[CentOS] SELinux and access across 'similar types'

Bennett Haselton bennett at peacefire.org
Fri Jan 6 10:41:02 UTC 2012


On 1/6/2012 2:24 AM, Philippe Naudin wrote:
> Le ven 06 jan 2012 02:00:27 CET, Bennett Haselton a écrit:
>
>> On 1/5/2012 1:36 PM, Bennett Haselton wrote:
>> ...
>> OK, notwithstanding the fact that the filesystem on the above machine
>> needs to be re-labeled and I don't know why that's failing --
>>
>> I have another CentOS 5.7 machine where I've enabled SELinux (permissive
>> mode) and relabeled the filesystem and it actually worked, so that the
>> above commands are now giving the expected outputs:
>>
>> [root at g6950-21025 ~]# ps awuxZ | grep httpd | head -n 3
>> system_u:system_r:init_t        root      2302  0.0  1.0 253056 10576
>> ?        Ss   00:12   0:00 /usr/sbin/httpd
>> system_u:system_r:init_t        apache    4201  0.1  2.0 274804 20968
>> ?        S    01:26   0:02 /usr/sbin/httpd
>> system_u:system_r:init_t        apache    4392  0.2  1.2 257308 12512
>> ?        S    01:39   0:01 /usr/sbin/httpd
> Apache running as "init_t" is a call for troubles.
Is it?  OK, any idea what caused that and how to fix it?

I can't find much on Google about it except this page:
http://fedoraproject.org/wiki/SELinux/EnforcePolicy
says "The init process then runs /etc/rc.d/rc.sysinit, which is labeled 
initrc_exec_t. The kernel has a rule that says when init_t execs 
initrc_exec_t it transitions to initrc_t. So this continues until the 
httpd executable gets started as httpd_t."  Even though in my case it's 
not happening.

> $ ps awuxZ | grep [a]pache
> system_u:system_r:httpd_t       apache   ...  /usr/sbin/httpd
>
>> [root at g6950-21025 ~]# ls -lZ /var/www/html/robots.txt
>> -rw-rw-rw-  root root system_u:object_r:httpd_sys_content_t
>> /var/www/html/robots.txt
> This is correct.
>
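A small defender-side check for the situation above, added here as an example (it is not code from the thread or from the CentOS project): it parses `ps awuxZ` output and reports every process of a given executable whose SELinux type is not the expected one, so an httpd that is still in `init_t` instead of `httpd_t` shows up immediately. The sample process list is constructed to mirror the listing quoted above; without the third argument the function reads the live process list.

```shell
#!/bin/sh
# Added example (not from the thread): flag processes that are not running
# in the SELinux domain they should be confined to.

# Constructed sample of `ps awuxZ` output mirroring the listing above.
# Columns: LABEL USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
SAMPLE_PS='system_u:system_r:init_t        root      2302  0.0  1.0 253056 10576 ?        Ss   00:12   0:00 /usr/sbin/httpd
system_u:system_r:init_t        apache    4201  0.1  2.0 274804 20968 ?        S    01:26   0:02 /usr/sbin/httpd
system_u:system_r:httpd_t       apache    4392  0.2  1.2 257308 12512 ?        S    01:39   0:01 /usr/sbin/httpd
system_u:system_r:sshd_t        root       999  0.0  0.5 100000  5000 ?        Ss   00:10   0:00 /usr/sbin/sshd'

# check_domain EXEC EXPECTED_TYPE [PS_OUTPUT]
# Prints one line per process whose COMMAND is EXEC and whose SELinux type
# (third field of the context) differs from EXPECTED_TYPE.
# Returns 0 if every such process is confined as expected, 1 otherwise.
# Without PS_OUTPUT it reads the live process list.
check_domain() {
    input=${3:-$(ps awuxZ)}
    printf '%s\n' "$input" | awk -v exe="$1" -v want="$2" '
        $12 == exe {
            n = split($1, ctx, ":")      # user:role:type[:level]
            if (n < 3) next              # not a valid SELinux context
            if (ctx[3] != want) {
                bad++
                print "PID " $3 " (" $2 ") runs as " ctx[3] ", expected " want
            }
        }
        END { exit (bad > 0) }'
}

# On the sample, two of the three httpd processes are in init_t.
check_domain /usr/sbin/httpd httpd_t "$SAMPLE_PS" || echo "unconfined httpd found"
```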
