[CentOS] SELinux and access across 'similar types'
Bennett Haselton
bennett at peacefire.org
Sat Jan 7 02:27:05 UTC 2012
On 1/6/2012 6:16 PM, RILINDO FOSTER wrote:
> On Jan 6, 2012, at 10:35 AM, Bennett Haselton wrote:
>
>> I tried that and it worked -- the httpd processes are now listed with
>> "httpd_t" as their context, the /var/log/audit/audit.log file is listed
>> with auditd_log_t as its type instead of file_t, etc.
>>
>> I'm pretty sure this machine was never "upgraded to CentOS 5.2", it was
>> just imaged with 5.7 when the hosting company set it up, but SELinux
>> *was* off until I turned it on. So probably the doc should say, if the
>> "system was *installed* with 5.2, then do this" (and presumably it's 5.2
>> or later, not just 5.2).
> Either that, or the base install was an earlier version of CentOS 5.x, with SELinux turned off, then upgraded to the current version.
>
> - Rilindo
Could be in theory but if the hosting company was provisioning a new
machine I don't know why they'd set up an earlier version and then
upgrade, instead of just imaging the latest version at the time.
As for the original question -- when the docs say that access is allowed
only across "similar types", what determines what counts as "similar
types"? How do you know for example that httpd running as type httpd_t
can access /var/www/html/robots.txt which has type httpd_sys_content_t?
Bennett
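The question at the end of the message is settled by the policy's allow rules, not by any resemblance between type names: httpd_t can read httpd_sys_content_t only because the loaded policy contains an allow rule saying so. The following Python is an added example, not code from this thread; it assumes the setools `sesearch` tool is installed for the live query, and the sample rule lines it parses are constructed to mirror sesearch's `allow` output format.

```python
import re
import shutil
import subprocess

# Constructed sample in the shape of `sesearch -A -s httpd_t` output.
# A real policy prints far more lines; these are assumed for the example.
SAMPLE_RULES = """\
allow httpd_t httpd_sys_content_t : file { ioctl read getattr lock open } ;
allow httpd_t httpd_sys_content_t : dir { ioctl read getattr lock search open } ;
allow httpd_t httpd_log_t : file { ioctl create getattr setattr append lock open } ;
allow httpd_t httpd_t : process fork ;
"""

# Matches both the brace form "{ read open }" and the single-permission form.
RULE_RE = re.compile(
    r"^allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+(?:\{([^}]*)\}|(\S+))\s*;?$"
)


def parse_allow_rules(text):
    """Turn sesearch allow lines into (source, target, class, perms) tuples."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # skip headers, blank lines and non-allow rules
        src, tgt, cls, braced, single = m.groups()
        perms = braced.split() if braced is not None else [single]
        rules.append((src, tgt, cls, frozenset(perms)))
    return rules


def can_access(rules, source, target, cls, perm):
    """True only if some allow rule grants `perm` on `cls` from source to target.

    Note: rules written against attributes (groups of types) only match here
    if sesearch has already expanded them to concrete type names.
    """
    return any(s == source and t == target and c == cls and perm in p
               for s, t, c, p in rules)


def query_policy(source):
    """Ask the installed policy (via setools' sesearch) for rules from `source`."""
    if shutil.which("sesearch") is None:
        raise RuntimeError("sesearch (setools) is not installed")
    out = subprocess.run(["sesearch", "-A", "-s", source],
                         capture_output=True, text=True, check=True).stdout
    return parse_allow_rules(out)
```

On a real box, `can_access(query_policy("httpd_t"), "httpd_t", "httpd_sys_content_t", "file", "read")` answers the robots.txt case directly, and a `False` for a type such as auditd_log_t shows why an httpd_t process cannot read the audit log.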