[CentOS] SELinux and access across 'similar types'
Bennett Haselton
bennett at peacefire.org
Fri Jan 6 10:00:27 UTC 2012
On 1/5/2012 1:36 PM, Bennett Haselton wrote:
> http://wiki.centos.org/HowTos/SELinux
> says:
> "Access is only allowed between similar types, so Apache running as
> httpd_t can read /var/www/html/index.html of type httpd_sys_content_t."
>
> However, the doc doesn't define what "similar types" means. I assumed
> it just meant "beginning with the same prefix". However, that can't be
> right because on my system with SELinux turned on, httpd runs as type
> init_t:
>
> [root@peacefire04 - /root # ps awuxZ | grep httpd | head -n 3
> system_u:system_r:init_t:s0 root 2521 0.1 0.4 21680 8820 ? Ss 05:05 0:00 /usr/sbin/httpd
> system_u:system_r:init_t:s0 apache 2550 0.0 0.4 23364 8920 ? S 05:05 0:00 /usr/sbin/httpd
> system_u:system_r:init_t:s0 apache 2551 0.1 0.4 22736 8212 ? S 05:05 0:00 /usr/sbin/httpd
>
> and the robots.txt file has type file_t:
> [root@peacefire04 - /root # ls -lZ /var/www/html/robots.txt
> -rw-rw-rw- root root system_u:object_r:file_t:s0 /var/www/html/robots.txt
>
> but Apache can of course access that file. So in Type Enforcement,
> what determines what process type can access what file type?
OK, notwithstanding the fact that the filesystem on the above machine
needs to be re-labeled and I don't know why that's failing --
I have another CentOS 5.7 machine where I've enabled SELinux (permissive
mode) and relabeled the filesystem and it actually worked, so that the
above commands are now giving the expected outputs:
[root@g6950-21025 ~]# ps awuxZ | grep httpd | head -n 3
system_u:system_r:init_t root 2302 0.0 1.0 253056 10576 ? Ss 00:12 0:00 /usr/sbin/httpd
system_u:system_r:init_t apache 4201 0.1 2.0 274804 20968 ? S 01:26 0:02 /usr/sbin/httpd
system_u:system_r:init_t apache 4392 0.2 1.2 257308 12512 ? S 01:39 0:01 /usr/sbin/httpd
[root@g6950-21025 ~]# ls -lZ /var/www/html/robots.txt
-rw-rw-rw- root root system_u:object_r:httpd_sys_content_t /var/www/html/robots.txt
[root@g6950-21025 ~]#
So, same question -- the documentation says "Access is only allowed
between similar types", but what does "similar" mean? What determines
that the httpd process, running under the "init_t" domain, can access
the robots.txt file, which has type "httpd_sys_content_t"?
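Added example (editorial, not part of the list post or the CentOS wiki): the wiki's "similar types" is shorthand for "the loaded policy contains an allow rule whose source is the process domain and whose target is the file type, for that object class and permission". Nothing about the names themselves matters; sesearch from the setools package shows the rule, and the script below wraps it. It also checks the two things that make the outputs above look odd: httpd only ends up in httpd_t through a domain transition when the init script (initrc_t) execs a binary labeled httpd_exec_t, so a process sitting in init_t never took that path; and in permissive mode a missing rule is logged as an AVC but never blocks access, so "Apache can read the file" says nothing about the policy. The parsing helpers run anywhere; the live check assumes a CentOS-style host with ps -Z, ls -Z, getenforce, ausearch and sesearch (setools 3 or 4 output formats). SAMPLE_RULES is constructed sesearch output, not captured from a real host.

```shell
#!/bin/sh
# Added example: find the policy rule that lets a process domain touch a file
# type, and show why a wrong label on either side changes the answer.
# Assumes ps -Z, ls -Z, getenforce, ausearch and setools' sesearch for the
# live check; ctx_type and rule_allows run offline. SAMPLE_RULES is constructed.

# Third colon-separated field of an SELinux context (user:role:type[:range]).
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read sesearch output on stdin and print "SOURCE TARGET" for each allow rule
# that grants PERM on CLASS; exit 0 if at least one matched, 1 otherwise.
# Accepts setools 3 lines (CentOS 5/6):
#   allow httpd_t httpd_sys_content_t : file { read getattr } ;
# and setools 4 lines:
#   allow httpd_t httpd_sys_content_t:file { getattr read };
# If the printed source or target is an attribute (e.g. "domain"), access
# was granted through that attribute rather than the type by name.
rule_allows() {
    awk -v cls="$1" -v perm="$2" '
    $1 == "allow" {
        line = $0
        gsub(/[:;{}]/, " ", line)   # make every separator a blank
        n = split(line, f)          # f[2]=source f[3]=target f[4]=class f[5..n]=perms
        if (f[4] != cls) next
        for (i = 5; i <= n; i++)
            if (f[i] == perm) { print f[2], f[3]; found = 1; break }
    }
    END { exit found ? 0 : 1 }'
}

# Constructed sesearch output, used only to exercise rule_allows offline.
SAMPLE_RULES='Found 3 semantic av rules:
   allow httpd_t httpd_sys_content_t : file { ioctl read getattr lock open } ;
   allow httpd_t httpd_sys_content_t : dir { ioctl read getattr lock search open } ;
allow httpd_t httpd_sys_content_t:lnk_file { getattr read };'

# Live check on a real host: which domain httpd runs in, how FILE is labeled,
# and whether the policy has an allow rule for that pair.
# Run as:  sh selinux_check.sh --live [FILE]
live_check() {
    file=${1:-/var/www/html/robots.txt}
    pctx=$(ps awuxZ | awk '/[/]usr[/]sbin[/]httpd/ { print $1; exit }')
    fctx=$(ls -dZ "$file" | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /:object_r:/) { print $i; exit } }')
    domain=$(ctx_type "$pctx")
    ftype=$(ctx_type "$fctx")
    echo "mode:         $(getenforce)"
    echo "httpd domain: ${domain:-<no httpd running>}   (expected: httpd_t)"
    echo "file type:    ${ftype:-<unknown>}   (expected: httpd_sys_content_t)"

    if [ "$domain" != httpd_t ]; then
        # httpd reaches httpd_t only via a domain transition on exec of a file
        # labeled httpd_exec_t; any other domain means that did not happen.
        echo "httpd did not transition into httpd_t; check the binary label and the transition rule:"
        ls -Z /usr/sbin/httpd
        sesearch -T -s initrc_t -t httpd_exec_t -c process
    fi

    echo "allow rules for $domain -> $ftype (class file, perm read):"
    rules=$(sesearch -A -s "$domain" -t "$ftype" -c file -p read)
    printf '%s\n' "$rules"
    if printf '%s\n' "$rules" | rule_allows file read >/dev/null; then
        echo "=> read is granted by policy"
    else
        # No rule: enforcing mode denies; permissive mode allows but logs an AVC,
        # so a successful read in permissive mode proves nothing about the policy.
        echo "=> no allow rule; recent AVC denials:"
        ausearch -m avc | tail -n 5
    fi
}

case "${1:-}" in
    --live) live_check "$2" ;;
esac
```

The offline helpers answer the question in the post directly: feed `sesearch -A -s httpd_t -t httpd_sys_content_t -c file -p read` into `rule_allows file read` and the printed source/target pair is the rule that makes the two types "similar"; run the same query with `-s init_t` and nothing comes back, because no such rule exists. Running the script with `--live` on the second host above would report the init_t domain and point at the label on /usr/sbin/httpd as the place to look before relabeling anything under /var/www.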