[CentOS] SELinux and access across 'similar types'

Bennett Haselton bennett at peacefire.org
Sat Jan 7 02:27:05 UTC 2012


On 1/6/2012 6:16 PM, RILINDO FOSTER wrote:
> On Jan 6, 2012, at 10:35 AM, Bennett Haselton wrote:
>
>> I tried that and it worked -- the httpd processes are now listed with
>> "httpd_t" as their context, the /var/log/audit/audit.log file is listed
>> with auditd_log_t as its type instead of file_t, etc.
>>
>> I'm pretty sure this machine was never "upgraded to CentOS 5.2", it was
>> just imaged with 5.7 when the hosting company set it up, but SELinux
>> *was* off until I turned it on.  So probably the doc should say, if the
>> "system was *installed* with 5.2, then do this" (and presumably it's 5.2
>> or later, not just 5.2).
> Either that, or the base install was an earlier version of CentOS 5.x, with SELinux turned off, then upgraded to the current version.
>
>   - Rilindo

Could be, in theory, but if the hosting company was provisioning a new 
machine I don't know why they'd set up an earlier version and then 
upgrade, instead of just imaging the latest version at the time.

As for the original question -- when the docs say that access is allowed 
only across "similar types", what determines what counts as "similar 
types"?  How do you know for example that httpd running as type httpd_t 
can access /var/www/html/robots.txt which has type httpd_sys_content_t?

Bennett
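As an added illustration (not part of the original thread): "similar" is not something SELinux computes; whether a process in httpd_t may read a file labelled httpd_sys_content_t depends only on whether the loaded policy contains an allow rule whose source, target (or an attribute either type belongs to), object class and permission cover that access. The toy evaluator below parses a constructed policy fragment in policy-source syntax (the httpdcontent attribute and the rules are modelled on the targeted policy, not copied from it) and answers the question the way the kernel does; on a real system, `sesearch -A -s httpd_t -t httpd_sys_content_t -c file` from setools performs the same lookup against the installed policy.

```python
import re
from collections import defaultdict

# Constructed sample in SELinux policy-source syntax. Modelled on, not copied
# from, the CentOS targeted policy; names are assumptions for this example.
SAMPLE_POLICY = """
attribute httpdcontent;
type httpd_t;
type httpd_sys_content_t;
type auditd_log_t;
typeattribute httpd_sys_content_t httpdcontent;
allow httpd_t httpdcontent:file { read getattr open };
allow httpd_t httpd_sys_content_t:dir { search getattr };
"""

ALLOW_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+);")
TYPEATTR_RE = re.compile(r"typeattribute\s+(\w+)\s+([\w, ]+);")


def parse_policy(text):
    """Return (rules, attrs).

    rules: list of (source, target, class, set-of-permissions) from allow rules.
    attrs: attribute name -> set of types carrying that attribute.
    """
    attrs = defaultdict(set)
    for m in TYPEATTR_RE.finditer(text):
        for attr in m.group(2).split(","):
            attrs[attr.strip()].add(m.group(1))
    rules = []
    for m in ALLOW_RE.finditer(text):
        perms = set(m.group(4).strip("{} ").split())
        rules.append((m.group(1), m.group(2), m.group(3), perms))
    return rules, attrs


def expand(name, attrs):
    """A rule written against an attribute applies to every member type."""
    return attrs[name] if name in attrs else {name}


def allowed_perms(rules, attrs, src, tgt, cls):
    """Union of permissions the policy grants src on tgt for object class cls.

    An empty set means the kernel would deny (and audit) the access.
    """
    perms = set()
    for rsrc, rtgt, rcls, rperms in rules:
        if rcls == cls and src in expand(rsrc, attrs) and tgt in expand(rtgt, attrs):
            perms |= rperms
    return perms
```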
