[CentOS] SELinux and access across 'similar types'

Bennett Haselton bennett at peacefire.org
Sat Jan 7 12:43:31 UTC 2012


On 1/7/2012 4:16 AM, Marko Vojinovic wrote:
> On Friday 06 January 2012 18:27:05 Bennett Haselton wrote:
>> On 1/6/2012 6:16 PM, RILINDO FOSTER wrote:
>>> On Jan 6, 2012, at 10:35 AM, Bennett Haselton wrote:
>>>> I'm pretty sure this machine was never "upgraded to CentOS 5.2", it
>>>> was
>>>> just imaged with 5.7 when the hosting company set it up, but SELinux
>>>> *was* off until I turned it on.  So probably the doc should say, if
>>>> the
>>>> "system was *installed* with 5.2, then do this" (and presumably it's
>>>> 5.2
>>>> or later, not just 5.2).
>>> Either that, or the base install was an earlier version of Centos 5.x,
>>> with SELinux turned off then upgraded to the current version.>
>> Could be in theory but if the hosting company was provisioning a new
>> machine I don't know why they'd set up an earlier version and then
>> upgrade, instead of just imaging the latest version at the time.
> How about --- the hosting company installs CentOS once (the 5.2 version) as
> their master image, turns off SELinux, and keeps updating the image over time?
> And when a customer asks for a new machine, they just make a copy of the
> current state of the master image? I guess that would be much easier (for
> them), compared to actually installing the latest version of CentOS from
> scratch, for every customer.
>
> Why don't you ask the hosting company exactly what kind of system did they
> provide to you? Since SELinux was off by default, it certainly is not just a
> default installation of CentOS 5.7 (nor any other version of CentOS). They
> obviously made some manual after-install customizations before they handed you
> the system.
>
> IMHO, if a hosting company does that sort of things (especially turning off
> SELinux), I wouldn't touch them with a ten-foot pole. Who knows what else they
> might have customized, in their infinite wisdom... :-)
>
> Care to share the name of that hosting company?

Virtually every hosting company I've ever bought a CentOS server from 
has had SELinux turned off by default.  (So, a partial list would 
include FDCServers, Superb.net, SiteGenie, SecuredServers (ho, ho), 
AeroVPS (sells dedicated servers despite their name), Netelligent, 
ServerBeach and I don't remember all the others).  Don't hold me to that 
list 100% since some might have changed their policies for new servers 
but it's pretty universal.

What hosting company sells sub-$100 unmanaged CentOS dedicated servers 
and *doesn't* have SELinux turned off?

>> As for the original question -- when the docs say that access is allowed
>> only across "similar types", what determines what counts as "similar
>> types"?  How do you know for example that httpd running as type httpd_t
>> can access /var/www/html/robots.txt which has type httpd_sys_content_t?
> AFAIK, the interactions between various labels (ie. rules "who can access
> what") are determined by the SELinux targeted policy (the selinux-policy-
> targeted package). These rules evolve over time (the package sometimes gets
> updated and your filesystem autorelabeled to match), and IIRC they can get
> pretty complicated. You want to look inside that package to find all the rules.
OK.  Is it easy to "look inside the package" and where would I look?
> But in usual circumstances you shouldn't need to know any details, just let
> the system label the files as they are supposed to be labeled, and everything
> should Just Work (tm). If you need to customize something, you can use
> semanage&restorecon to override the default policy.
>
> HTH, :-)
> Marko
>
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos




More information about the CentOS mailing list