output:
>
> [root at peacefire04 - /root # ls -lZ /var/www/html/robots.txt
> -rw-rw-rw- root root system_u:object_r:file_t:s0 /var/www/html/robots.txt
> [root at peacefire04 - /root # ps awuxZ | grep httpd | head -n 3
> system_u:system_r:init_t:s0 root 2530 0.0 0.4 21680 8820 ? Ss 16:23 0:00 /usr/sbin/httpd
> system_u:system_r:init_t:s0 apache 2558 0.8 0.8 28308 16392 ? S 16:23 0:03 /usr/sbin/httpd
> system_u:system_r:init_t:s0 apache 2560 0.5 0.5 23248 10236 ? S 16:23 0:02 /usr/sbin/httpd
>
> So I'm wondering:
> 1) How did you know that the machine needed to be relabeled? Was it
> something in the output of the commands the first time I ran them? And
> in that case,
> 2) Why didn't it change after I created /.autorelabel and rebooted?
> (I can confirm the file /.autorelabel is no longer present, so it must
> have been deleted when the auto-relabel was done, like the doc says.)
> 3) If the machine booted back up very quickly, should I be worried
> that the autorelabel might not have happened? Any idea if it logs a
> message somewhere if it fails to start properly?
OK, I know why Daniel and Rilindo were telling me to relabel -- according to
http://fedoraproject.org/wiki/SELinux/Troubleshooting/AVCDecisions
and other sources, if a file is listed as type "file_t", it means the
system needs to be relabeled.
So I still don't know: after creating /.autorelabel (and verifying that
it's there), and rebooting the system (and then verifying that the
/.autorelabel file has been deleted, which is supposed to mean the
auto-relabel actually happened), why am I still seeing the file type
listed as file_t?
Bennett
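As an added diagnostic (not part of the thread), a small POSIX shell script that reads `ps -Z` and `ls -Z` style output and flags the two symptoms quoted above: an httpd process whose domain is not httpd_t, and files whose type is file_t or unlabeled_t, which the Fedora troubleshooting page cited above says means the filesystem needs relabeling. The sample records are constructed from the thread's output plus two hypothetical extra lines (a correctly labelled index.html and an unlabeled_t old.html).

```shell
#!/bin/sh
# Added example: spot unlabelled files and a daemon that has not entered its
# own SELinux domain. Sample records below are constructed (taken from the
# thread plus two hypothetical lines); on a real host feed the functions
# with `ps awuxZ | grep httpd` and `ls -lZ /var/www/html/*` instead.

PS_SAMPLE='system_u:system_r:init_t:s0 root 2521 0.1 0.4 21680 8820 ? Ss 05:05 0:00 /usr/sbin/httpd
system_u:system_r:init_t:s0 apache 2550 0.0 0.4 23364 8920 ? S 05:05 0:00 /usr/sbin/httpd
system_u:system_r:httpd_t:s0 apache 2551 0.1 0.4 22736 8212 ? S 05:05 0:00 /usr/sbin/httpd'

LS_SAMPLE='-rw-rw-rw- root root system_u:object_r:file_t:s0 /var/www/html/robots.txt
-rw-r--r-- root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
-rw-r--r-- root root system_u:object_r:unlabeled_t:s0 /var/www/html/old.html'

# type_of CONTEXT: the "type" field of a user:role:type:level context.
type_of() { printf '%s\n' "$1" | cut -d: -f3; }

# misdomained EXPECTED_TYPE BINARY: reads `ps awuxZ` lines on stdin and
# prints how many processes running BINARY are NOT in EXPECTED_TYPE.
misdomained() {
  expect="$1"; bin="$2"; n=0
  while read -r ctx user pid cpu mem vsz rss tty stat start cputime cmd; do
    [ "$cmd" = "$bin" ] || continue
    [ "$(type_of "$ctx")" = "$expect" ] || n=$((n+1))
  done
  echo "$n"
}

# unlabeled_files: reads `ls -lZ` lines on stdin and prints each path whose
# type is file_t or unlabeled_t, i.e. a file the policy never labelled.
# On a live system, `restorecon -nv PATH` shows the label the policy expects
# without changing anything.
unlabeled_files() {
  while read -r mode user group ctx path; do
    case "$(type_of "$ctx")" in
      file_t|unlabeled_t) echo "$path" ;;
    esac
  done
}

# Stand-alone run over the constructed samples.
printf 'httpd processes outside httpd_t: %s\n' \
  "$(printf '%s\n' "$PS_SAMPLE" | misdomained httpd_t /usr/sbin/httpd)"
printf '%s\n' "$LS_SAMPLE" | unlabeled_files
```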