[CentOS] SELinux and access across 'similar types'
Bennett Haselton
bennett at peacefire.org
Fri Jan 6 10:41:02 UTC 2012
On 1/6/2012 2:24 AM, Philippe Naudin wrote:
> Le ven 06 jan 2012 02:00:27 CET, Bennett Haselton a écrit:
>
>> On 1/5/2012 1:36 PM, Bennett Haselton wrote:
>> ...
>> OK, notwithstanding the fact that the filesystem on the above machine
>> needs to be re-labeled and I don't know why that's failing --
>>
>> I have another CentOS 5.7 machine where I've enabled SELinux (permissive
>> mode) and relabeled the filesystem and it actually worked, so that the
>> above commands are now giving the expected outputs:
>>
>> [root at g6950-21025 ~]# ps awuxZ | grep httpd | head -n 3
>> system_u:system_r:init_t root 2302 0.0 1.0 253056 10576
>> ? Ss 00:12 0:00 /usr/sbin/httpd
>> system_u:system_r:init_t apache 4201 0.1 2.0 274804 20968
>> ? S 01:26 0:02 /usr/sbin/httpd
>> system_u:system_r:init_t apache 4392 0.2 1.2 257308 12512
>> ? S 01:39 0:01 /usr/sbin/httpd
> Apache running as "init_t" is a call for troubles.
Is it? OK, any idea what caused that and how to fix it?
I can't find much on Google about it except this page:
http://fedoraproject.org/wiki/SELinux/EnforcePolicy
says "The init process then runs /etc/rc.d/rc.sysinit, which is labeled
initrc_exec_t. The kernel has a rule that says when init_t execs
initrc_exec_t it transitions to initrc_t. So this continues until the
httpd executable gets started as httpd_t." Even though in my case it's
not happening.
> $ ps awuxZ | grep [a]pache
> system_u:system_r:httpd_t apache ... /usr/sbin/httpd
>
>> [root at g6950-21025 ~]# ls -lZ /var/www/html/robots.txt
>> -rw-rw-rw- root root system_u:object_r:httpd_sys_content_t
>> /var/www/html/robots.txt
> This is correct.
>
More information about the CentOS
mailing list